[Image: a spider in its web, a metaphor for the web of federal and Virginia privacy regulations discussed in this article.]
Things to know to stay on the safe side of the regulatory compliance privacy web.

AI Disclosure:
This article was developed with the assistance of artificial intelligence (AI) using OpenAI’s ChatGPT. While the ideas and editorial direction reflect the author’s perspective, portions of the research, structuring, and drafting were supported by AI-generated insights. All content was reviewed and finalized by the author.


The regulatory web in financial privacy law

When it comes to borrower privacy, licensed consumer finance companies in Virginia face a layered regulatory framework. At the federal level, you are dealing with the Gramm-Leach-Bliley Act (GLBA) and its implementing rules. For the disclosure of most nonpublic personal information to non-affiliates, the relevant rule is Regulation P (the Privacy Rule).[1][2] Overlaying that, you have the FTC, the CFPB, state attorneys general, and finally the Virginia State Corporation Commission (SCC), each with its own enforcement hooks. 

The result is a compliance web where one mistake can trigger scrutiny from multiple directions—even if borrowers themselves can’t sue you directly. 

Federal Authority: CFPB vs. FTC 

The Consumer Financial Protection Act of 2010 (Title X of Dodd-Frank) gave the CFPB authority to implement and enforce the portions of GLBA that qualify as "Federal consumer financial law." Specifically, under 15 U.S.C. § 6804(a)(1)(A), the CFPB writes the rules governing disclosure of nonpublic personal information, implemented as Regulation P (12 CFR Part 1016).

  • Who’s covered? Under Reg P, Virginia consumer finance companies are “financial institutions.” That means they must provide a privacy notice at the start of the customer relationship and annually thereafter, unless they qualify for the annual-notice exception in 12 CFR 1016.5(e) (available when the institution shares nonpublic personal information only under the exceptions that carry no opt-out right and has not changed its privacy policies and practices since its last notice). 
  • Who enforces? Since the Dodd-Frank transfer date (July 21, 2011), the CFPB has held rulemaking authority for Reg P; the FTC kept rulemaking only for certain motor vehicle dealers, who remain under the FTC’s own rule at 16 C.F.R. Part 313. Enforcement is less tidy: the CFPB enforces Reg P against non-bank lenders, and the FTC retains concurrent enforcement authority under 15 U.S.C. § 6805(a)(7) for financial institutions not subject to another federal regulator, a category that includes Virginia consumer finance companies. Before Dodd-Frank the FTC had both rulemaking and enforcement power, which is why, as in other deceptive practices law, its case law remains informative and persuasive precedent in this area.[3] Data security is split the other way: for Virginia consumer finance companies the FTC, not the CFPB, has jurisdiction over the Safeguards Rule. This is because under Dodd-Frank the privacy disclosures to consumers fall under Federal consumer financial law, the jurisdiction of the CFPB, while the GLBA safeguards provision (15 U.S.C. § 6801(b)) was expressly carved out of that transfer.[4] Financial institutions under the jurisdiction of prudential regulators like the FDIC and the OCC have safeguards guidelines that mirror the FTC rule.[5] 

So, at least for overseeing Reg P itself (as opposed to information security safeguards), is the FTC out of the picture? Kind of. 

Under Section 5 of the FTC Act, the agency has authority to police unfair or deceptive acts or practices (UDAP). If a Virginia consumer finance company misrepresents its privacy practices (for example, saying it does not share data while doing so anyway), the FTC can frame that as a deceptive act without needing to rely on Reg P at all. 

What about the CFPB? It might be in the picture, a little or a lot. 

Start with the distinction between supervision and enforcement. 12 U.S.C. § 5515(a) gives the CFPB exclusive examination authority over insured depository institutions and credit unions with more than $10 billion in total assets, and their affiliates; a non-bank consumer finance company is not one of those. Non-bank supervision comes from 12 U.S.C. § 5514 instead, which reaches mortgage, payday, and private education lenders, “larger participants” in markets the CFPB has defined by rule, and firms the CFPB designates by order as posing risks to consumers. Unless a Virginia consumer finance company falls into one of those categories, it will not face routine CFPB examinations. It remains exposed to CFPB enforcement, however: the CFPB retains enforcement authority over all covered persons, regardless of asset size, for violations of Federal consumer financial law. That said, the smaller the lender, the less likely an enforcement action from the CFPB, especially in the current political climate, in which the CFPB has taken a more hands-off approach. 

What About Compliance Requirements from Virginia? 

The Role of State Attorneys General 

Under the Consumer Financial Protection Act (12 U.S.C. § 5552), state attorneys general can bring civil actions to enforce Title X, including its prohibition on offering a consumer financial product or service in violation of Federal consumer financial law, which reaches the GLBA privacy provisions. That means the Virginia Attorney General could bring an enforcement action if a Virginia consumer finance company violated Reg P. Again, this is unlikely unless there is a major violation of the law: for instance, a large identity theft breach at a non-affiliate that was marketing consumer information obtained from the Virginia consumer finance company, injuring a large number of consumers, AND the consumer finance company never provided the Reg P notice that would have let its loan applicants opt out of that sharing and prevent the injury. 

Virginia’s State Corporation Commission: The Catch-All Authority 

Perhaps the most important hook for Virginia consumer finance companies is the state’s own supervisory and enforcement power. Under Va. Code § 6.2-1541(A)(7), the State Corporation Commission (SCC), acting through its Bureau of Financial Institutions, can revoke or suspend a consumer finance license if a licensee: 

“Has violated any provision of this chapter or any other law or regulation applicable to the conduct of his business.” 

That phrase— “any other law or regulation applicable to the conduct of his business”—is the broad catch-all. 

It means that if you fail to comply with Reg P, the SCC can treat that violation as grounds for: 

  • Issuing a cease-and-desist order 
  • Imposing civil fines or penalties 
  • Suspending or revoking your license 

This means that a consumer finance company’s STATE license could still be on the line if the SCC determines you violated FEDERAL law and regulations, GLBA and Reg P specifically. 

Borrower Redress: No Private Right of Action for Reg P violations, but Other Risks 

It is important to be clear: there is no private cause of action under Reg P. Borrowers cannot directly sue a Virginia consumer finance company for failing to send privacy notices or for mishandling data under Reg P. 

But that does not mean Virginia consumer finance companies are safe from borrower litigation. Consumers could try to reframe their claims under state common law: 

  1. Breach of Contract – If your loan agreement or privacy policy makes specific promises about data use (“we do not share your data”), breaking that promise can be litigated as a breach of contract. 
  2. Negligence / Negligent Disclosure – Plaintiffs sometimes argue you had a duty to exercise ordinary care in protecting sensitive information and failed to do so. The elements are duty, breach, causation, and actual damages, and courts usually require tangible harm such as financial loss or a concrete risk of identity theft. 
  3. Other Tort Claims – In rare cases, plaintiffs may try invasion of privacy or unjust enrichment theories, though these are harder to prove in Virginia. 

Even if these claims are difficult for consumers to win, the reputational and financial costs of defending against them are real. 

Comparative-law side note: no state creates a private right of action for Reg P itself, but consumers in New York could sue under a deception theory. New York General Business Law § 349 lets private plaintiffs sue over deceptive practices, so a lender that misrepresents its data handling or privacy practices could face a private claim there. 

Practical Compliance Takeaways for Virginia Consumer Finance Companies  

  • Send required privacy notices. Under Reg P, this means at account opening and annually thereafter, unless you qualify for the annual-notice exception in 12 CFR 1016.5(e); if you rely on the exception, document why you qualify and re-check it whenever your sharing practices change. 
  • Keep your Safeguards Rule program strong. Document security policies and employee training. 
  • Avoid overpromising. Don’t put statements in your privacy policies that you may not be able to keep. 
  • Monitor consumer complaints. Regulators expect you to track and respond, and complaints can show up in the CFPB’s public database. 
  • Recognize overlapping oversight. The CFPB (rules and enforcement), the FTC (UDAP and Safeguards Rule authority), the Virginia Attorney General (state-level enforcement of federal consumer financial law), and the SCC (licensing and civil monetary penalty authority) all have potential hooks. 

Bottom Line 

Privacy compliance under Reg P is not just about sending out a form; it is about managing risk across multiple enforcement layers:

  • The CFPB owns Reg P rulemaking and enforces it. 
  • The FTC still has UDAP authority and the Safeguards Rule; and for Virginia consumer finance companies: 
  • the Virginia Attorney General can sue under federal consumer financial law; and 
  • the Virginia SCC can suspend or revoke licenses under its broad catch-all provision. 

Borrowers can’t sue you directly under Reg P, but if you mishandle privacy obligations, you face serious regulatory exposure and potential common-law claims. 

Lesson for lenders: Treat consumer data privacy as a license-critical issue. 

Disclaimer: This blog post is for informational purposes only and is not intended to provide legal, financial, or tax advice. You should consult your own attorney, financial advisor, or tax professional regarding your individual situation and any legal obligations applicable to your business or personal finances.


Email: david@boyledown.com
Phone: (631) 379‑0306
Mailing Address:
Boyledown Lending Inc.
285 Crockett Hill Lane
Cross Junction, VA 22625

  1. The Three Pillars of GLBA Privacy and Security 
    When we talk about “GLBA compliance,” we’re really talking about Title V of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6827). Title V is where Congress laid out the rules for protecting consumer financial information. It has two subtitles, and within them, three distinct obligations: 
    1. Subtitle A — Privacy and Safeguards (15 U.S.C. §§ 6801–6809) 
    This is the heart of GLBA. Subtitle A contains two closely related—but separate—requirements: 
    The Privacy Rule (Regulation P) 
    Based on §§ 6802–6804. 
    Requires financial institutions to give initial and annual privacy notices. 
    Limits disclosure of nonpublic personal information to non-affiliated third parties unless notice + opt-out is provided. 
    The Safeguards Rule (FTC, 16 C.F.R. Part 314) 
    Based on § 6801(b). 
    Requires financial institutions to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards. 
    Applies broadly to non-bank lenders, including Virginia consumer finance licensees. 
    In short: Privacy Rule = notice and choice. Safeguards Rule = security program. Both come from Subtitle A, but they serve different purposes. 
    2. Subtitle B — Fraudulent Access (15 U.S.C. §§ 6821–6827) 
    These provisions are sometimes called the “pretexting” rules. They make it illegal to obtain customer financial information by false pretenses, such as phishing or impersonating the customer, or to solicit someone else to do so. These sections carry criminal penalties and sit alongside the civil regulatory framework. 
     
    Putting It Together 
    If you’re a licensed consumer finance company in Virginia, here’s the layered takeaway: 
    Regulation P (Privacy Rule): Notice + opt-out obligations. 
    Safeguards Rule: Build and maintain a security program. 
    Pretexting Provisions: Don’t let customer data be obtained or misused through deception. 
    They’re all under Title V of GLBA, but they cover different slices of the same problem—how to keep borrower information private, secure, and out of the wrong hands. 
      ↩︎
  2. Disclosure of nonpublic personal information to affiliates is governed instead by the Fair Credit Reporting Act (affiliate-sharing opt-out) and Regulation V (affiliate-marketing opt-out). In practice, those opt-outs are usually delivered in the same combined notice as the Reg P disclosures.  ↩︎
  3. FTC Privacy Rule vs. Safeguards Rule, and the Dodd-Frank transfer 
    16 C.F.R. Part 313 is the FTC’s GLBA Privacy Rule. It applied to financial institutions under FTC jurisdiction before Dodd-Frank, and set requirements for: 
    Privacy notices 
    Opt-out rights for consumers 
    Restrictions on sharing nonpublic personal information (NPI) with non-affiliated third parties 
    The FTC Safeguards Rule is a separate rule at 16 C.F.R. Part 314, focused on information security programs. 
     
    Dodd-Frank transfer (enacted 2010, effective July 21, 2011): Dodd-Frank § 1093 moved Reg P rulemaking from the FTC to the CFPB for most financial institutions. After the transfer: 
    The CFPB reissued the rule, substantially unchanged, as Regulation P at 12 C.F.R. Part 1016. 
    The FTC kept rulemaking only for certain motor vehicle dealers, who remain under 16 C.F.R. Part 313. 
    The FTC retains enforcement authority under 15 U.S.C. § 6805(a)(7) for financial institutions not subject to another federal regulator, concurrently with the CFPB. 
     
    Implications: Historical FTC cases and guidance under 16 C.F.R. Part 313 remain persuasive precedent when interpreting Reg P, because the CFPB adopted the rule substantially unchanged. For a small Virginia lender, the CFPB is now the primary federal regulator for Reg P, but FTC guidance can still inform compliance practices. 
     
    Summary: The FTC issued a GLBA Privacy Rule at 16 C.F.R. Part 313 before Dodd-Frank. Post-Dodd-Frank, the CFPB codified Reg P at 12 C.F.R. Part 1016, taking over rulemaking (except for certain carve-outs) and sharing enforcement with the FTC for non-bank institutions. 
      ↩︎
  4. Why Reg P is “Federal consumer financial law” 
    12 U.S.C. § 5481(12) lists the “enumerated consumer laws” the CFPB administers. Item (J) is the privacy provisions of GLBA (subtitle A of Title V), “except for section 505 as it applies to section 501(b),” which is the safeguards carve-out that leaves data security with the FTC and the prudential regulators. 
    12 U.S.C. § 5481(14) then defines “Federal consumer financial law” to include the enumerated consumer laws and any rule the CFPB prescribes under them, which is what makes Reg P enforceable by the CFPB and by state attorneys general. 
    The term “financial institution” itself comes from GLBA, 15 U.S.C. § 6809(3), and is carried into Reg P at 12 C.F.R. § 1016.3; it is what makes Reg P apply to consumer finance companies. 
     
    CFPB jurisdiction over privacy disclosures: 12 U.S.C. § 5512 gives the CFPB rulemaking authority over Federal consumer financial law, and 12 U.S.C. §§ 5531 and 5536 give it authority over unfair, deceptive, or abusive acts or practices (UDAAP) and over any act or omission in violation of Federal consumer financial law, including privacy disclosures under GLBA and Reg P. 
    The transfer of Reg P rulemaking from the FTC to the CFPB is codified in Dodd-Frank § 1093, which amended 15 U.S.C. §§ 6804 and 6805 to substitute the CFPB for the FTC as the rule-writer for most financial institutions. 
     
    Key takeaway: Under Dodd-Frank, privacy disclosures to consumers (Reg P) are part of Federal consumer financial law, which is under the CFPB’s jurisdiction. This is why the CFPB now regulates and enforces Reg P for covered financial institutions. 
      ↩︎
  5. Safeguards standards for prudentially regulated institutions 
    Banks do not follow the FTC Safeguards Rule; their regulators issued the Interagency Guidelines Establishing Information Security Standards (originally titled “Interagency Guidelines Establishing Standards for Safeguarding Customer Information”) under 15 U.S.C. § 6801(b): 
    FDIC-insured state nonmember banks: 12 C.F.R. Part 364, Appendix B 
    OCC-regulated national banks and federal savings associations: 12 C.F.R. Part 30, Appendix B 
    Federal Reserve-regulated state member banks and holding companies: 12 C.F.R. Part 208, Appendix D-2 and 12 C.F.R. Part 225, Appendix F 
    Federally insured credit unions (NCUA): 12 C.F.R. Part 748, Appendix A 
    These guidelines require a written information security program with administrative, technical, and physical safeguards, a risk assessment, board oversight, and oversight of service providers. 
     
    Relation to the FTC Safeguards Rule: the FTC rule at 16 C.F.R. Part 314 applies to financial institutions under FTC jurisdiction (non-bank lenders, mortgage brokers, and similar) and requires a written information security program, risk assessment, and safeguards, largely mirroring the prudential regulators’ guidelines. 
     
    Summary: Banks and credit unions under prudential regulators (FDIC, OCC, Federal Reserve, NCUA) must follow safeguards standards similar to the FTC Safeguards Rule. Each regulator codifies the requirements in its own regulations and guidance, but the core obligations (risk assessment, administrative/technical/physical safeguards, and oversight) are consistent. 
      ↩︎
