Privacy Compliance Basics
What is covered?
Products for: Personal Use; Family use and Household Purpose
Privacy Expectations: Core Privacy Principles that all financial institutions should adhere to:
1. Safeguard all consumers information; 2. Limit data collection when possible; 3. Use information only for the purposes for which it was collected; 4. Maintain confidentiality.
Common sharing arrangements that fall outside of the three opt-out exceptions include
1. Sharing information about customers' information for purposes of affiliate marketing 2. Sharing information with nonaffiliated financial institutions for marketing, where there is no joint marketing agreement 3. Sharing information about customers' creditworthiness
So what are the exceptions? There are three categories of exceptions:
1. Sharing with other entities in order to facilitate the financial institution's business or to comply with legal requirements 2. Sharing with other entities in order to process and service consumer-authorized transactions 3. Sharing with other entities in order to facilitate the financial institution's business or to comply with legal requirements
When Opt-Out Provisions Do Not Apply
1. To persons acting in a fiduciary or representative capacity on behalf of the consumer 2. To persons holding a legal or beneficial interest relating to the consumer 3. For required risk control or for resolving consumer disputes or inquiries 4. To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability 5. With the consent of, or at the direction of a consumer, provided the consumer has not revoked consent To protect the confidentiality or security of a financial institution's records pertaining to the consumer, service, product, or transaction
The privacy notice must accurately describe how the financial institution collects, discloses, and protects personal information about its consumers. In addition, where it applies, it must also include:
1.Categories of affiliated and nonaffiliated third parties to whom information is disclosed 2.Categories of information disclosed 3.Categories of information disclosed and to whom under Joint Marketing Rule/Service Provider exception 4.Categories of information collected 5.Disclosures required by Fair Credit Reporting Act
Opt-Out Requirements: Regardless of when it was collected, a financial institution may not disclose any personal information about a consumer to a nonaffiliated third party, unless:
1.It has provided a privacy notice describing its privacy policy and practices 2.it has provided the individual an opportunity to opt out of the information sharing 3.It has provided the individual a reasonable opportunity to opt out before disclosing information to a nonaffiliated third party 4.The consumer does not opt out
Under the 3 exceptions
1.Sharing with other entities in order to facilitate the financial institution's business or to comply with legal requirements 2.Sharing with other entities in order to process and service consumer-authorized transactions 3.Sharing with service providers and/or joint marketers
Information Sharing Under the Fair Credit Reporting Act
1.The sharing is "clearly and conspicuously" disclosed to the consumer 2.Before information is shared to affiliates, the consumer has been given an opportunity to direct whether or not sharing about him or her takes place 3. The consumer has not opted out The FCRA states that this sharing agreement must be clearly and conspicuously disclosed to the consumer, and consumers must be given opportunity to opt-out to the first sharing of such information.
The privacy notice must accurately describe how the financial institution collects, discloses, and protects personal information about its consumers. In addition, where it applies, it must also include:
6.Right to opt-out If you disclose information to nonaffiliated third parties under the exceptions permitting to do so for processing or administering a financial transaction or to comply with legal requirements, a statement that the disclosures are made "as permitted by law."
2 of 3 Privacy Notice Exceptions Occasionally, the privacy notice may be delivered after the time a continuing customer relationship has been established. The privacy notice may be provided within a reasonable timeframe after the relationship is established when:
A customer relationship is established with an individual under a program authorized by a student program, such as Title IV of the Higher Education Act of 1965, where proceeds are disbursed promptly without prior communication between the financial institution and the customer.
1 of 3 Privacy Notice Exceptions Occasionally, the privacy notice may be delivered after the time a continuing customer relationship has been established. The privacy notice may be provided within a reasonable timeframe after the relationship is established when:
A financial institution and a customer agree to enter into a customer relationship and the customer agrees to receive the privacy notice at a later date in order to avoid a substantial delay in the transaction (for example, when the account is opened over the phone)
3 of 3 Privacy Notice Exceptions Occasionally, the privacy notice may be delivered after the time a continuing customer relationship has been established. The privacy notice may be provided within a reasonable timeframe after the relationship is established when:
A financial institution assumes a deposit liability and the accountholder does not have a choice about the assumption A financial institution purchases a loan and the borrower does not have a choice about the purchase
What if There's a Joint Relationship?
A financial institution may permit people in a joint relationship to make different opt-out elections A financial institution may permit each joint customer to opt out separately. If this is the case, the financial institution must permit one opt-out on behalf of all parties A financial institution may treat an opt-out election by a joint customer as applying to all those associated in the joint relationship
Privacy Breaches
A privacy breach occurs when personally identifiable information is shared with a third party without the impacted individual's permission or outside of the circumstances allowed by regulations. It is a breach of the trust that consumers have in their financial institution. It can significantly impact both individuals and financial institutions.
Mary Madison applies for a loan at Presidential Financial but is denied funding. She does not have an account at the institution - therefore, she does not have a customer relationship. When does Presidential Financial need to provide an initial privacy notice to her?
Before they initiate apple and share information with 3rd parties
First Federal changes its privacy disclosure and some of their practices. Privacy rules state that they are obligated to send a revised privacy notice that describes the new policies.
Correct. If a financial institution changes its disclosure policies or practices, it must provide a revised privacy notice that describes the new policies in the same way as the initial privacy notice.
Privacy Breaches When personally identifiable information is shared with a third party without the impacted individual's permission or outside of the circumstances allowed by regulations, it is important for all employees to take appropriate action to mitigate privacy breaches and promptly respond to them in accordance with their financial institutions procedures to reduce the harm the breach may cause. Privacy breaches can have significant impact on both the customer and the financial institution.
Customers entrust their personal information with financial institutions, and when that trust is broken, the breach can cause: • Embarrassment • Loss of employment or business opportunity • Identity theft • Negative customer experience In addition, privacy breaches can expose financial institutions to: • Reputational risk • Violation of federal or state law • Increased regulatory scrutiny • Financial loss • Loss of consumers' trust and business • Litigation risk
CAN-SPAM
E-mail marketing is governed by the terms of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. All marketing sent by e-mail, whether to individuals or businesses, must comply with the terms of the CAN-SPAM Act. The CAN-SPAM Act sets out rules for commercial e-mail, establishes requirement for commercial messages, gives recipients the right to stop you from e-mailing them, and details penalties for violations. The CAN-SPAM Act covers all commercial messages, which the law defines as "any electronic mail message for which the primary purpose is commercial advertisement or promotion of a commercial product or service."
Delivery Privacy Notice
For individuals who conduct transactions with the financial institution electronically, the privacy notice may be posted on the financial institution's website. These consumers must then acknowledge receiving the notice as a necessary part of obtaining the particular product or service. For joint accounts, only one privacy notice must be provided to the accountholders. A financial institution is free, however, to provide separate privacy notices to each account holder.
No continuing Customer Relationship
For those consumers who do not establish a continuing relationship, the privacy notice must be given prior to the time that the financial institution discloses personal information to a nonaffiliated third party. For convenience and to avoid a compliance gap, your financial institution may implement a procedure to provide a privacy notice at the time a consumer provides personal information to your financial institution.
Changes in Privacy Policies and Procedures
If the financial institution changes its disclosure policies and practices, it must provide a revised privacy notice that describes the new policies and practices to the consumer. If applicable, consumers must be given a "reasonable opportunity" to opt out under the new policies and procedures prior to disclosure of personal information. We will discuss opt-out provisions in closer detail later in this tutorial. If a financial institution changes its disclosure policies or practices, it must provide a revised privacy notice that describes the new policies in the same way as the initial privacy notice.
The Impact of Privacy Violations
Individuals entrust financial institutions with extensive personal information. A privacy breach is a breach of that trust, and the potential impact to individuals may include: 1. Embarrassment 2. Loss of employment or business opportunity 3.Identity theft 4.Negative customer experience
Responding to Privacy Breaches
It is important that every breach of consumers' information is taken seriously to maintain customer trust in the financial institution and to ensure compliance with regulatory expectations. Therefore, all privacy breaches must be reported properly to ensure they are handled quickly and thoroughly. Why is it important to promptly report breaches? Consider the previous question involving Larry, the window washer. What if Larry saw Mary's address, account number, or Social Security number and John, the financial institution employee, saw Larry viewing his screen but failed to report the privacy breach. Three months after the incident, Larry wants to buy his wife a beautiful necklace for their 25th wedding anniversary. Unfortunately, the necklace is out of Larry's price range. Larry, remembering the information he saw on John's screen, opens a credit card in the name of the customer. Could this identity theft have been prevented? Yes, it could have been prevented. If John reported the privacy breach, the customer may have been contacted and offered services such as credit monitoring to ensure situations like this are prevented. Reported privacy breaches help financial institutions with risk management strategies. A financial institution can identify the root cause of a privacy breach and develop sustainable solutions to prevent similar types of breaches from occurring, protecting both the customer's and the financial institution's reputation. In addition, regulatory guidance and some state laws require financial institutions to notify the customer of a privacy breach. Therefore, it is important for breaches to be reported so that the financial institution maintains compliance with applicable laws, regulations, and regulatory expectations.
Are privacy notice requirements satisfied if ABC Financial posts its privacy notice on a post board in a branch of the main office lobby that customers frequently walk past?
It is not sufficient to simply post the privacy notice in a branch office or to periodically advertise the privacy policies and practices.
Mailing a copy of the privacy notice to the customer Handing the customer a physical copy of the notice Posting a copy in the branch or main office lobby Electronic delivery through the financial institution's website When delivering the privacy notice to customers, which of the following methods is unacceptable? When delivering the privacy notice to customers, which of the following methods is unacceptable? COL_MC_Blue A. B.
It is not sufficient to simply post the privacy notice in the branch or main office lobby. All notices must be in the form the customer may keep or recall
In 2012, Mary closed her only account with ABC Financial. In 2014, is ABC Financial required to send Mary a Privacy Notice?
Mary does not have a continuing relationship with the financial institution, therefore an annual privacy notice is not required unless ABC Financial intends to share Mary's personal information with a nonaffiliated third party.
CAN-SPAM Requirements
Monitor what others are doing on your behalf (even if you contract with another company to handle your email marketing, you are still responsible for CAN-SPAM compliance) Honor opt-out requests promptly (within 10 business days) Tell recipients how to opt-out of receiving future emails from you Tell the recipients where you are located (valid post office address required) Identify the message as an advertisement Don't use deceptive subject lines Don't use false or misleading header information. The header information must be accurate and identify the person or business who initiated the message Compliance with CAN-SPAM laws is important as fines can include criminal and civil penalties. For example, violation of CAN-SPAM laws can result in a violation of $16,000 per e-mail which can add up very quickly.
Annual Privacy Notice
Must be provided to consumers having a continuing customer relationship with the financial institution at least once in any period of 12 consecutive months during which the customer relationships last.
Risk 1: Are we required to send opt-out notices to all account holders who share a joint account?
No. Financial institutions are not required to send separate privacy notices to all account holders of a joint account. One notice is sufficient.
Risk 2: One of our regular consumers is starting a business and applying for a small business loan. Is a privacy notice required?
No. The Gramm-Leach-Bliley Act (GLBA) protects individuals using or seeking to obtain a financial product or service offered by a financial institution for consumer purposes. Privacy regulations do not protect information about companies, partnerships, limited liability companies, business trusts, associations, or other entities.
In 2012, Mary closed her only account with ABC Financial. In 2014, is ABC Financial required to send Mary a Privacy Notice?
No.Mary does not have a continuing relationship with the financial institution, therefore an annual privacy notice is not required unless ABC Financial intends to share Mary's personal information with a nonaffiliated third party.
Sharing outside the exceptions
One way to understand what makes some arrangements permissible and others subject to opt-out is this: 1.Sharing under the exceptions involves sharing information in order to facilitate consumer, customer, or financial institution business; 2.Sharing outside the exceptions involves disclosing information that will be used for marketing purposes Opt-out choices must be honored within a reasonable time, typically within 30 days after the customer opts out.
Do-Not-Call
Privacy is not only the protection of personal information. Privacy involves the right to be left alone. Therefore, at many financial institutions, complying with "Do-Not-Call" and Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) laws falls within privacy considerations. The Federal Trade Commission maintains a Do-Not-Call Registry that allows individuals to effectively opt out from receiving sales calls. Financial institutions that conduct telephone sales are required to honor the do-not-call options on the Do-Not-Call Registry.
Who Is Protected By the GLBA?
Privacy regulations protect individuals using or seeking to obtain a financial product or service offered by a financial institution for consumer purposes. The key term is "consumer." The financial product or service must be used primarily for personal, family, or household purposes. Privacy regulations do not protect information about companies, partnerships, limited liability companies, business trusts, associations, or other entities. It also does not protect individuals who obtain a financial product or service for business, commercial, or agricultural purposes.
Carter opened his account relationship with his financial institution by mail. Is Carter considered a customer of his financial institution?
Regardless of how the account relationship started - in person, by mail, or online - each of these is the beginning of a customer relationship with a financial institution.
Affiliates v. Nonaffiliated Third Parties
Remember, the GLBA limits instances in which a financial institution may disclose personal information about a consumer to nonaffiliated third parties. To fully understand when the GLBA applies, then, you must understand what differentiates an affiliated third party from an unaffiliated third party.
The Impact of Privacy Violations
Reputational risk Violation of federal or state law Increased regulatory scrutiny Financial loss Loss of consumers' trust and business Litigation risk
Privacy Notices
Right to opt-out If you disclose information to nonaffiliated third parties under the exceptions permitting to do so for processing or administering a financial transaction or to comply with legal requirements, a statement that the disclosures are made "as permitted by law." Financial institutions that use the Model Consumer Privacy Notice (a copy of which can be downloaded from the Jobs Aids section of this course) are presumed to have made the disclosures required by law. Categories of affiliated and nonaffiliated third parties to whom information is disclosed Categories of information disclosed Categories of information disclosed and to whom under Joint Marketing Rule/Service Provider exception
Sally wants to build an additional bedroom to her three bedroom home. She has obtained a loan from ABC Financial. Is a privacy notice required?
Sally has obtained a loan to improve her home from ABC Financial, for which it has servicing rights. There is a continuing relationship with an individual that has obtained a financial product for consumer purposes.
Sally obtains a small business loan for a start-up business venture relating to social media. Is an Initial privacy notice required?
Sally has obtained a small business loan, which is not a financial product for a consumer purpose. A privacy notice is not required.
Mary applied for a loan with ABC Financial. John, the loan officer, orally informed Mary of the financial institution's privacy policy. Does John's oral notice satisfy the privacy notice requirements?
That's correct. An oral description of the provisions of a privacy notice, either given in person or over the phone, does not satisfy the privacy notice requirement.
Sue, an employee of First Federal, looks at the financial institution's computer system to view her brother's account balance to determine if he can repay a loan she made to him. Is this considered a breach?
That's correct. Assessing a family member's personal information without proper authorization is a privacy breach.
ABC Financial sends its customers a privacy notice along with an opt-out notice, requiring consumers to draft their own letter to indicate their opt-out preference. Is this a reasonable opportunity to opt out?
That's correct. Requiring consumers to draft a letter in order to opt out is not a reasonable means to exercise the right.
ABC Financial received a subpoena from a federal court requesting the account history for one of its customers. Is ABC Financial allowed to provide this information without providing its customer an opt-out notice?
That's correct. The GLBA permits a financial institution to disclose an individual's personal information without providing an opt-out notice, for purposes of complying with legal requirements.
Privacy Compliance
The FCRA outlines rules on how financial institutions may share information with affiliates, nonaffiliated third parties, for employment purposes, and with and by a consumer reporting agency.
Information Sharing Under the Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) permits affiliates to share any experience or transaction information of consumers with each other. It also allows affiliates to share any other information, including information from credit reports, if the following conditions are met:
Initial Privacy Notice 2
The GLBA defines a customer relationship to mean a continuing relationship between a consumer and a financial institution, in which the financial institution provides a financial product or service to the individual for personal, family, or household purposes (e.g., consumer purposes).
ABC Financial received a subpoena from a federal court requesting the account history for one of its customers. Is ABC Financial allowed to provide this information without providing its customer an opt-out notice?
The GLBA permits a financial institution to disclose an individual's personal information without providing an opt-out notice, for purposes of complying with legal requirements.
The Privacy Notice 1
The GLBA requires financial institutions to provide a privacy notice to individuals that are using or seeking to obtain a financial product or service for consumer purposes.
The Gramm-Leach-Bliley Act limits instances in which a financial institution may disclose nonpublic personal information to nonaffiliated third parties.
The Gramm-Leach-Bliley Act limits instances in which a financial institution may disclose nonpublic personal information to nonaffiliated third parties. Privacy rules do not afford protection to information about individuals who obtain a financial product or service for business, commercial, or agricultural purposes.
Regardless of when it was collected, a financial institution may not disclose any personal information about a consumer to a nonaffiliated third party, unless:
The consumer does not opt out It has provided the individual a reasonable opportunity to opt out before disclosing information to a nonaffiliated third party It has provided a privacy notice describing its privacy policy and practices It has provided the individual an opportunity to opt out of the information sharing
Annual Privacy Notices
The institution's information-sharing policies do not trigger the opt-out requirements of the GLBA (described later in this course). The information in the privacy policy has not changed since the previous year. The institution uses the model form developed by federal regulators. Institutions that meet these criteria must still notify customers annually of the availability of the privacy policy, such as by including the notification with a monthly statement. In addition, institutions must provide a paper copy within ten days to any customer who requests one by phone.
The Privacy Notice 3
The privacy notice describes the information collection and sharing practices of financial institutions. It is important that every employee review the privacy notice annually and ensure that they are collecting, using, and sharing consumer information in accordance with the disclosures in the privacy notice.
Privacy Expectations
The rapid growth of telecommunication technology in the 21st century has created new ways for people to share information. Although many individuals welcomed the opportunity to share their own information electronically, entities with whom these individuals did business could also easily share this personal information with each other.
Gramm-Leach Bliley Act
The rapid growth of telecommunication technology in the 21st century has created new ways for people to share information. Although many individuals welcomed the opportunity to share their own information electronically, entities with whom these individuals did business could also easily share this personal information with each other.A growing number of high profile cases involving privacy breaches emerged, which caused a great deal of frustration with financial institutions' perceived lack of concern for privacy protection. Many people voiced concerns that they had lost control over how their personal information was being used and shared with others
Does a financial institution need to provide a revised privacy notice explaining new policies before the new policies are effective?
The revised privacy notice must be provided, and the customer must be given a reasonable opportunity to opt out.
Gramm-Leach Bliley Act
These consumer complaints led to the creation of the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to safeguard personal information disclosed to them by consumers and to tell consumers how their information is collected and shared.
The Privacy Notice 2
Under the GLBA, privacy notice requirements vary for individuals classified as "consumers" and "customers." However, your financial institution may take a more conservative approach to ensure compliance and execute the same privacy notice procedures for all individuals using consumer products/services rather than distinguishing between "consumers" and "customers."
Opt-Out Notices
Whether your financial institution is required to provide consumers an opt-out privacy notice depends on the type of information that your financial institution shares. The GLBA established three categories called permissible sharing agreements, often referred to as "exceptions." Under the exceptions, a financial institution may share consumers' personal information with nonaffiliated third parties without first sending the consumer an opt-out notice.
Ericka is a new accounts representative that was hired one month ago. In order to make a good impression on all her customers, she takes little notes about their personal details. Take CJ Gregory for example: CJ Gregory: $10,000 Money Market balance, has Type 1 Diabetes, lives in new housing development in Broadview Park Would this information be classified as personally identifiable information?
Yes it would
Risk 3 - If we suspect that fraudulent activity is occurring on a customer's account, can we contact the customer if he or she has signed up for the National Do-Not-Call Registry?
Yes. The Do-Not-Call Registry stops individuals from receiving unsolicited sales calls. Calls to service the account are acceptable.
Initial Privacy Notice
a financial institution must provide a notice of its privacy policies and practices to individuals that become a customer no later than the time the financial institution establishes a customer relationship.
Amy is a new customer of ABC Financial. Upon opening her new account, ABC Financial provided her its privacy and opt-out notice. Amy is very sensitive about sharing her personal information and appreciated that ABC Financial asked her about her preferences. Amy selected to opt out of all sharing of her information for which she was given the option, including sharing with affiliates to market new products to her. A few months after opening her account with ABC Financial, she received a call from XYZ Financial Advisors, an affiliate of ABC Financial. XYZ Financial Advisors informed Amy that ABC Financial shared her information to XYZ Financial Advisors so that they could provide services that they know Amy would absolutely love! Did ABC Financial fail to honor Amy's opt-out preferences?
yes
It is not considered reasonable to require customers to write their own letters to the financial institution to opt out.
A financial institution may offer consumers the right to be selective in exercising their opt-out rights. For example, a consumer may want to opt out of marketing of certain products, through certain channels, or out of sharing specific personal information. If the financial institution elects to accommodate its consumers in this way, it must clearly inform the consumer about the choices and consequences of those choices. Remember, consumers have a continuing right to opt out at any time!
Steve and Kiley are in a long-term, long distance relationship. They have a joint checking account and they arrange to have statements sent to Kiley's address. Steve elects to opt out of any information sharing. What are the FI compliance with privacy regulations?
A financial institution may send a single opt-out privacy notice to one person, but they must accept an opt-out election from any person in the joint relationship. A financial institution may also treat an opt-out election as applying to the entire account, and the financial institution may not require any other individual in the relationship to opt out before implementing the initial opt-out election. The financial institution cannot require all joint customers to opt out before it implements any opt-out election.
Privacy Expectations
All consumers of a financial institution expect that their information will be kept confidential. Similarly, employees expect that their personal information, including employment information, will be kept confidential and used only for the purpose for which it was collected.
ABC Financial owns Alpha Financial and Beta Brokerage Firm. Therefore, Alpha Financial and Beta Brokerage are affiliates.
Alpha Financial and Beta Brokerage Firm have common ownership, and are therefore affiliates.
Under the Exceptions (cont.) Opt-Out Notices: Does the information that your financial institution shares with nonaffiliated third parties fit into one of these three categories?
An Opt-Out Notice is NOT required.However, if your financial institution discloses its consumers' personal information to third party service providers or joint marketers: 1. The third party must be contractually bound to use the disclosed information for specified purposes. 2. It must disclose these arrangements in the privacy notice, and
Affiliates v. Nonaffiliated Third Parties
An affiliate is any company that controls, is controlled by, or is under common control with another company. In contrast, a nonaffiliated third party is a company that does not control, is not controlled by, or is not under common control with another company. Additionally, a person that is not employed jointly by you or any company that is affiliated with you is considered a nonaffiliated third party.
Privacy Notices
An affiliate is any company that controls, is controlled by, or is under common control with another company. In contrast, a nonaffiliated third party is a company that does not control, is not controlled by, or is not under common control with another company. Additionally, a person that is not employed jointly by you or any company that is affiliated with you is considered a nonaffiliated third party.
John, a customer service specialist, is working in his office with floor to ceiling windows. He receives a call from Mary, a customer requesting account information. John pulls up the customer's information on his computer screen and resolves her concerns. After the call, John leaves his office to talk to a co-worker, but he does not log out of his computer. The customer's account information is still on the screen. Larry, the window washer, starts washing the windows in John's office. Larry looks at the computer and sees Mary's full name, but he cannot identify any other information. Is this considered a privacy breach?
Mary's name was disclosed to a third party without proper authorization. Identifying an individual as a customer of a bank is a privacy breach. Overdraft history, medical information revealed during the loan process, and information collected through cookies are types of personally identifiable information.
Mrs. Rutherford does not have a relationship with Presidential Financial, but stops in to purchase traveler's checks. She purchases $5,000 in traveler's checks. Is an initial privacy notice required if the bank does not intend to share her information with a nonaffiliated third party?
No.This is an example of an isolated transaction, not a continuing customer relationship. An initial privacy notice is not required unless the financial institution intends to disclose personal information to a nonaffiliated third party.
Suppose Mary and John share a checking account with ABC Financial. Is ABC Financial required to deliver a privacy notice to both individuals?
Only one privacy notice must be provided on a joint account. However, a financial institution is free to provide separate privacy notices to each account holder.
Privacy regulations apply only to nonpublic personal information about individuals who obtain a financial product or service to be used for which of the following purposes? Choose all that may apply.
Personal information about individuals who obtain a financial product or service for personal, family, or household purposes (i.e., "consumers") must follow privacy regulations.
Customers and Consumers
Privacy regulations protect a consumer's personally identifiable information that a financial institution collects about an individual in connection with providing the consumer with a financial product or service. Combined with public information, personally identifiable information could be used for identity theft, phishing attacks, etc. For example, Frank at First Federal gathers together a list of borrowers who all live in a certain area. This list includes information like phone numbers (publicly available) and Social Security numbers. The fact that these people have been put on a list because they are loan applicants is personally identifiable information - therefore, this list is deemed "personal information.
Frances O'Connor is seeking additional financial services to help her double the size of her small business. You directed her to speak with your branch manager. Do the privacy rules protect Frances's business request?
Privacy rules do not afford protection to information about individuals who obtain a financial product or service for business, commercial, or agricultural purposes.
Privacy rules
Privacy rules do not afford protection to information about individuals who obtain a financial product or service for business, commercial, or agricultural purposes..
What is not covered?
Products for: Companies; Partnerships; Limited Liability Companies; Business Trusts; Associations; Other business entities; Individuals who obtain a product or service for business, commercial, or agricultural reasons
ABC Financial sends its customers a privacy notice along with an opt-out notice, requiring consumers to draft their own letter to indicate their opt-out preference. Is this a reasonable opportunity to opt out?
Requiring consumers to draft a letter in order to opt out is not a reasonable means to exercise the right.
Sharing Outside the Exceptions
Sharing outside of these three exceptions is permitted, as long as the financial institution provides its consumers the opportunity to first opt out. In other words, if a financial institution shares information outside of the exceptions, then the financial institution must provide an opportunity for individuals to opt out of the sharing of personal information. Common sharing arrangements that fall outside of the three opt-out exceptions include: 1. Sharing information with nonaffiliated financial institutions for marketing, where there is no joint marketing agreement 2. Sharing information about customers' creditworthiness 3. Sharing information about customers' information for purposes of affiliate marketing
One way to understand what makes some arrangements permissible and others subject to opt-out is this:
Sharing under the exceptions involves sharing information in order to facilitate consumer, customer, or financial institution business Sharing outside the exceptions involves disclosing information that will be used for marketing purposes
Gramm-Leach Bliley Act - GLB The GLBA
The Gramm-Leach-Bliley Act (GLBA) was passed in response to the perception that financial institutions were not adequately protecting the privacy of personal information. As technology breakthroughs allow for greater information sharing among individuals and businesses, more consumers have become concerned with the extent that financial institutions share their personal information with other organizations. The GLBA requires financial institutions to safeguard personal information disclosed to them by consumers and to tell consumers how their information is collected and shared. The GLBA is consumer legislation. That is to say that the Act protects individuals using or seeking to obtain a financial product or service offered by a financial institution for consumer (personal, family, or household) purposes. The Act does not protect information about companies, partnerships, limited liability companies, business trusts, associations, or other entities. It also does not protect individuals who obtain a financial product or service for business, commercial, or agricultural purposes.
Opt-Out Notices Reasonable Means for Opting Out
The Opt-out Notice must provide a reasonable means by which the consumer may opt out. Examples of reasonable means to opt out, include: Mailing a form Calling a toll-free number For isolated transactions where there is no continuing customer relationship, like cashier's check purchases, if a financial institution intends to share personally identifiable information, reasonable opportunity is provided if the opt-out notice is given and the consumer elects whether to opt out as part of the transaction.t is not considered reasonable to require customers to write their own letters to the financial institution to opt out. A financial institution may offer consumers the right to be selective in exercising their opt-out rights. For example, a consumer may want to opt out of marketing of certain products, through certain channels, or out of sharing specific personal information. If the financial institution elects to accommodate its consumers in this way, it must clearly inform the consumer about the choices and consequences of those choices. Remember, consumers have a continuing right to opt out at any time!
Delivery of Privacy Notice
The privacy notice must be in writing and provide notice of collection and sharing practices, as well as instructions regarding the individuals' right to opt out of certain sharing of their information, in accordance with the law and regulations. The privacy notice must be delivered so that each consumer can reasonably be expected to receive the actual notice. The privacy notice may be delivered by mail or hand. It is not sufficient to simply post the privacy notice in the branch or main office lobby. All notices must be in the form the customer may keep or recall Annually. When a customer relationship is not established, the privacy notice must be provided prior to the use of any personally identifiable information the financial institution may have A customer relationship is established F
Do-Not-Call
There are a number of exceptions to honoring the do-not-call options, including calls for service or other non-solicitation calls. For example, if a customer's account is overdrawn and you want to call him to let him know, you would not be required to check the Do-Not-Call Registry. Another exemption is the established business relationship, which permits you to call a customer for sales call during the time he is a customer, as well as for 18 months after the customer relationship has ended. Fines for failing to honor the National Do-Not-Call-Registry can be as high as $16,000 per violation. For more information, go to http://www.telemarketing.donotcall.gov Certain states also require organizations to honor do-not-call choices that their residents have made on the state "Do-Not-Call" list. These requirements vary state by state.
Personally Identifiable Information
There has always been information about consumers that is publicly available: telephone directories contain the names, addresses, and telephone numbers of individuals who do not request an unlisted number. Privacy regulations protect the personally identifiable information that a financial institution collects in connection with providing the consumer with a financial product or service. While anyone can consult a telephone directory to look up a phone number, you cannot simply look up someone's Social Security number or checking account number. Personally identifiable information is kept private because in the wrong hands, this information could lead to identity theft and other crimes. Some examples of personally identifiable information include: • Previous medical history, credit scores and related information, and account numbers are personal information. These are all examples of personal information. Any information provided to the financial institution on an application for any consumer product or service • Information the financial institution gathers as a result of transactions with it or on its behalf involving financial products or services, such as payment history • Account balance, loan history, overdraft history, or debit or credit card purchase patterns gathered from servicing an account • Certain medical information revealed when credit life, health, or accident insurance is discussed in the loan process • The fact that an individual maintains or maintained an account at the financial institution, even when the account is closed • Information collected through an internet cookie • Information from a consumer report, such as a credit report from Transunion
Suppose Sally does not use any financial products or services from ABC Financial, but only has one bank account, which is with First Federal. On her way home from work one day, Sally stops by an ABC Financial branch to cash a check. Is there a continuing relationship?
There is not a continuing relationship. Although Sally is cashing a check at ABC Financial, she does not have an account with ABC Financial. This type of transaction is an isolated transaction that would not be considered a continuing customer relationship.
While privacy breaches can occur for a variety of reasons, the three most common are?
• Human error: These breaches occur when employees are unaware of the appropriate procedures or fail to follow them. • System error: These breaches occur when technology causes the breach due to maladjustment of the equipment or other "glitches." •Theft: These breaches occur when there is criminal intent or potential fraud activity. Financial institutions should ensure that any contract with a vendor addresses privacy considerations. Every privacy breach should be reported. Something that may seem insignificant at the time, such as an employee forgetting to log off of his computer, can possibly result in identity theft, for example. Promptly reporting and addressing all privacy breaches is not only an issue for compliance, but it can also help the financial institution's risk management strategy. By analyzing each instance, patterns can be detected and policies developed to minimize the risk of future breaches.