Topic: Privacy
-
Our bank inadvertently released bank statements to the wrong customers. We plan to notify the affected customers, but do we also have to notify our regulators?
Yes, we recommend notifying your regulators pursuant to Interagency Guidance regarding unauthorized access of customer information. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice requires banks to establish a security breach response program that contains procedures for notifying their primary Federal regulator as soon as possible “when the institution…
-
Our bank shares nonpublic personal information with nonaffiliated financial companies pursuant to a joint marketing agreement and also reports credit information to a credit bureau. Our privacy policy has not changed for three years. What are our privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA)?
You must provide initial privacy policy disclosures, including that you share customer information with nonaffiliated third parties pursuant to a joint marketing agreement. However, you are exempt from GLBA’s annual privacy notice requirement, subject to the discussion below. The GLBA requires financial institutions to provide initial privacy policy disclosures to new customers and re-disclose their…
-
We originate some mortgage loans with properties and/or borrowers located outside of Illinois. Does our privacy notice need to include privacy requirements for each state? If yes, do you know of a resource on state privacy laws?
It is conceivable that another state’s financial privacy law would apply to a mortgage loan made by an Illinois bank, requiring you to provide information about that state’s law on your annual privacy notice. Whether another state’s law applies to a mortgage loan is a complicated question that will depend on the circumstances of each…
-
Under the FAST Act’s changes to the annual privacy notice requirements, our understanding is that we are not required to send customers the Privacy Notice OR give them notice (for example, on periodic statements) as long as we meet the two conditions. Is that correct? Our privacy notice has not changed, and we share information only for joint marketing purposes with another financial institution (and we don’t share information with affiliates under the FCRA).
Yes, your bank is exempt from the annual privacy notice requirement and Regulation P’s alternative delivery method requirements under the FAST Act’s amendment of the Gramm-Leach-Bliley Act (GLBA). Regulation P permits financial institutions meeting several preconditions to comply with the annual privacy notice delivery requirement by using an “alternative method” — posting the notice on…
-
We recently learned that the FAST Act eliminated the annual privacy notice requirements under certain conditions. Does that also eliminate the requirement that we notify customers that the annual privacy notice is available?
Yes, banks that are exempt from the annual privacy notice requirement under the FAST Act’s amendment of the Gramm-Leach-Bliley Act (GLBA) also are exempt from Regulation P’s alternative delivery method requirements. Regulation P permits financial institutions meeting several preconditions to comply with the annual privacy notice delivery requirement by using an “alternative method” — posting…
-
Our local police department called us to request a customer’s financial records. What do we need to receive from the police before disclosing those records?
We recommend requesting that the police department produce a subpoena or court order for the disclosure of your customer’s financial records. In general (there are several exceptions which do not appear to apply here), federal law and the Illinois Banking Act authorize you to furnish a customer’s financial records to a third party, including a…
-
We received a subpoena from the Illinois Department of Human Services. It requests documents about a particular customer, using his social security number. Ordinarily, the subpoenas that we receive include an authorization from the local circuit court. Should we respond to this subpoena, or should we request further documentation before responding?
We recommend obtaining more information before responding to the subpoena. The Department of Human Services Act expressly grants subpoena powers to the Inspector General (the office that investigates allegations of abuse, neglect or financial exploitation). The Act does not require subpoenas to be authorized by a county court. However, in this case, the subpoena does…
-
We are preparing to change our privacy notice from not sharing with an affiliate to sharing with an affiliate. We would like to accept opt-outs only through a reply form. Can we put “N/A” in lieu of providing our telephone number and web address? Can you verify that Illinois law does not require an opt-out period of more than 30 days from sending the notice? Does Illinois law exempt commonly-owned affiliates from the opt-in requirement? Does federal law exempt information that is not about creditworthiness from the opt-out requirement?
Yes, we believe that you may enter “N/A” in lieu of providing a telephone number or internet website for opt-out purposes, since you are providing a reply form as a reasonable means for a customer to exercise the opt-out right. If you are comfortable with modifying the model forms, which is permitted under Regulation P,…
-
The TRID rules permit us to remove certain seller information from the Closing Disclosure that we provide to the buyer. However, the rules do not permit us to remove some of the seller’s information, such as the amount paid for a broker’s commission and home inspection and home warranty fees. Doesn’t the inclusion of that information violate the seller’s privacy rights?
We do not believe that sharing limited information about the seller in the Closing Disclosure for a consumer mortgage transaction will create any privacy issues, primarily for two reasons. First, the financial privacy protections under state and federal law apply only to a customer who has obtained a financial product or service from you. Because…
-
Would we violate a customer’s privacy rights by providing a copy of the customer’s Closing Disclosure to the seller and the seller’s realtor in advance of the closing (so that they can check it for accuracy)?
Yes, we believe it would violate your customer’s privacy rights if your bank were to provide a full Closing Disclosure to the seller, unless your customer agrees to providing this disclosure. Alternatively, the TRID rules provide a modified Closing Disclosure form that redacts certain personal financial information of the buyer for purposes of providing to…