No, we do not believe there would be privacy concerns associated with providing the stolen check and noncustomer’s ID to law enforcement authorities.
Federal and Illinois privacy laws protect “financial records” and “personally identifiable financial information.” These terms are defined broadly, and include your customer’s information, which could be found on the stolen check, and the fact that they are a customer of your bank. Under federal law, “personally identifiable financial information” also could include a noncustomer’s information, such as the noncustomer’s ID, if a noncustomer has obtained a financial product or service from your bank. However, the Illinois Banking Act does not prohibit the furnishing of such information to law enforcement authorities where the bank reasonably believes it has been the victim of a crime. Regulation P similarly permits the disclosure of a customer’s financial information “[t]o protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.”
For resources related to our guidance, please see:
- Illinois Banking Act, 205 ILCS 5/48.1(a) (“For the purpose of this Section, the term ‘financial records’ means any original, any copy, or any summary of: . . . (4) any other item containing information pertaining to any relationship established in the ordinary course of a bank’s business between a bank and its customer, including financial statements or other financial information provided by the customer.”)
- Regulation P, 12 CFR 1016.3(p)(1)(i) (“Nonpublic personal information means . . . Personally identifiable financial information . . . .”)
- Regulation P, 12 CFR 1016.3(q)(2)(i)(C) (“Personally identifiable financial information includes . . . The fact that an individual is or has been one of your customers or has obtained a financial product or service from you. . . .”)
- Illinois Banking Act, 205 ILCS 5/48.1(b)(7) (“This Section does not prohibit: . . . (7) The furnishing of information to the appropriate law enforcement authorities where the bank reasonably believes it has been the victim of a crime.”)
- IDFPR Interpretive Letter 01-01 (March 9, 2001) (“Section 15 provides several other exceptions to the notice and opt-out provisions, including disclosures of information to fiduciaries or representatives of the customer or disclosures made to protect against fraud and unauthorized transactions. Although Section 48.1 of the Act does not explicitly include these exceptions to its opt in requirement, the exceptions enumerated in the federal regulations are consistent with the purpose of Section 48.1 of the Act. Thus, we believe that a state bank need not obtain a customer’s authorization to make disclosures permitted by one of the exceptions contained in Subpart C of the federal regulations.”)
- Regulation P, 12 CFR 1016.15(a) (“The requirements for initial notice in § 1016.4(a)(2), for the opt out in §§ 1016.7 and 1016.10, and for service providers and joint marketing in § 1016.13 do not apply when you disclose nonpublic personal information: . . . (2) . . . (ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. )