Privacy of Consumer Financial Information
4. The following accounts were opened at State National Bank: • John Doe • John Doe and Joe Smith • Mary Smith and Joe Smith • Fred Richards and Mary Smith Assuming the initial privacy notice did not change, what is the minimum number of initial privacy notices the bank must give? a. Three b. Four c. Six d. Seven
B
A consumer applies for a cash-out home refinance loan at ABC Bank where she has a deposit account relationship. Her current mortgage is held at XYZ Bank. She provides her telephone number, income, total assets, and social security number on the loan application. ABC Bank obtains her current address from a list of its depositors. Her name and telephone number are listed in the local phone directory. According to the Privacy of Consumer Financial Information (Privacy) regulation, which of the following is considered nonpublic personal information for this consumer? A. Name B. Address C. Telephone Number D. Current mortgage
B
What are the exceptions to providing an opt out notice when a bank shares PII to nonaffiliated third parties?
Banks do not have to comply with the opt-out requirements if they limit disclosure of nonpublic pelegal rersonal information: 13. sharing with service providers and/or joint marketers with an agreement (the bank must have a contract w/ the party and give out initial notices to consumers) 14. sharing with other entities in order to process and service consumer-authorized transactions (disclosures under this exception could be in connection with something else) 15. for third parties including attorneys, accountants, or to comply with legal requirements
2. ACME Bank has a joint marketing agreement with Friendly Brokerage Company whereby ACME and Friendly agree to jointly market certain financial products. ACME would like to refer customers to Friendly by providing the Friendly brokerage officer with names of ACME customers who might be interested in the financial products Friendly offers. Friendly has signed an agreement with ACME promising not to disclose any information about ACME's customers to others. What type of responsibility does ACME have to its customers under the Privacy Regulation? a. ACME must give a disclosure and opt-out opportunity to all customers. b. ACME has no disclosure or opt-out responsibilities. c. ACME must give customers a notice that it provides information to companies with which it has joint marketing agreements. d. ACME must give an opt-out option but no disclosure.
C
5. What should a compliance manager do FIRST to implement the third-party joint marketing agreement as required by the Privacy of Consumer Financial Information regulations? a. Notify the third party of the institution's opt-out policy b. Obtain approval of the board of directors prior to entering into a third-party contract c. Review the requirements for third-party joint marketing agreements and make certain the requirements are included d. Request a written statement from the third-party provider that certifies compliance with the regulation
C This step is necessary before having the board approve an agreement or requesting information from the third party.
A bank's privacy notice correctly describes its information sharing practices with financial service providers and contains an opt-out notice. The bank shares customer names and addresses with an unaffiliated mortgage company, if the customers have not opted out of such information sharing. The mortgage company uses that information to market its products to bank customers. Subsequently, the mortgage company provides the names and addresses to an affiliated insurance company. According to the Privacy of Consumer Financial Information (Privacy) regulation: A. the bank is not allowed to share information with the mortgage company. B. the mortgage company is not allowed to share information with the insurance company. C. the mortgage company is allowed to share information with the insurance company. D. there are no restrictions for sharing information once it leaves the bank.
C.
Which of the following is any company that controls, is controlled by, or is under common control with another company? A. nonaffiliated third party B. Sole proprietor C. Affiliate D. Vendor
C.
3. National Bank generally discloses information only to affiliated parties. However, in the following circumstances, it will disclose information to nonaffiliated parties. • It shares information with its service processor for the purpose of completing transactions. • It sends details of loan transactions to its lawyers so that documentation can be drawn. • It allows its external auditors to see transactions. • From time to time for business development purposes, it shares full loan files with an affiliated finance company that is owned by its holding company. Does National have any responsibility to provide customers an opt-out option? a. No. The bank shares only with affiliated parties except for the exemptions allowed by the privacy regulation. b. Yes. Any information sharing requires an opt-out notice. c. Yes. The loan transaction information given to the lawyers triggers the opt-out notice requirement. d. Yes. The bank must give a Fair Credit Reporting Act opt-out for the information, even for sharing with an affiliate.
D
7. A bank wants to generate revenue by selling banners on its Web site. Customers will be able to go to an advertiser's site by clicking on a banner on the bank's home page. Under the privacy regulations, what should the bank do? a. Revise its privacy disclosure b. Execute a confidentiality agreement with each advertiser c. Execute a joint marketing agreement with each advertiser d. Take no action, as none is required
D The requirements of Regulation P only apply when a financial institution discloses nonpublic personal information about consumers to nonaffiliated third parties. As long as the customer's effort to click on the banner does not cause the institution to share any nonpublic personal information with the advertiser, the institution has no additional responsibilities under Regulation P.
8. A bank provides several value-added services to checking account customers, such as free travel insurance provided by a nonaffiliated insurance company. Each month, the bank provides a list of customer names and addresses to the insurance company. What should be the compliance officer's GREATEST concern? a. That marketing materials clearly and conspicuously describe the travel insurance b. That consumers are aware of this valuable service so the bank retains their relationship c. That customer service representatives fully describe the features of the checking accounts d. That the bank has a written agreement with the insurance company and the bank's privacy notice accurately describes the relationship
D This step is crucial to compliance with the Privacy regulation. The other steps are important in marketing the bank's services, but not in privacy compliance.
True or False: A bank may provide customers a "short form" initial notice together with an opt out notice stating that the longer privacy notice is available upon request.
False, this can be given to consumers not customers
True or False: The bank does not have to send a privacy notice to a denied loan applicant with no customer relationship.
False, this person would be considered a "consumer" and a privacy notice would have to be provided before the bank discloses her nonpublic personal information to any nonaffiliated third party
consumers vs customers
consumers are people that obtained/or tried to obtain a product/service from the bank (ex: old customer or someone who was rejected a loan) customers are consumers who have "customer relationships" with the bank, meaning the relationship is ongoing
is a mortgage or security interest filing considered nonpublic personal information?
no this information is generally made available to the general public from government records, widely distributed media, or legally required disclosures to the general public
Mrs. Rutherford does not have a relationship with the bank, but purchases $5,000 in travelers checks. Is an initial privacy notice required if the bank does NOT intend to share her information with a nonaffiliated third party?
no, this is an isolated transaction, not a continuing customer relationship. An initial privacy notice is not required to consumers unless the bank intends to disclose personal information to a nonaffiliated third party
Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to ________________ _________ ____________, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure.
non-affiliated third parties
True or False: Customers are only entitled to initial privacy notices
partially true, customers are entitled to initial AND annual privacy notices (unless an exception applies) also, banks should send new privacy notices for each new product/service the customer gets if applicable
True or False: all customers are consumers, but not all consumers are customers
true
are names, phone numbers, and addresses considered nonpublic personal information?
yes also nonpublic personal information: SSNs, income, credit score, and info obtained through internet collection devices
If a bank shares information about customers' creditworthiness to a nonaffiliated company does the bank have to provide an opt out notice?
yes, it does not fall under one of the exceptions so consumers have to be given the opportunity to opt out
All of the following statements are true about opting out in joint relationships EXCEPT: A. A bank may permit each joint customer to opt-out separately B. A bank may require all joint customers to opt-out before you implement any opt-out election C. A bank may permit people in a joint relationship to make different opt-out elections
B is a false statement. Banks may not require all joint customers to opt-out before implementing any opt-out election
what is considered nonpublic personal information?
-generally any information that is not publicly available and that: -a consumer provides to a bank to obtain a financial product/service -results from a transaction between the consumer involving a financial product/service -a bank otherwise obtains about a consumer in connection with providing a financial product/service
What Act established the Privacy of Consumer Financial Information?
GLBA Gramm-Leach-Bliley Act
6. XYZ bank holding company is purchasing ABC Bank. ABC Bank will retain a separate charter. The compliance officer has been asked to develop a privacy policy and privacy notice for ABC Bank. What should the compliance officer do FIRST? a. Identify all of the information-sharing practices between ABC Bank and third parties b. Obtain a mailing list of ABC Bank's customers to ensure they receive a privacy notice c. Ensure that all of ABC Bank's joint marketing agreements contain confidentiality clauses d. Evaluate whether ABC Bank's systems can electronically support opt-out elections by customers
A While the other steps may be important, it is necessary to know what ABC Bank's information sharing practices are first.
If someone repeatedly uses a bank's ATM are they considered a customer or consumer?
A consumer
Which of the following is personal information. Select all that apply A. information collected through internet cookies which provides information on which websites a consumer frequents B. The name of a business customer C. Customer used to have diabetes D. Customer overdrafted their account one time
A, C, D
1. Acme Community Bank does NOT disclose any nonpublic personal information about its customers except to its computer processor, to its attorneys for loan documentation, and to a national credit reporting agency. What privacy notices is Acme required to give? a. Initial and annual notices to consumers and customers b. Initial and annual notices to customers c. Initial, annual, and opt-out notices to customers d. Initial, annual, and opt-out notices to customers and consumers
B
When must customers receive the privacy notice?
No later than the time the bank establishes a customer relationship
Does the GLBA cover small business loans?
No, only product/services for consumer purposes
is it considered reasonable if the consumer has to write their own letter as a means of opting out?
No, reasonable means include check-off boxes, a reply form, or a toll-free number
Are banks required to send opt out notices to all account holders who share a joint account?
No. One notice is sufficient.
How many privacy notices must be provided on a joint account?
One
True or False: Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its customers.
True
True or False: The GLBA Act only covers products/services for personal, family, or household purposes
True
If the bank's privacy notice has not changed since the previous year and does not trigger opt-out requirements are they still required to send out an annual privacy notice to customers?
Under these circumstances, the bank can send the annual notice using an alternative method (posting it to their website)
what are the exceptions to the timeline of the initial privacy notice?
banks may provide the privacy notice within a reasonable timeframe after the establishment of the customer relationship when: 1. an account is opened over the phone (customer agrees) 2. a bank purchases loans and the borrower did not have a choice 3. a bank assumes a deposit liability and the accountholder does not have a choice 4. A student program relationship where proceeds are disbursed promptly without prior communication (Title IV of the Higher Education Act of 1965)
Privacy notices must be clear and _____________.
conspicuous
are consumers entitled to notices?
consumers are entitles to an initial privacy and opt out notice before the bank shares nonpublic personal info to nonaffiliated parties (unless one of the exceptions apply)
—Consumers must be given the right to "____ _____" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party unless an exception to that right applies
opt out