Privacy Policy Handbook (2024)

Section 1:

Overview of Privacy Policy Requirements

The Privacy Rule governs when and how banks may share non-public personal information about consumers with unaffiliated third parties.

The rule contains two principles: notice and opt-out. In summary:

  • All banks must develop initial and annual privacy notices. The notices should describe, in general terms, the bank's information sharing practices.
  • Banks that share non-public personal information about consumers with unaffiliated third parties (beyond the opt-out exceptions set forth in the Privacy Rule) must also provide consumers with:
    • an opt-out notice
    • a reasonable period within which the consumer can opt out

A few key concepts used throughout the Privacy Rule are critical to understanding the scope and application of the Rule. Refer to Section Four of this handbook for an explanation of:

  • non-public personal information
  • the distinction between consumers and customers
  • unaffiliated third party

Exceptions to the opt-out: A consumer cannot opt out of all information sharing. First, the Privacy Rule does not apply to information sharing between affiliated parties. Second, the rule contains exceptions that allow the transfer of non-public personal information to unaffiliated third parties in order to process and service a consumer's transaction and to facilitate other normal business transactions. For example, consumers may not be able to opt out when non-public personal information is shared with an unaffiliated third party to:

  • market the bank's own financial products or services
  • market financial products or services offered by the bank together with another financial institution (joint marketing)
  • process and service transactions that the consumer requests or authorizes
  • protect against possible fraud or unauthorized transactions
  • respond to a lawsuit
  • meet federal, state or local legal requirements

Application of exceptions: A bank may have to meet disclosure and other requirements for the rule's opt-out exceptions to apply. For example, the joint marketing exception requires a contractual agreement between two unaffiliated financial institutions to:

  1. jointly offer, support or sponsor the financial product or service, and
  2. restrict further use or disclosure of the transferred consumer information

In addition, the bank must include a separate statement about the joint marketing agreement in the privacy statement.

Ban on sharing account numbers: The Privacy Rule prohibits a bank from disclosing an account number or password for a credit card, deposit or transaction account to an unaffiliated third party for use in marketing. The rule contains two limited exceptions to this general prohibition. A bank may share account numbers with a service provider for marketing the bank's own products, as long as the service provider is not authorized to initiate direct debits on the accounts. A bank may also disclose account numbers to a participant in a private label or affinity credit card program when the participants have been identified to the customer. An account number does not include a number or code in encrypted form, as long as the bank does not also provide the means to decode the number.

Restrictions on reuse and redisclosure: The Privacy Rule restricts the reuse and redisclosure of non-public personal information received from an unaffiliated financial institution or disclosed to an unaffiliated third party. The specific limitations depend on whether the information was received under one of the exceptions or outside of the exceptions (that is, subject to an opt-out notice).

State law: A provision of state law that provides greater consumer protection than the privacy provisions of the GLBA takes precedence over the federal Privacy Rule. A bank must comply with the provisions of that state law to the extent they provide greater consumer protection than the federal Privacy Rule. The Federal Trade Commission determines whether a particular state law provides greater protection.

Notices About the Protection of Personal Information

Every bank must prepare initial and annual privacy notices, even if the bank does not share information with unaffiliated third parties.

Notice content: The initial, annual and revised notices must include, as applicable:

  • categories of information that a bank collects (all banks)
  • categories of information that a bank may disclose (all banks; a bank that does not intend to disclose information, or that only discloses information under the exceptions, may simply say so)
  • categories of affiliates and non-affiliates to which a bank discloses non-public personal information (all banks that share non-public personal information with an affiliated or unaffiliated third party)
  • practices for sharing information about former customers (all banks)
  • categories of information disclosed under the service provider/joint marketing exception (only banks that rely on this exception)
  • the consumer's right to opt out (only banks that disclose information outside the exceptions)
  • disclosures under the Fair Credit Reporting Act (only banks that provide an FCRA opt-out notice)
  • confidentiality and information security disclosures (all banks)

A revised notice may be required when a bank changes its information sharing practices.

The following table sets forth the rule's requirements for providing initial, annual, and revised notices to consumers and customers.

[Table image: requirements for providing initial, annual, and revised notices]

Opt-out notice

The rule provides that an opt-out notice is sufficient if it:

  • identifies all categories of non-public personal information that the bank intends to disclose to unaffiliated third parties
  • states that the consumer can opt out of the disclosure
  • provides consumers with a reasonable means to opt out, such as a toll-free telephone number

The table below summarizes the rule's requirements for providing an opt-out notice.

[Table image: requirements for providing an opt-out notice]

Opt-out right: If a bank wants to share non-public personal information outside the exceptions, it must also:

  • give consumers a reasonable opportunity to opt out. The examples in the Privacy Rule give consumers 30 days to respond to the opt-out notice when the bank delivers the notice by mail or electronically
  • comply with a consumer's opt-out direction as soon as practicable when the direction is received after the initial opt-out period has expired
  • comply with the opt-out direction until it is revoked in writing by the consumer

Delivery of notices: The initial, annual, revised and opt-out notices may be provided in writing or, if the consumer agrees, electronically. An oral description of the notice is not sufficient.

Section two

Section two has been repealed. It concerned preparation for the compliance deadline for the Privacy Rule, which was July 1, 2001, and is therefore no longer relevant.

Section three:

Enforcement of Compliance

The following activities can help a bank achieve and maintain compliance with the Privacy Rule.

  • Develop controls to monitor ongoing compliance. Consider mechanisms for monitoring:
    • providing initial and annual notices to customers
    • providing initial notice to consumers who are not customers, if applicable
    • compliance with opt-out instructions, where relevant
    • the accuracy of privacy statements, including prior approval of:
      • new marketing programs
      • new or renewed supplier contracts
      • disclosure of account numbers
      • affiliate referral programs
      • reuse of consumer information received from another financial institution
  • Train employees. All employees must understand the bank's policies and procedures for complying with the Privacy Rule. Some employees must be able to explain the bank's privacy policy to customers and to companies that provide services to the bank.
  • Audit compliance. Periodic audits will help management assess risks and verify the effectiveness of the compliance program. The Federal Financial Institutions Examination Council (FFIEC) will release the privacy examination procedures effective July 1, 2001. The examination procedures will be a useful tool in developing a privacy audit program.

The interagency examination procedures will be sent directly to insured depository institutions once completed. The procedures will also be available on the FDIC's website at www.fdic.gov when they are finished.

Section Four:

Learning the Lingo

Learning the language will help you understand and comply with privacy regulations. This section explains key terminology.

Who Must Comply with the FDIC Privacy Rule?

The FDIC Privacy Rule refers to the financial institutions required to comply with the rule as “you.” For example, if the rule says you must provide a notice, that means all entities covered by the rule must provide a notice. The following definition of “you” explains which types of entities are covered by the rule:

You: The banks that must comply with the FDIC's rule are:

  • banks supervised by the FDIC
  • insured state branches of foreign banks
  • subsidiaries of FDIC-supervised banks and of insured state branches of foreign banks, with certain exceptions, such as insurance, securities, or brokerage subsidiaries

Although the FDIC's rule only applies to certain banks and some of their subsidiaries, all financial institutions must comply with similar privacy rules adopted by their regulators. For example, although securities subsidiaries of FDIC-supervised banks are not required to comply with the FDIC's Privacy Rule, they must comply with a similar privacy rule adopted by the Securities and Exchange Commission.

Who is protected by the Privacy Rule?

The Privacy Rule protects “consumers.” All consumers receive the same privacy protection.

However, a subset of consumers, defined as customers, must receive certain information, such as an annual privacy notice, that need not be provided to consumers who are not customers.

It is therefore important to understand the distinction between consumers and customers in order to understand the different notice requirements under the Privacy Rule.

Consumer: Any individual who seeks to obtain or has obtained a financial product or service from a bank for personal, family or household purposes is a consumer of that bank. The definition of consumer includes individuals who:

  • apply for a financial product or service (e.g. a loan or deposit account) for personal, family or household purposes
  • actually obtain a financial product or service (e.g. a loan or deposit account) for personal, family or household purposes

Customer: As the following diagram shows, customers are a subset of consumers. A customer is a consumer with whom a bank has a continuing relationship. Although the rule does not define a “continuing relationship,” it provides examples of transactions that are and are not considered continuing relationships. Consumers who have a deposit account, take out a loan or receive investment advisory services are considered customers. See section 332.3(i).

[Diagram image: customers as a subset of consumers]

Additional guidance regarding the consumer relationship can be found in the Supplementary Information (Preamble) to the rule, which notes that an ongoing relationship is established "where a consumer typically receives some level of continuing service after or in connection with a transaction." See page 35168, Federal Register, Vol. 65, no. 106.

The following diagram shows the relationship between all individuals who do business with a bank and those who meet the legal definitions of consumers and customers. As the diagram shows, only a portion of the people who do business with a bank are consumers under the Privacy Rule. For example, individuals are not considered consumers under this rule if they are commercial customers, grantors or beneficiaries of trusts for which the bank is trustee, or participants in a bank-sponsored employee benefit plan.

[Diagram image: individuals who do business with a bank, consumers, and customers]

What type of information is protected by the Privacy Rule?

The rule identifies three primary categories of information:

  • publicly available information
  • personally identifiable financial information
  • non-public personal information

Non-public personal information is the category of information protected by the Privacy Rule. The definitions of publicly available information and personally identifiable financial information work together to describe and define non-public personal information.

  • Publicly available information is any information that a bank reasonably believes is lawfully made available to the public. The nature of the information, not its source, determines whether it is publicly available information within the meaning of the Privacy Rule. For example, even if a bank obtains customers' telephone numbers or the estimated value of their homes directly from consumers, that information is considered publicly available if the bank has a reasonable basis to believe that the information could have been lawfully obtained from a public source. A reasonable basis exists if the bank has determined that (a) the information is of a type generally available to the public and (b) the individual has not blocked disclosure of that information. This means, for example, that a bank may treat a customer's telephone number as publicly available, but only if the bank takes steps to determine that the telephone number is not unlisted.
  • Personally identifiable financial information is any information that a bank collects about a consumer in connection with providing a financial product or service. This includes:
    • information provided by the consumer during the application process (e.g. name, telephone number, address, income)
    • information resulting from the transaction involving the financial product or service (e.g. payment history, loan or deposit balances, credit card purchases)
    • information about the consumer obtained from other sources in connection with providing the financial product or service (for example, information from a consumer credit report or from court records)

Personally identifiable financial information also includes any information that is “disclosed in a manner that indicates that the individual is or has been your consumer.” See section 332.3(o)(2)(i)(D). So the very fact that someone is a consumer of a bank is personally identifiable financial information.

  • Non-public personal information, the category of information protected by the Privacy Rule, includes:
    1. personally identifiable financial information that is not publicly available information; and
    2. lists, descriptions, or other groupings of consumers that are either
      (a) derived from personally identifiable financial information that is not publicly available information, or
      (b) contain personally identifiable financial information that is not publicly available information.

A list is considered non-public personal information if it is generated using customer relationships, loan balances or other personally identifiable financial information that is not publicly available. A list is also considered non-public personal information if it contains non-public personal information.

For example, in jurisdictions where mortgage documents are public records, a list of the names and addresses of all persons to whom a bank has made a mortgage loan would not be non-public personal information, because it was generated using publicly available information and contains only publicly available information. However, the list would become non-public personal information if it included current loan balances, or if it were generated using only customers whose current mortgage balance exceeds a certain amount.

The two categories of non-public personal information are shown in the following diagram.

[Diagram image: the two categories of non-public personal information]

Who are unaffiliated third parties?

The Privacy Rule restricts the sharing of information with unaffiliated third parties. The rule defines unaffiliated third parties as persons or entities other than affiliates and other than persons jointly employed by a bank and an unaffiliated third party. Affiliates generally include a bank's subsidiaries, its holding company, and the other subsidiaries of that holding company. See sections 332.3(a), 332.3(d), and 332.3(g).

The Privacy Rule does not restrict information sharing with affiliates. However, it does require the bank to disclose its policies and practices for such sharing. (Note: the rules for sharing information between a bank and its affiliates are set forth in the Fair Credit Reporting Act.)

Although the Privacy Rule generally uses the term “unaffiliated third parties,” there are some instances where it distinguishes between unaffiliated financial institutions and all other unaffiliated third parties. Readers should pay particular attention to these differences. See section 332.13.


FAQs

Can I write my own privacy policy?

Yes, you can write your own privacy policy. You don't need to hire a lawyer to write a policy for your website or app; using a privacy policy template will help you include all the clauses necessary to explain your data-handling practices to users.

What is legally required in a privacy policy?

A Privacy Policy is a legal document that discloses details about what personal data you collect, how and why you use it, what the individual's data rights are, and more. In this guide, we've used the term Privacy Policy; some laws use other terms such as Privacy Notice or Privacy Statement.

Do I have to read a privacy policy?

You're not obliged to read them, but it may be in your best interest to do so. If you don't read them but accept them when signing up for a website or service, you're still bound by them, and they apply to you whether you've read them or not.

Is a privacy policy generator legit?

Yes, it is generally okay to use a privacy policy generator to create a privacy policy for your website or app. Many businesses and website owners use privacy policy generators to ensure compliance with relevant laws and regulations.

Can you just copy and paste a privacy policy?

It is illegal to copy a privacy policy. Privacy policies are protected by copyright, so copying another website's privacy policy puts your business at risk of legal penalties. Your privacy policy should fit the unique needs of your website and comply with any applicable data privacy laws around the world.

Can I write my own privacy policy for my website?

Another budget-friendly option is to write your own policy using a template or sample, which gives you the utmost control over the policy. This way, you'll have an idea of which information should go into a basic website privacy policy. Then, you can add any policies unique to you, your business or your website.

Who writes a privacy policy?

Privacy policies and other user-facing information and notifications must be clear, transparent and understandable to the average person. Qualified legal counsel should be involved in writing and maintaining a privacy policy, but users should not have to be lawyers to understand it.

What states require privacy policies?

Currently, there are 15 states (California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire) that have comprehensive data privacy laws in place.

What happens if I don't have a privacy policy?

It helps you avoid legal battles and fines. If nothing else convinces you to have a privacy policy, the threat of legal action should. If you collect data without a clear privacy policy, you expose yourself to potential fines and lawsuits that can cost you more than you might expect.

What should a privacy policy look like?

Your Privacy Policy agreement should inform your users about how your website or app handles their personal information. Your users must also be informed about the reason for the collection of information, as well as how long their data will be stored on your servers.

Is it safe to agree to a privacy policy?

A privacy policy is a legal document that explains to users how their data will be collected and used by the company and any third parties or affiliates. Remember, when you click "I agree" on these documents, your approval is legally binding.

What happens when you agree to a privacy policy?

By placing "I Agree to Privacy Policy" checkboxes at different points of personal data collection, you give your users an opportunity to consent to your data practices. You also protect yourself from violations of the GDPR or CalOPPA by avoiding the potential of processing data without consent.

Should I pay for a privacy policy?

If you don't have one in place, you could be subject to hefty fines and legal problems. Losing trust: users expect to see a privacy document on your website or app. If you don't have one, they might not trust you or may think you don't care about their privacy.

Are there free privacy policy generators?

Yes, the Free Privacy Policy Generator is free to use. We provide free policies for websites and apps. You can choose to get our premium and professional Privacy Policy that includes more provisions and clauses to better protect your business, website or app.

What company has the best privacy policy?

Apple (Most Trusted Brand)

The organization encrypts all data stored on its devices and has a strict policy against collecting and sharing user data without explicit consent. Apple also provides detailed information about its privacy practices and allows users to control the data that is collected and shared.

How do I create a simple privacy policy?

How to write a privacy notice and what goes in it:
  1. your full contact details;
  2. the types of personal data you collect;
  3. where you got people's data from, if it wasn't from them;
  4. why you have people's information and what you're doing with it;
  5. your lawful basis and your legitimate interests where relevant;

Who should write a privacy policy?

You may want to consider having a lawyer write your Privacy Policy if your business collects a large amount of personal information and/or has users in other countries with complex privacy laws.

How much does it cost to make a privacy policy?

Q: How much does a privacy policy cost? A: A privacy policy costs anywhere between $500 and $3,000 if you're using an attorney. If, however, you're using a privacy policy generator online, expect to pay only a fraction of that. For example, a basic privacy policy created using TermsFeed can cost only $30-$70.

How much does it cost to draft a privacy policy?

Factors that affect the cost of a privacy policy: prices for having legal agreements such as a Privacy Policy drafted tend to range from anywhere between $500 and $3,000. The difference depends on a number of things, but one of the main ones is simply how the needs of one business differ from the needs of another.

Article information

Author: Msgr. Refugio Daniel