GLBA Nonpublic Personal Information Sharing with Bank Partners

What it is

Chime shares your financial and personal information with its partner banks (The Bancorp Bank and Stride Bank) and service providers as part of operating its financial services.

Why it matters (compliance & governance perspective)

Because Chime is a financial technology company and not a bank itself, your account and financial data flows to Chime's bank partners, which means your information is governed by multiple entities' privacy practices and regulatory obligations simultaneously.

This document changed recently

Consumer impact (what this means for users)

Your financial account data, including account balances, transaction history, and personal identifying information, is shared with Chime's bank partners and potentially their affiliates, expanding the set of institutions that hold and process your financial information.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: The GLBA Privacy Rule requires financial institutions to provide consumers with notice of their information sharing practices and an opportunity to opt out of sharing with nonaffiliated third parties in most circumstances. Both The Bancorp Bank and Stride Bank are federally chartered institutions subject to OCC supervision and their own GLBA obligations. The CFPB has supervisory authority over Chime's consumer financial product offerings. Coordination of GLBA privacy notices across Chime and its bank partners is a compliance requirement. GOVERNANCE EXPOSURE: Medium. The tri-party structure of Chime, The Bancorp Bank, and Stride Bank creates a complex data governance environment where each entity's GLBA obligations must be independently satisfied while the consumer-facing experience is managed through Chime. Compliance teams must ensure that the GLBA privacy notice provided to consumers accurately reflects all sharing that occurs across all three entities. JURISDICTION FLAGS: Federal GLBA requirements apply uniformly across all US users. California residents may have additional rights under CCPA with respect to data held by Chime as a technology company. The interplay between Chime's CCPA obligations and the bank partners' GLBA obligations requires careful analysis, as CCPA provides a carve-out for data subject to GLBA but only to the extent it actually is subject to GLBA. CONTRACT AND VENDOR IMPLICATIONS: The bank partner relationships should be reviewed to confirm data sharing agreements address GLBA-required safeguards, permitted uses of shared data, and obligations in the event of a data breach. The policy's reference to sharing with bank partner affiliates, in addition to the banks themselves, expands the data sharing scope and should be documented in vendor and partner agreements. COMPLIANCE CONSIDERATIONS: Legal teams should map all categories of personal data shared with each bank partner and confirm the GLBA annual privacy notice accurately reflects these flows. Consumer-facing opt-out mechanisms for GLBA-covered sharing should be tested to confirm they are operationally effective. Data breach notification obligations across all three entities should be coordinated.

Applicable agencies

Provision details

Other risks in this policy

• Third-Party Advertising and Tracking Technologies medium
• CCPA Rights for California Residents medium
• Broad Personal Information Collection Scope medium
• LiveRamp Identity Resolution Integration medium
• Data Retention and Deletion Rights low
• Children's Privacy and Age Restriction low