We are not aware of any federal or state laws or rules that would directly apply in this case. However, your arrangement should be structured to comply with Illinois and federal financial privacy laws, and we recommend that your employees be properly trained and aware of the privacy rules with respect to the arrangement. Particularly important is the prohibition on disclosing bank customer information without the customer's consent. Even the fact that an individual is your customer is considered to be protected information, and the presence of the business in your lobby might prompt your examiners to raise this question. For this reason, it may be advisable to consult with your prudential regulator (here, the IDFPR) before proceeding.
We also note that the FDIC Guidance for Managing Third-Party Risk applies to any “business relationship.” Although many aspects of this guidance do not necessarily apply to your proposed arrangement, we would recommend reviewing the guidance for its discussion on performing a risk assessment and reviewing your agreement with the business. We also would recommend closely monitoring the business's activities while it is on location at your bank.
For resources related to our guidance, please see below:
- Regulation P, 12 CFR 1016.3(q)(2)(i)(C) (personally identifiable financial information includes “the fact that an individual is or has been one of your customers or has obtained a financial product or service from you”)
- FDIC Guidance for Managing Third-Party Risk (“For purposes of this guidance, the term ‘third party’ is broadly defined to include all entities that have entered into a business relationship with the financial institution . . . .”)