We strongly caution you to exercise caution before adopting this practice, as it runs the risk of violating Illinois privacy law. The Illinois Banking Act’s privacy provisions prohibit banks from disclosing certain customer information to third parties without the customer’s consent. 205 ILCS 5/48.1(c)(1). The customer information protected by the Illinois Banking Act includes “any other item containing information pertaining to any relationship established in the ordinary course of a bank’s business between a bank and its customer.” As stated by the Illinois Department of Financial and Professional Regulation (IDFPR), this category of customer information includes the fact that a customer is or has been a customer of your institution. Interpretive Letter No. 01-01 (March 9, 2001), page 4. The IDFPR letter also notes that, unlike federal law, the Illinois law applies to all customers, including businesses as well as consumers (page 4).
We believe that the businesses that receive solicitations from your institution very likely could determine how your institution obtained their mailing addresses, particularly if your institution has not had any other contacts with the business. We can envision several scenarios in which a solicitation might disclose your customer’s identity. For example, if one of the solicited businesses only writes checks to one of your customers, it is possible that the business will make the connection and determine that your institution obtained its mailing address from that customer. As a result, sending solicitations to those businesses would reveal the fact that your customer is a customer of your bank, which we believe would violate the Illinois Banking Act’s prohibition on disclosing customer information without the customer’s consent.