We allow our customers to opt out of personal information sharing verbally or in an email. When a customer makes a verbal request to opt out, our frontline staff sends an email to notify our back office. Our compliance team reviews both these emails and a report from our core system on customers who have opted out when reviewing our privacy procedures. We recently discovered that when a customer opens an account (which we require to be done in person), our frontline staff can note an opt-out request in our core system — removing the need to send an email to our back office. However, our core system does not record the date of the opt-out request. How should our compliance team review our privacy procedures if we don’t have a record of the date a verbal opt-out request was made? We are aware that Regulation P does not require banks to retain documentation of a customer’s opt-out request.

If you are unable to record the date of an opt out direction in your core system, we recommend continuing your practice of having frontline staff send an email to your back office to document the date of the customer’s opt out direction.

Regulation P requires you to “comply with a consumer’s opt out direction as soon as reasonably practicable after you receive it.” Consequently, although Regulation P does not require you to retain documentation of a customer’s opt out direction, we recommend doing so for purposes of your internal review, so that your compliance team can determine whether you are complying with customers’ opt out directions in a timely fashion.

Alternatively, your bank could require customers to opt out in writing, for example by requiring customers to check a box on a form provided with the opt out notice or use a reply form that can be mailed to your bank. Regulation P permits you to designate how customers provide an opt out direction — provided the means is reasonable for each consumer.

For resources related to our guidance, please see:

  • Regulation P, 12 CFR 1016.7(g) (“You must comply with a consumer’s opt out direction as soon as reasonably practicable after you receive it.”)
  • Regulation P, 12 CFR 1016.7(a)(1) (“Form of opt out notice. If you are required to provide an opt out notice under § 1016.10(a), you must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under that section. The notice must state:

(i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;

(ii) That the consumer has the right to opt out of that disclosure; and

(iii) A reasonable means by which the consumer may exercise the opt out right.”)

  • Regulation P, 12 CFR 1016.7(a)(2)(ii) (“Reasonable opt out means. You provide a reasonable means to exercise an opt out right if you:

(A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;

(B) Include a reply form together with the opt out notice that, in the case of financial institutions described in § 1016.3(l)(3) of this part, includes the address to which the form should be mailed;

(C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your Web site, if the consumer agrees to the electronic delivery of information; or

(D) Provide a toll-free telephone number that consumers may call to opt out.”)

  • Regulation P, 12 CFR 1016.7(a)(2)(iv) (“Specific opt out means. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.”)