Banks Encouraged to Share Information Related to Elder Abuse

Written by Amy Malone

One of the most common forms of elder abuse is financial exploitation. Older adults often have valuable assets and vulnerabilities, such as mental or physical disabilities, that make them prime targets for both strangers and family members.

Banks and other “financial institutions” as defined under the Gramm-Leach-Bliley Act (GLBA) may be able to spot trends and changes in spending, irregular transactions or account activity that, if reported, could stop further exploitation. The catch is that GLBA imposes privacy requirements that restrict how and when covered entities can share nonpublic personal information (NPI) without the consent of an individual. Financial institutions spend a lot of time and resources trying to ensure compliance with the privacy requirements and have struggled with whether they can share NPI with authorities in the case of suspected elder abuse.

To clarify, the Consumer Financial Protection Board (CFPB) and seven other federal agencies teamed up and issued Interagency Guidance on Privacy Laws and Reporting Financial Abuse of Older Adults. According to the Guidance, reporting suspected financial abuse to local, state or federal agencies does not generally violate the privacy provisions of GLBA or its implementing regulations. The Guidance asserts that in fact “specific privacy provisions of GLBA and its implementing regulations permit the sharing of this type of information under appropriate circumstances without complying with notice and opt-out requirements.”

Section 502(e) of GLBA provides exceptions to the general rule that a financial institution cannot disclose information to nonaffiliated third parties without first complying with notice and opt-out requirements.  The Guidance insists that sharing nonpublic personal information about consumers with local, state or federal agencies for the purpose of reporting suspected financial abuse of elderly persons will usually fall within one or more of the exceptions.  The Guidance provides these specific exceptions:

  • A financial institution may disclose NPI to comply with federal, state, or local laws, rules and other applicable legal requirements, such as state laws that require reporting by financial institutions of suspected abuse. (15 U.S.C. 6802(e)(8))
  • A financial institution may disclose NPI to respond to a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities or to respond to judicial process or government regulatory authorities having jurisdiction for examination, compliance, or other purposes as authorized by law. (15 U.S.C. 6802(e)(8))
  • A financial institution may disclose NPI to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. (15 U.S.C. 6802(e)(3)(B)) For example, this exception generally would allow a financial institution to disclose to appropriate authorities nonpublic personal information in order to:
    • report incidents that result in taking an older adult’s funds without actual consent, or
    • report incidents of obtaining an older adult’s consent to sign over assets through misrepresentation of the intent of the transaction.
  • To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), a financial institution may disclose nonpublic personal information to law enforcement agencies (including the CFPB, the federal functional regulators, and the FTC), self-regulatory organizations, or for an investigation on a matter related to public safety. (15 U.S.C. 6802(e)(5))

In addition, financial institutions may always disclose NPI with the consent of the consumer or the consumer’s legal representative.

The CFPB also released a financial resource tool to help prevent, identify and respond to elder financial exploitation.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.