Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-migrate-db domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /srv/app/gotoiba-dev/htdocs/web/wp-includes/functions.php on line 6121
Our website has a privacy policy, but the mortgage area of our website is run by a third party vendor. Should our privacy policy also appear on the third party’s website? – IBA Compliance Connection

IBA Compliance Connection

Your go to source for compliance!

Our website has a privacy policy, but the mortgage area of our website is run by a third party vendor. Should our privacy policy also appear on the third party’s website?

by

First, we must clarify that there are two types of “privacy policies”:

  1. The initial and annual notices of your privacy policy required by the federal privacy regulations (under the Gramm-Leach-Bliley Act), which applies to all uses of nonpublic personal information (the “GLBA privacy notice”)
  1. A website privacy notice, which applies only to the use of customer information by the website (“website privacy notice”)

We are not aware of a requirement that a bank post either the GLBA privacy notice or a website privacy notice on its websites, nor are we aware of any specific requirements that would apply to a bank’s website privacy notice.

With that said, banking regulators strongly encourage banks to post their GLBA privacy notices on their websites. (See the FFIEC IT Examination Manual E-Banking Booklet, Customer Privacy and ConfidentialityAppendix A: Examination Procedures.) Because regulators expect the GLBA privacy notice to be posted on a bank’s website, we would recommend also posting it on the mortgage website, even though it is maintained by a third party on behalf of your organization.

Because the third party that manages your bank’s mortgage website would be considered a “technology service provider” (TSP), you may also want to review the FFIEC’s recently updated IT Booklet on Supervision of Technology Service Providers (TSP) and the recently released Interagency Guidelines on the Implementation of Interagency Programs for the Supervision of Technology Service Providers (pdf).