In our view, reviewing the other party’s privacy policies in a merger or acquisition should be an integral part of each party’s respective due diligence process. The representations made in both organizations’ privacy policies remain effective after the acquisition, and the successor entity may need to reconcile differences between the predecessor banks’ terms and promises.
Notably, an FDIC Supervisory Insights article on Mergers and Acquisitions also observes that as part of the merger and acquisition planning process, a bank should “determine the impact on privacy policy provisions, including compliance with the Gramm–Leach–Bliley Act (GLBA) Privacy of Consumer Financial Information Rule and affiliate-sharing rules issued under FCRA.”
For resources related to our guidance, please see:
- FDIC Supervisory Insights, Mergers and Acquisitions: A Compliance Perspective (Summer 2013) (“Successful execution of mergers and acquisitions among financial institutions requires significant attention to detail, to ensure that the systems of the surviving institution function in a way that is consistent with laws, regulations, and safe-and-sound banking practice. A successful merger results in an integration of systems encompassing risk management, information technology, Bank Secrecy Act/anti-money laundering, and compliance with consumer protection laws and the Community Reinvestment Act.”)
- FDIC Supervisory Insights, Mergers and Acquisitions: A Compliance Perspective (Summer 2013) (“An effective merger due diligence process helps ensure the surviving institution’s consumer compliance posture is maintained during and after a merger or acquisition, as it gives the Board and senior management the information it needs to allocate personnel resources in compliance and operational areas.”)
- FDIC Supervisory Insights, Mergers and Acquisitions: A Compliance Perspective (Summer 2013) (“Table 1: Due Diligence Considerations as Part of the Merger- and Acquisition-Planning Process . . . Determine impact on privacy policy provisions, including compliance with the Gramm-Leach Bliley Act (GLBA) Privacy of Consumer Financial Information Rule and affiliate-sharing rules issued under FCRA.”)