Can we post a summary of our privacy policy in our lobby or should we post our current privacy notice in full to fulfill our signage requirements?

We are not aware of a requirement in Illinois or federal law to post signage containing your privacy policy in bank lobbies. While you are required to provide adequate notice of your customer identification program (CIP), which many banks fulfill by posting a CIP notice in their lobbies, the privacy requirements in Regulation P do not include a similar signage or notice requirement for your privacy policy.

Instead, Regulation P requires financial institutions to provide clear and conspicuous notice of their privacy policies in a form that can reasonably be expected to provide actual notice of the policy. Regulation P specifically states that posting signs with your privacy policy in branches and offices is an insufficient way to deliver actual notice to customers. Thus, regardless of whether your institution posts notice of its policy in full or in summary form, it must still fulfill its requirement under Regulation P to provide clear and conspicuous notice by delivering that notice in a different form.

For resources related to our guidance, please see:

  • FinCEN CIP Regulations, 31 CFR 1020.220(a)(5)(i) (“The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities.”)
     
  • FinCEN CIP Regulations, 31 CFR 1020.220(a)(5)(ii) (“Notice is adequate if the bank generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a notice in the lobby or on its Web site, include the notice on its account applications, or use any other form of written or oral notice.”)
     
  • Regulation P, 12 CFR 1016.4(a) (“You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:

(1) Customer. An individual who becomes your customer, not later than when you establish a customer relationship, except as provided in paragraph (e) of this section; and

(2) Consumer. A consumer, before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 1016.14 and 1016.15 of this part.”)

  • Regulation P, 12 CFR 1016.9(a) (“You must provide any privacy notices and opt out notices, including short-form initial notices, that this part requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.”)
     
  • Regulation P, 12 CFR 1016.9(b)(1) (“You may reasonably expect that a consumer will receive actual notice if you:

(i) Hand-deliver a printed copy of the notice to the consumer;

(ii) Mail a printed copy of the notice to the last known address of the consumer;

(iii) For the consumer who conducts transactions electronically:

(A) In the case of financial institutions other than those described in § 1016.3(l)(3) of this part, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or

(B) In the case of financial institutions described in § 1016.3(l)(3), clearly and conspicuously post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

(iv) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.”)

  • Regulation P, 12 CFR 1016.9(b)(2) (“You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

(i) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices

(ii) Send the notice via electronic mail to a consumer who does not obtain a financial product or service from you electronically.”)

  • Regulation P, 12 CFR 1016.9(c) (“You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:

(1) The customer uses your website to access financial products and services electronically and agrees to receive notices at the website, and you post your current privacy notice continuously in a clear and conspicuous manner on the website; or

(2) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.”)