Topic: Privacy
-
Are there any customer privacy issues if a state-chartered bank files a complaint containing customer information with the OCC about a national bank that is failing to cooperate in resolving a check fraud issue?
No, we do not believe there would be privacy issues associated with sharing customer information with the OCC as part of a complaint about a national bank. The financial privacy provisions in the Illinois Banking Act do not prohibit banks from furnishing financial records to any officer, employee, or agent of the OCC, Federal Reserve,…
-
Our core processor notified us that we needed to update our mobile banking app privacy notice to alert customers that the app may access information stored on their device, such as their location, contacts, and camera. Apparently, Google requires these additions. We added this information to the “What?” box on the first page of the Regulation P model privacy form, which our processor said was appropriate. However, Laser Pro has informed us that adding this information exceeds the character limit for the “What?” box, and we should instead add the information to the “Other important information” box on page 2 of the model form. Is it permissible to add this information to the “What?” box, and would we still be protected by Regulation P’s safe harbor?
We do not believe this information should be added to Regulation P’s model privacy form in the “What?” box or “Other important information” box. We believe that the Regulation P privacy policy may be modified only in ways specified in the rule in order for the safe harbor to remain effective. Instead, we recommend adding…
-
Our bank requires non-customers to provide a thumbprint when cashing an on-us check. Is a thumbprint considered “biometric information” under the Illinois Biometric Information Privacy Act (BIPA)? If so, are we required to comply with BIPA’s provisions?
While BIPA protects biometric identifiers (including fingerprints), it fully exempts financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA). Consequently, we do not believe your financial institution is required to comply with BIPA’s provisions. We also note that the Illinois Personal Information Protection Act (PIPA) requires banks to implement and maintain reasonable security measures…
-
We recently updated our deposit account terms and conditions. We are trying to avoid having to send our customers the entire document or a separate change in terms notice. Can we post the updated terms and conditions on our website with changes highlighted and include a message in our customers’ statements saying they can visit our website for the updated terms and conditions? The message also would say that customers can request a printed copy.
It is unlikely that you will be able to fulfill your notice requirements by posting updated terms and conditions on your website if your updated deposit account terms affect any of the notice requirements under Regulation CC, Regulation E, Regulation DD, or Regulation P. These regulations do allow electronic disclosure if certain requirements are met,…
-
We received a message through the Social Security Administration (SSA)’s online system asking us to verify whether an individual has a deposit account with us. The individual is a customer of ours, but we are not sure whether we should disclose this information. The SSA’s message says that our customer has consented to the release of this information in accordance with the Right to Financial Privacy Act, but the customer’s signature is not included. Instead, the SSA’s message states that our customer’s signature is on file.
We do not recommend disclosing the fact that your customer has a deposit account with your bank without receiving a signed and dated statement from your customer authorizing the disclosure that complies with the Right to Financial Privacy Act’s requirements. The Right to Financial Privacy Act prohibits federal government authorities from accessing information contained in…
-
Our bank wants to offer existing customers a minimal referral bonus if they bring someone in who opens a new checking account that remains open for a specified minimum time period. Is there any guidance on advertising such a bonus? Also, are there any associated IRS reporting requirements?
We are not aware of any guidance specific to advertising a checking account referral program for existing customers. We note that Regulation P’s privacy requirements generally prohibit your bank from disclosing “the fact that an individual is or has been one of your customers or has obtained a financial product or service from you.” To…
-
A noncustomer presented a blank check to our bank. We flagged it before it was cashed and found out it was stolen from one of our customers. We have the original check and the noncustomer’s ID. Would there be any privacy concerns associated with providing law enforcement with these items?
No, we do not believe there would be privacy concerns associated with providing the stolen check and noncustomer’s ID to law enforcement authorities. Federal and Illinois privacy laws protect “financial records” and “personally identifiable financial information.” These terms are defined broadly, and include your customer’s information, which could be found on the stolen check, and…
-
Our bank wants to implement a chatbot for routine customer interactions and general inquiries. Is there any guidance on what a chatbot can and cannot say? Are there any compliance concerns we should be aware of? For how long do we need to retain the chat scripts?
We are not aware of any federal or state guidance specifying what a chatbot can and cannot say to a customer. The federal banking agencies issued a request for information on financial institutions’ use of artificial intelligence, including chatbots, in March 2021 (with descriptions of some of the related risks), but they have not followed…
-
We have an elderly deposit customer who we believe is gambling away most of their money, and we do not believe the gambling is the result of financial exploitation by a third party. We are worried that the customer may apply for a loan that they would be unable to repay because of their gambling. Can we report their gambling to a family member, or would this violate our customer’s financial privacy? Also, would we have a legitimate reason to deny their loan? On paper, this customer would qualify for a loan since their house is paid off and they have repaid their previous loans.
No, we do not believe you may report your customer’s gambling to a family member, as this would violate Illinois and federal financial privacy protections. The Illinois Banking Act and Regulation P prohibit the disclosure of a customer’s financial records or financial information to a third party, unless an exception applies. Although there are exceptions…