Our privacy notice currently states that for Illinois customers, we will not share their personal information for marketing purposes “without your authorization.” Our account agreement does not consent to disclosure. We are aware of an Illinois Department of Financial and Professional Regulation (IDFPR) interpretive letter stating that Illinois law does not require banks to provide customers with “a specific method to authorize disclosure or to opt in” and that banks are not prohibited from “incorporating a customer’s consent to disclosure into the terms of an account or loan agreement” — provided the customer is given a reasonable opportunity to opt out. If our account agreements do not contain such terms, is our privacy notice sufficient to prove the customer’s “opt in” to disclosure of their personal information?

No, we do not believe notifying a customer at account opening that you will not share their personal information with nonaffiliates is sufficient to prove that a customer has opted in to disclosure of their personal information.

As you noted, IDFPR Interpretive Letter 01-01 clarifies that the privacy protections in the Illinois Banking Act do “not require that a bank provide its customer a specific method to authorize disclosure or to opt in” to having their personal information shared with nonaffiliates. However, we believe that an opt-in would require some agreement by the customer (in the example provided in the IDFPR letter, the customer agrees by signing the account agreement that incorporates the consent to disclosure). The privacy disclosure that you described is insufficient to prove a customer’s consent, both because it states only that you will not be disclosing to nonaffiliates without disclosing information sharing outside of that context, and also because the privacy disclosure does not require the customer’s signature or other method of agreement.

For resources related to our guidance, please see:

  • IDFPR, Interpretive Letter 01-01 (“Another distinction between Section 48.1 and the federal regulations is the method through which a customer exercises his or her right to opt in or opt out. . . . In contrast to the federal regulations, Section 48.1 does not require that a bank provide its customer a specific method to authorize disclosure or to opt in. For instance, Section 48.1 does not prohibit banks from incorporating a customer’s consent to disclosure into the terms of an account or loan agreement. However, if a bank chooses to use such a method to obtain a customer’s consent pursuant to Section 48.1, it must also comply with the federal regulations by providing the customer with a reasonable opportunity to exercise the right to opt out. Thus, if a customer opts in when a customer relationship is established, the bank may only begin sharing information if and when the customer chooses not to exercise his or her right to opt out provided by the federal regulations.”)
  • Illinois Banking Act, 205 ILCS 5/48.1(c) (“Except as otherwise provided by this Act, a bank may not disclose to any person, except to the customer or his duly authorized agent, any financial records or financial information obtained from financial records relating to that customer of that bank unless:  (1) the customer has authorized disclosure to the person . . .”)
  • Illinois Banking Act, 205 ILCS 5/48.1(b)(15) (“This Section does not prohibit . . . The exchange in the regular course of business of information between a bank and any commonly owned affiliate of the bank, subject to the provisions of the Financial Institutions Insurance Sales Law.”)
  • IDFPR, Interpretive Letter 01-01 (“Section 48.1(c) of the Act generally requires a state bank to obtain the consent of its customer before that customer’s financial information may be disclosed; an affirmative act by the customer. In contrast, the federal privacy regulations require only that consumers be given notice and the opportunity to opt out of disclosures; inaction equals assent. The affirmative authorization required by Section 48.1 clearly provides enhanced protection to customers of state banks and should not be preempted by the federal privacy regulations.”)