privacy statement
Section One: Overview of privacy rule requirements
The privacy rule governs when and how banks may share nonpublic personal information about consumers with nonaffiliated third parties.
The rule embodies two principles - notice and opt out. In summary:
- All banks must develop initial and annual privacy notices. The notices must describe in general terms the bank's information sharing practices.
- Banks that share nonpublic personal information about consumers with nonaffiliated third parties (outside of opt out exceptions delineated in the privacy rule) must also provide consumers with:
- an opt out notice
- a reasonable period of time for the consumer to opt out
Three terms used throughout the rule are explained in Section Four (Learn the Lingo):
- nonpublic personal information
- the distinction between consumers and customers
- nonaffiliated third party
Exceptions to opt out: A consumer cannot opt out of all information sharing. First, the privacy rule does not govern information sharing among affiliated parties. Second, the rule contains exceptions to allow transfers of nonpublic personal information to unaffiliated parties to process and service a consumer's transaction, and to facilitate other normal business transactions. For example, consumers cannot opt out when nonpublic personal information is shared with a nonaffiliated third party to:
- market the bank's own financial products or services
- market financial products or services offered by the bank and another financial institution (joint marketing)
- process and service transactions the consumer requests or authorizes
- protect against potential fraud or unauthorized transactions
- respond to judicial process
- comply with federal, state, or local legal requirements
- jointly offer, endorse, or sponsor the financial product or service, and
- limit further use or disclosure of the consumer information transferred
Prohibition on sharing account numbers: The privacy rule prohibits a bank from disclosing an account number or access code for credit card, deposit, or transaction accounts to any nonaffiliated third party for use in marketing. The rule contains two narrow exceptions to this general prohibition. A bank may share account numbers in conjunction with marketing its own products as long as the service provider is not authorized to directly initiate charges to the accounts. A bank may also disclose account numbers to a participant in a private label or affinity credit card program when the participants are identified to the customer. An account number does not include a number or code in encrypted form as long as the bank does not also provide a means to decode the number.
Limits on reuse and redisclosure: The privacy rule limits reuse and redisclosure of nonpublic personal information received from a nonaffiliated financial institution or disclosed to a nonaffiliated third party. The specific limitations depend on whether the information was received pursuant to or outside of the notice and opt out exceptions.
State Law: A provision under a State law that provides greater consumer protection than provided under the GLBA privacy provisions will supersede the Federal privacy rule. The bank will be obligated to comply with the provisions of that State law to the extent those provisions provide greater consumer protection than the Federal privacy rule. The Federal Trade Commission determines whether a particular State law provides greater protection.
Privacy Notices
Every bank must develop initial and annual privacy notices - even if the bank does not share information with nonaffiliated third parties.
Content of notices: The initial, annual, and revised notices include, as applicable:
- categories of information a bank collects (all banks)
- categories of information a bank may disclose (all banks, except a bank that does not intend to make any disclosures or only makes disclosures under the exceptions may simply state that)
- categories of affiliates and nonaffiliates to whom a bank discloses nonpublic personal information (all banks sharing nonpublic personal information with an affiliate or with a nonaffiliated third party)
- information sharing practices about former customers (all banks)
- categories of information disclosed under the service provider/joint marketing exception (only those banks relying on this exception)
- consumer's right to opt out (only those banks that disclose outside of exceptions)
- disclosures made under the Fair Credit Reporting Act (only those banks providing the FCRA opt out notice)
- disclosures about confidentiality and security of information (all banks)
The opt out right: If a bank intends to share nonpublic personal information outside the exceptions, it must also:
- provide consumers with a reasonable opportunity to opt out. Examples in the privacy rule give consumers 30 days to respond to the opt out notice when the bank delivers the notice by mail or electronically
- comply with a consumer's opt out direction as soon as reasonably practicable when the direction is received after the initial opt out period elapses
- comply with the opt out direction until revoked in writing by the consumer
Section Two: Get Ready for July 1, 2001
A bank's strategy for achieving full compliance by July 1, 2001, will vary depending on the complexity of the bank and the progress it has already made in complying with the requirements of the rule. The level of effort a bank will expend depends in large part on:
- the bank's previous efforts to assess or disclose information sharing practices
- the bank's decisions about sharing nonpublic personal information after July 1, 2001
- the volume, if any, of consumers and customers who must receive an opportunity to opt out before information sharing with nonaffiliated third parties can take place.
This section describes four steps toward compliance:
- establish a timeline for compliance
- develop privacy policies and notices
- deliver notices
- prepare to respond to consumers
1. Establish a timeline for compliance
A timeline designating important checkpoints prior to July 1, 2001, is a good place to start and can be instrumental to ensuring timely compliance.
A specific process for certifying completion of the various steps identified in the bank's privacy compliance strategy will help managers keep track of progress. When establishing due dates for specific activities, build in time to receive input and feedback from senior management and other stakeholders. Every bank should consider:
- Involving the Board of Directors: A board-approved privacy policy is not required by the rule, but it can be an effective way to involve the board of directors in developing a privacy compliance strategy. A board-sanctioned privacy policy can be useful in communicating the bank's overall privacy commitment and strategy to the entire organization.
- Involving representatives from each bank department: Most likely a senior bank officer will oversee development and implementation of the privacy compliance strategy. Nevertheless, participation from each department in the bank will help ensure nothing is overlooked. This approach will also help policy makers identify information sharing practices or consumer privacy issues unique to a specific department or to a financial product or service.
2. Develop privacy policies and notices
Use this opportunity to evaluate and establish institutional privacy objectives, and communicate to potential customers and consumers the bank's customer service philosophy.
- Create a comprehensive inventory of information collection and information sharing practices at the bank. The inventory will help ensure practices are properly disclosed in the bank's privacy notices. For every department, review:
- all applications and forms used to collect information about consumers
- marketing practices
- vendor contracts
- electronic banking and Internet activities
- fee income accounts
- record retention policies
- Assess current information collection and information sharing practices in light of the privacy rule obligations and the bank's objectives. Determine which practices should continue after July 1, 2001. This may be a good time to involve the bank's Board of Directors. Consider:
- whether any current practices would be prohibited under the rule
- which practices must be disclosed in the privacy notices and whether opt out rights apply
- whether account numbers are shared only as permitted by the rule
- whether information received from other financial institutions is shared only as permitted by the rule's reuse and redisclosure limitations
- whether to adopt voluntary privacy standards developed by relevant trade associations. Those standards could be good indicators of industry norms and consumer expectations
- Draft privacy notice(s). Create a list of information collection and information sharing practices that must be disclosed to consumers. This list can help you categorize practices per the rule requirements and decide how to structure notices. The privacy rule provides a variety of disclosure options. For example, banks may develop:
- one initial privacy notice that covers all the information sharing practices of the bank
- an assortment of initial notices for different customer relationships or different types of financial products or services
- one initial notice that covers the practices of the bank along with one or more of its affiliates
Likewise, the opt out notice may be structured in a variety of ways. When drafting notices, also consider:
- the sample clauses provided in Appendix A of the rule. Banks may use the sample clauses to the extent they accurately reflect the bank's practices.
- Fair Credit Reporting Act requirements and information security standards. The federal banking agencies have issued two proposed rules that may affect the compliance strategy and the content of privacy notices.
Both proposals will be finalized in the near future. When issued, the final rules will be available on the FDIC's Web site: www.fdic.gov. In the meantime, the proposals are posted on the Web site.
3. Deliver notices
- Identify consumers and customers who must receive the initial and opt out notices. It is important to identify all groups of existing customers, consumers, and former customers who must get the initial privacy notice and opt out notification. Some banks may need to coordinate several databases and a variety of departments to identify everyone who must receive a notice.
- Establish timeframes for mailing or otherwise delivering notices. Remember:
- All existing bank customers must receive an initial privacy notice no later than July 1, 2001.
- Existing bank customers, consumers who are not customers, and former bank customers have the right to opt out if the bank is sharing nonpublic personal information about them with nonaffiliated third parties outside the exceptions.
- Information sharing subject to opt out cannot continue after July 1, 2001, until the initial and opt out notices are delivered and a reasonable opt out period has elapsed. Therefore, banks that intend to share nonpublic personal information outside the exceptions after July 1, 2001 should deliver notices well before July 1.
4. Prepare to respond to consumers
- Develop opt out procedures. All banks sharing nonpublic personal information outside of the exceptions will need to develop procedures for consumers to exercise an opt out, as well as procedures for processing and complying with opt out directions. The opt out procedures should include:
- tracking the initial opt out opportunity (e.g., the first 30 days after the initial notice is delivered)
- recording opt outs received from consumers
- maintaining the opt out mechanism(s), such as a toll-free telephone number, electronic mail, or an opt out form with boxes to check
- complying with opt out directions received after the initial opt out opportunity elapses
- Respond to public inquiries. Customer service representatives and other bank employees should be prepared to answer questions from consumers about the new privacy notices. Depending on the number of employees answering consumer phone calls, it may be a good idea to provide scripts to help employees respond to questions from the public. In addition, it may be helpful to have extra copies of the privacy notice readily available for mailing or handing out to consumers.
Section Three: July 1, 2001
The following activities can help a bank achieve and maintain compliance with the privacy rule.
- Develop controls to monitor ongoing compliance. Consider mechanisms for monitoring:
- delivery of initial and annual notices to customers
- delivery of initial notice to consumers who are not customers, if applicable
- compliance with opt out directions, if applicable
- accuracy of privacy notices, including prior approval for:
- new marketing arrangements
- new or renewed vendor contracts
- disclosure of account numbers
- affiliate-referral programs
- reuse of consumer information received from another financial institution
- Train employees. All employees should understand the bank's policies and procedures for complying with the privacy rule. Some employees will need to be able to explain the bank's privacy policies to customers and to businesses providing services to the bank.
- Audit for compliance. Periodic audits will help management assess risk and verify the effectiveness of the compliance program. The Federal Financial Institutions Examination Council (FFIEC) will release interagency privacy examination procedures before July 1, 2001. The exam procedures will be a useful tool in developing a privacy audit program.
Section Four: Learn the Lingo
Learning the lingo will help you understand and comply with the privacy rule. This section provides an explanation of key terminology.
Who must comply with the FDIC's privacy rule?
The FDIC's privacy rule refers to financial institutions that must comply with the rule as "you." For example, when the rule states that "you must provide a notice" it means all entities subject to this rule must provide a notice. The following definition of "you" explains the types of entities subject to the rule:
You: The banks that must comply with the FDIC's rule are -
- FDIC-supervised banks
- insured state branches of foreign banks
- subsidiaries of FDIC-supervised banks and insured state branches of foreign banks, with certain exceptions, such as insurance and securities or brokerage subsidiaries
Who is protected by the privacy rule?
The privacy rule protects "consumers." All consumers receive the same privacy protections.
However, a subset of consumers defined as customers must receive certain disclosures, such as an annual privacy notice, that need not be provided to consumers who are not customers.
Thus, it is important to know the distinction between consumers and customers to understand the different disclosure requirements under the privacy rule.
Consumer: Any individual who is seeking to obtain or has obtained a financial product or service from a bank for personal, family, or household purposes is a consumer of that bank. The definition of consumer includes individuals who:
- apply for a financial product or service (e.g., a loan or a deposit account) for personal, family, or household purposes
- actually obtain a financial product or service (e.g., a loan or a deposit account) for personal, family, or household purposes
Additional guidance regarding the customer relationship can be found in the Supplemental Information (the preamble) of the rule, which notes that a continuing relationship is established "where a consumer typically would receive some measure of continued service following, or in connection with, a transaction." See page 35168, Federal Register, Vol. 65, No. 106.
The next diagram depicts the relationship between all individuals who do business with a bank and those who meet the regulatory definitions for consumers and customers. As the diagram shows, only a portion of the individuals who conduct business with a bank are consumers under the privacy rule. For example, individuals are not considered consumers under this rule if they are commercial clients, grantors or beneficiaries of trusts for which the bank is trustee, or participants in an employee benefit plan that the bank sponsors.
What type of information is protected by the privacy rule?
The rule identifies three primary categories of information:
- publicly available information
- personally identifiable financial information
- nonpublic personal information
- Publicly available information is any information a bank reasonably believes is lawfully publicly available. The nature of the information, not the source of the information, determines whether it is publicly available information for purposes of the privacy rule. For example, even if a bank obtains customers' telephone numbers or the assessed value of their residences directly from the consumers, this information will be considered publicly available if the bank has a reasonable basis to believe the information could have been lawfully obtained from a public source. A reasonable belief exists if a bank has determined that (a) the information is of the type that is generally available to the public and (b) the individual has not blocked such information from public disclosure. This means, for example, that a bank can consider a customer's phone number to be publicly available, but only if the bank takes steps to determine the phone number is not unlisted.
- Personally identifiable financial information is any information a bank collects about a consumer in conjunction with providing a financial product or service. This includes:
- information provided by the consumer during the application process (e.g., name, phone number, address, income)
- information resulting from the financial product or service transaction (e.g., payment history, loan or deposit balances, credit card purchases)
- information from other sources about the consumer obtained in connection with providing the financial product or service (e.g., information from a consumer credit report or from court records)
- Nonpublic personal information, the category of information protected by the privacy rule, consists of:
- Personally identifiable financial information that is not publicly available information; and
- Lists, descriptions, or other groupings of consumers that were either
- created using personally identifiable financial information that is not publicly available information, or
- contain personally identifiable financial information that is not publicly available information.
For example, in jurisdictions where mortgage documents are public records, a list of the names and addresses of all individuals for whom a bank holds a mortgage would not be nonpublic personal information, since it was generated using publicly available information and contains only publicly available information. The list would become nonpublic personal information, however, if it contained current loan balances or if it was generated using only those customers with current mortgage loan balances in excess of a certain amount.
Who are nonaffiliated third parties?
The privacy rule restricts information sharing with nonaffiliated third parties. The rule defines nonaffiliated third parties as persons or entities except affiliates and persons jointly employed by a bank and a nonaffiliated third party. Affiliates generally include a bank's subsidiaries, its holding company, and any other subsidiaries of the holding company. See Section 332.3(a), Section 332.3(d), and Section 332.3(g).
The privacy rule does not impose limitations on information sharing with affiliates. It does, however, require disclosure of such information sharing policies and practices. (Note: The rules governing the sharing of information between a bank and its affiliates are set forth in the Fair Credit Reporting Act.)
Although the privacy rule most commonly uses the term "nonaffiliated third parties," there are some instances in which a distinction is made between nonaffiliated financial institutions and all other nonaffiliated third parties. Readers should pay particular attention to these distinctions. See Section 332.13.