First, we must clarify that there are two types of “privacy policies”:
- The initial and annual notices of your privacy policy required by the federal privacy regulations (under the Gramm-Leach-Bliley Act), which applies to all uses of nonpublic personal information (the “GLBA privacy notice”)
- A website privacy notice, which applies only to the use of customer information by the website (“website privacy notice”)
We are not aware of a requirement that a bank post either the GLBA privacy notice or a website privacy notice on its websites, nor are we aware of any specific requirements that would apply to a bank’s website privacy notice.
With that said, banking regulators strongly encourage banks to post their GLBA privacy notices on their websites. (See the FFIEC IT Examination Manual E-Banking Booklet, Customer Privacy and ConfidentialityAppendix A: Examination Procedures.) Because regulators expect the GLBA privacy notice to be posted on a bank’s website, we would recommend also posting it on the mortgage website, even though it is maintained by a third party on behalf of your organization.
Because the third party that manages your bank’s mortgage website would be considered a “technology service provider” (TSP), you may also want to review the FFIEC’s recently updated IT Booklet on Supervision of Technology Service Providers (TSP) and the recently released Interagency Guidelines on the Implementation of Interagency Programs for the Supervision of Technology Service Providers (pdf).