Mortgage Concepts is a recurring video series covering best practices and compliance education for California mortgage loan originators. This video discusses Regulation P, which governs privacy rules of a consumer’s financial information. For course credit toward renewing your NMLS license, visit



Privacy is an important part of the real estate profession. Sensitive information changes hands frequently — particularly for mortgage professionals, who have access to their clients’ most personal financial data.

Privacy laws exist to protect this sensitive information. These laws include rules for when financial institutions can share information, and when they need to notify and receive consent from clients. This information is presented in Regulation P, the Privacy of Consumer Financial Information.


Customer or consumer?

These rules limit the consumer information shared by financial institutions, which are any institutions in the business of engaging in financial activities. This includes:

  • banks;
  • thrifts;
  • mortgage loan originators (MLOs);
  • real estate settlement service providers;
  • mortgage servicers;
  • payday lenders; and
  • private student loan lenders. [12 Code of Federal Regulations §1016.3(l)(1)-(3)]

The term financial institution does not include:

  • most auto dealers;
  • brokers or dealers registered under the Securities Exchange Act of 1934;
  • investment advisors registered by any state or the Securities and Exchange Commission;
  • investment companies registered under the Investment Company Act of 1940; and
  • insurance companies supervised by a state insurance regulator. [12 CFR §1016.3(s)(2)]

Privacy rules vary based on whether the individual is a consumer or customer of the financial institution.

A consumer is a broad term, covering any individual — or that individual’s legal representative — who obtains or has obtained a financial product or service from a financial institution which is used primarily for personal or household purposes. [12 CFR §1016.3(e)(1)]

For example, a consumer includes someone who has applied for personal or household credit from a financial institution, whether or not their application was approved or the loan was originated. [12 CFR §1016.3(e)(2)(i)]

On the other hand, a customer is a special type of consumer, an individual with whom the institution has an established customer relationship, which means they:

  • have a deposit or investment account with the institution;
  • obtain a loan from the institution;
  • have a loan which is serviced by the institution;
  • purchase insurance from the institution;
  • have entered into an agreement with the institution to arrange a mortgage loan;
  • lease personal property from the institution; or
  • obtain financial or investment advice from the institution for a fee. [12 CFR §1016.3(j)(2)(i)]

A consumer is no longer a customer if the financial institution originating a loan later sells the loan, no longer retaining the rights to service the loan. [12 CFR §1016.3(j)(2)(ii)(B)]

A consumer is also not considered a customer when they obtain one-time property appraisal services from an institution. [12 CFR §1016.3(j)(2)(ii)(D)]


Opting out

Financial institutions may wish to share nonpublic information collected from consumers with third parties. When financial institutions share this type of information with third parties, they need to first notify consumers and give them the chance to opt out of their information being shared. [12 CFR §1016.10(a)(iii)]

The opt-out rules apply whether or not the financial institution has established a customer relationship with the consumer. [12 CFR §1016.10(b)]

The consumer may opt out by responding within a reasonable time frame, which is:

  • at least 30 days after mailing a printed notice giving the consumer an opportunity to opt out; or
  • at least 30 days after acknowledging receipt of electronic communications giving the consumer an opportunity to opt out. [12 CFR §1016.10(a)(3)]

If the consumer does not respond within these reasonable time frames, the financial institution may share their nonpublic information with third parties. [12 CFR §1016.10(a)(iii)-(iv)]

Financial institutions also may give consumers the option to opt out of having only part of their information shared, or for the institution to share their information only with certain parties. [12 CFR §1016.10(c)]


Exceptions to the opt-out rules

Financial institutions are exempt from the rules requiring them to give consumers the chance to opt out when the information is shared with a third party which performs services for the institution or functions on the institution’s behalf, as long as the institution:

  • delivers their initial privacy notice to the consumer; and
  • enters into an agreement with the third party that the third party will not use the shared nonpublic information in any way other than that agreed to with the institution. [12 CFR §1016.13(a)(1)]

For example, the third party may use the shared nonpublic information for joint marketing purposes, when the third party markets the financial institution’s services or services offered jointly between the institution and the third party. [12 CFR §1016.13(a)(2)-(b)]

Further, these institutions are exempt from the nonpublic information sharing rules when the information is shared as necessary to administer, initiate or enforce a transaction in connection with:

  • the servicing or processing of a financial product requested or authorized by the consumer;
  • maintaining or servicing the consumer’s account; or
  • the securitization or secondary market sale (such as the sale of servicing rights) of the consumer’s transaction. [12 CFR §1016.14(a)]

For instance, a mortgage holder may share nonpublic information about a consumer with a third party who will be servicing the loan — as long as the information is only used to service the loan. [12 CFR §§1016.14(a), 1016.11(a)]

Other cases when financial institutions are exempt from the opt-out requirements for sharing information with third parties include situations when:

  • the consumer consents or directs the financial institution to do so;
  • it is required to protect the confidentiality or security of the institution’s records on the consumer, service, product or transaction;
  • it is required to prevent fraud or unauthorized transactions;
  • it is needed to resolve a consumer dispute or inquiry; or
  • it is with a person with a legal or beneficial interest relating to the consumer, or who is acting as their representative. [12 CFR §1016.15(a)(1)-(2)]

It is also permissible for a financial institution to share nonpublic information without receiving prior approval from the consumer when doing so is required to comply with federal, state or local laws, including investigations. [12 CFR §1016.15(a)(7)]

Financial institutions are also exempt from the opt-out requirements when sharing information with a consumer reporting agency, or sharing information from a consumer report reported by a consumer reporting agency. [12 CFR §1016.15(a)(5)]

For example, a financial institution does not need to follow the opt-out rules when a consumer who has applied to the institution for a mortgage consents for the institution to share their nonpublic information with a homeowners insurance company. [12 CFR §1016.15(b)]


Privacy policies

Financial institutions are required to send current customers an annual notice describing their privacy policy. [12 CFR §1016.5(a)(1), (b)(1)]

The annual privacy policy notice needs to be delivered in writing, or electronically when the customer has agreed to receive electronic communications. [12 CFR §1016.9]

Information required by law to be in writing can be made electronically available to a consumer only if they affirmatively consent to receive the information electronically and the business clearly and conspicuously discloses specified information to the consumer before obtaining their consent. [15 USC § 7001(c)(1)]

In addition, consumer information required to be delivered in writing may be offered electronically:

  • when the business clearly discloses specified information on managing and understanding the electronic correspondence;
  • after gaining the consumer’s consent to receive such correspondence electronically; and
  • while said consent is not withdrawn. [15 USC § 7001(c)(1)]

Financial institutions may not share a customer’s account or access number for use in marketing, unless it is to market the institution’s own services to the customer. [12 CFR §1016.12]

Annual privacy policies need to contain the following information:

  • the categories of nonpublic personal information collected;
  • the categories of nonpublic personal information disclosed;
  • the categories of third parties to whom the nonpublic personal information is disclosed, except for those third parties which qualify for certain exceptions to the privacy and opt-out rules;
  • the categories of nonpublic personal information about former customers disclosed and the categories of third parties to whom nonpublic personal information from former customers is disclosed, except for those third parties which qualify for certain exceptions to the privacy and opt-out rules;
  • when nonpublic personal information is disclosed to a nonaffiliated third party, a separate statement of the categories of information disclosed and the categories of third parties with whom the institution has contracted;
  • an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including how the consumer may opt out;
  • any notices regarding the ability to opt out of the sharing of nonpublic information among affiliated third parties;
  • the financial institution’s policies and practices for protecting the confidentiality and security of nonpublic personal information; and
  • any nonaffiliated third parties who are excepted from privacy rules. [12 CFR §1016.6(a)-(b)]

A model privacy form can be found in the Appendix to the Privacy Rule regulations. [Appendix to 12 CFR §1016]


Exemptions to privacy policy notice rules

In some cases, financial institutions are exempt from sending out annual notices about their privacy policies.

For example, when a financial institution (other than a credit union) which grants a loan does not have a customer relationship with a consumer, it is not required to send out annual privacy notices. [12 CFR §1016.5(c)]

Further, beginning September 17, 2018, financial institutions are exempt from providing annual privacy policy notices when they:

  • limit the nonpublic personal information shared with other parties to those allowed under the exceptions for providing opt-out notices; and
  • have not changed their privacy policies or practices since they last delivered their privacy policy. [12 CFR §1016.5(e)]