Topic: Privacy
-
Where do we send the FCRA/ECOA adverse notice if the applicant is a business and we also pull credit reports for the individual business owners? Are there any privacy concerns for co-applicants who receive another co-applicant’s information on an adverse action notice?
—
We recommend sending a combined ECOA/FCRA adverse action notice to the primary applicant, which in this case would be the business itself. In addition, we recommend sending FCRA adverse action notices to any individuals whose consumer credit reports you pulled, such as co-applicants, guarantors, and the business owners. Under the Equal Credit Opportunity Act (ECOA)…
-
Our last privacy notice disclosed that we share information with an affiliate, but we recently merged with the affiliate and do not share information with any other affiliates. Can we still use the alternative delivery method to provide our annual privacy notices online?
—
We believe that you may be able to use the alternative delivery method of providing the annual privacy notice, because the removal of an entire category of parties with which you share information does not disqualify you from using the alternative delivery method. To be eligible for the alternative delivery method, you must meet several…
-
We have an account holder who passed away and had a payable-on-death account. He had several beneficiaries, and we are wondering if the beneficiaries are entitled to the last three months of statements while the account holder was alive.
—
The Illinois Trust and Payable on Death Accounts Act (Act) only addresses the authority for financial institutions to distribute the proceeds of a payable-on-death (P.O.D.) account upon the owner’s death and is silent on whether the institution may distribute account statements that were issued when the account owner was alive. As explained below, however, you may…
-
We feature customers and announce their birthdays and wedding anniversaries in our bank’s in-house newsletter. We have the customer’s permission, but not in writing. At a recent compliance examination, the examiners said publishing the birthdays is disclosing personally identifiable information.
—
We agree that including customer names and their birthdays in your in-house newsletter is a disclosure of personal information that is protected by both federal privacy law (the Gramm-Leach-Bliley Act and its implementing regulation, Regulation P) and state privacy law (Section 48.1 of the Illinois Banking Act). We note that both laws provide an exception…
-
Can we mail out a solicitation to our business customers’ customers? For example, our customer, XYZ Company, received a check from ABC Company. Can we pull the mailing address off of the ABC Company check and use that to mail solicitations?
—
We strongly caution you to exercise caution before adopting this practice, as it runs the risk of violating Illinois privacy law. The Illinois Banking Act’s privacy provisions prohibit banks from disclosing certain customer information to third parties without the customer’s consent. 205 ILCS 5/48.1(c)(1). The customer information protected by the Illinois Banking Act includes “any…
-
We are considering entering into a joint marketing agreement with a credit card company. If we comply with the joint marketing exception under federal law, will we be in compliance with Illinois law?
—
Yes. If you are complying with the joint marketing agreement exception under the federal privacy regulations, you will be in compliance with Illinois law. As you noted, the Illinois Department of Financial and Professional Regulation (IDFPR) released an interpretive letter in 2001, Interpretive Letter 01-01, which details how federal and Illinois financial privacy laws interact,…