Case Study

Applying the Duty of Confidentiality and Privacy to the Sharing of Non-Public Personal Information

CFP Board has developed a series of case studies to provide practical guidance to CFP® professionals and their firms on the new Code and Standards. Each case study presents a hypothetical factual circumstance and then asks a question about a CFP® professional’s duty in that circumstance under the Code and Standards.


October 17, 2022

Becky Smith, CFP® has worked with Jeff and Susan Barnes for almost fifteen years in a financial planning relationship. The Barnes are very philanthropic – Becky has assisted the Barnes with numerous charitable donations and other charitable projects. The Barnes let Becky know that if there are potential opportunities to donate to charity in the future, Becky should let them know.

Becky has recently been nominated to serve on the steering committee for a well-known charitable organization. Becky wants to make a good impression, so she provides the Barnes' names, ages, and income levels to the charity so that it can solicit donations from the clients. She believes that they would be happy to be involved with her charity due to their prior philanthropy and their statements to Becky about potential charitable opportunities.


Did Becky violate the duty of confidentiality and privacy under CFP Board’s Code and Standards when she provided the clients’ names and income levels to the charity?

Response Options

Response A is not the best response because the statement from the Barnes about a future charitable opportunity would not constitute consent to provide non-public personal information to a third party.

Response B is the best response. This case involves the Duty of Confidentiality and Privacy (Standard A.9.).

A CFP® professional must keep confidential and may not disclose any non-public personal information about any prospective, current, or former Client (“client”), except that the CFP® professional may disclose information:

  1. For ordinary business purposes:
    • With the client’s consent, so long as the client has not withdrawn the consent;
    • To a CFP® Professional’s Firm or other persons with whom the CFP® professional is providing services to or for the client, when necessary to perform those services;
    • As necessary to provide information to the CFP® professional’s attorneys, accountants, and auditors; and
    • To a person acting in a representative capacity on behalf of the client;
  2. For legal and enforcement purposes:
    • To law enforcement authorities concerning suspected unlawful activities, to the extent permitted by the law;
    • As required to comply with federal, state or local law;
    • As required to comply with a properly authorized civil, criminal, or regulatory investigation or examination, or subpoena or summons, by a governmental authority;
    • As necessary to defend against allegations of wrongdoing made by a governmental authority;
    • As necessary to present a civil claim against, or defend against a civil claim raised by, a client;
    • As required to comply with a request from CFP Board concerning an investigation or adjudication; and
    • As necessary to provide information to professional organizations that are assessing the CFP® professional’s compliance with professional standards.

Here, while the Barnes requested that Becky inform them of any charitable opportunities, Becky shared the Barnes’ non-public personal information with the charity without first receiving permission from the Barnes. Becky did not share the information for ordinary business purposes or for legal and law enforcement purposes. Although Becky shared the information to gain stature at the charity she had just joined, Becky’s disclosure without the Barnes’ consent is improper.

Response C is not the best response because the clients’ names, ages, and income levels constitute non-public personal information and cannot be shared with third parties without consent.

Response D is not the best response because there is no requirement under the Code and Standards for the third party to take action with the non-public personal information that they receive.




Relevant Standards: Confidentiality and Privacy (Standard A.9.).


Access More Guidance Materials

This compliance resource is part of a full library of resources that CFP® professionals can use to comply with the Code and Standards. More guidance materials can be found in our Compliance Resources Library.
