We are adding a wealth management division that will be an affiliate of our institution, with a broker who will be a dual employee of the bank and a nonaffiliated investment company. How should we handle sharing customer information with the employee and other privacy issues?

If the dual employee will be sharing your customers’ information with the nonaffiliated investment company, we believe that you would have to comply with the federal privacy notice requirements and the Illinois opt-in requirements, described below. Since you have indicated that you are looking for a form for the Illinois opt-in requirement, we recommend posting the request on our Privacy online discussion forum at gotoiba.com.

Sharing information with the dual employee will not trigger the privacy requirements until the employee shares customer information with his or her other employer. The restrictions on sharing customer information do not apply to the dual employee (see 12 CFR 1016.3(o)(1)), but the restrictions do apply if you or the dual employee shares information with the nonaffiliated investment company for marketing purposes. See FDIC FAQs for the Privacy Regulation, Question J.4 (December 2001) (“providing customer information to a dual employee for purposes of marketing the insurance company’s products and services to your customers is deemed to be providing the information directly to the insurance company”).  

  • Federal Notice and Opt-Out Requirements: Under the federal regulations, the privacy requirements include an initial privacy notice and the option for the customer to opt out. 12 CFR 1016.10(a)(1). However, you may qualify for an exception from the opt-out requirement if your institution’s relationship with the investment company qualifies as a “joint marketing agreement.” 12 CFR 1016.13(a). The initial privacy notice requirement would still apply, and your agreement with the investment company would have to prohibit it “from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing” or as necessary under another exception to the privacy rules. 12 CFR 1016.13(a)(2); also see FDIC FAQs for the Privacy Regulation, Question J.4.
  • Illinois Opt-In Requirement: Under the Illinois Banking Act, you must obtain an opt-in from the customer before sharing private information with the investment company. It states that “a bank may not disclose to any person . . . any financial records or financial information . . . unless: (1) the customer has authorized disclosure to the person.” 205 ILCS 5/48.1.

We recommend checking your account agreements to see if they have already incorporated an opt-in that satisfies the Illinois law’s requirements. As stated in an IDFPR Interpretive Letter, Illinois law “does not prohibit banks from incorporating a customer’s consent to disclosure into the terms of an account or loan agreement.” (We recommend reading the Interpretive Letter in full, as it has a helpful discussion covering the overlapping Illinois and federal privacy requirements.)