Topic: Privacy
-
Our current privacy notice states that “our joint marketing partners may include financial services companies.” If we will be marketing credit card services under a joint marketing agreement, is that disclosure specific enough?
—
You may want to consider revising the privacy notice. As to joint marketing agreements, your disclosure should include “a separate statement of . . . the categories of third parties with whom you have contracted.” 12 CFR 1016.6(a)(5). The instructions for the model privacy notice suggest that this disclosure should be stated as follows:…
-
Because a few of our customers have identical TINs (00-0000000) in our online banking system, about two customers were able to view other customers’ online banking accounts, including their names and account numbers. Do we need to notify those customers?
—
Yes, both Illinois law and federal guidelines on data breach notifications require you to notify the affected customers. The specifics on the notification requirements are described below (note that nothing in either the Illinois law or federal guidelines prevents you from providing one notice that meets both laws’ requirements).
State Law Requirements
The situation…
-
We are adding a wealth management division that will be an affiliate of our institution, with a broker who will be a dual employee of the bank and a nonaffiliated investment company. How should we handle sharing customer information with the employee and other privacy issues?
—
If the dual employee will be sharing your customers’ information with the nonaffiliated investment company, we believe that you would have to comply with the federal privacy notice requirements and the Illinois opt-in requirements, described below. Since you have indicated that you are looking for a form for the Illinois opt-in requirement, we recommend posting…
-
One of our customers has taken out a car loan, and his father agreed to pledge his car as collateral for the loan. Can we provide loan information to the father, such as balances and late payments?
—
Yes, we believe that you can disclose information about the loan to a party who pledged collateral for the loan. There are two exceptions to the privacy requirements of Regulation P that may apply here. First, Regulation P permits banks to disclose account information to “persons holding a legal or beneficial interest relating to the…
-
Our mortgage loan software recently changed the font size it uses on initial privacy notices, so that the font size differs from the font size on our annual privacy notices. Is that a problem?
—
We are not aware of any rule that requires the font size in the initial privacy notice to be the same as the annual privacy notice. The privacy rules require that initial and annual privacy notices be “clear and conspicuous.” 12 CFR 1016.4(a)
-
We’re looking into sharing information with unaffiliated third parties and are researching privacy law. Does Illinois privacy law or federal privacy law apply? Do we have to collect customer opt-ins or allow for opt-outs?
—
Both Illinois and federal privacy laws apply to the sharing of information with unaffiliated third parties. Your institution needs to comply with both the federal opt-out requirement and the Illinois opt-in requirements. The Illinois Department of Financial and Professional Regulation (IDFPR) has issued an Interpretive Letter that explains the relationship between the Illinois and federal privacy…
-
One of our loan customers makes payments through an ACH agreement with the customer’s employer, and the customer incurred a late fee due to a payroll issue at the employer. The employer agreed to pay the customer’s late fee, but the customer requested a larger refund than the actual cost of the late fee. Can we disclose the amounts of the customer’s late fee without violating any privacy laws?
—
After reviewing Illinois and federal privacy law, it looks like the bank’s disclosure of the customer’s personal financial information could fall into an exception for disclosing such information to protect against fraud, and it also may fall into an exception for disclosing information in connection with processing a customer’s transactions. Both federal and Illinois privacy…
-
One of our employees is speaking at an event for small business owners and wants to discuss some of the small business customers he serves, with their permission. Would any financial privacy laws prohibit us from revealing these customer relationships to the outside world?
—
Both Illinois and federal privacy laws include exceptions for revealing a customer’s financial information with the customer’s consent. Under the federal law, Regulation P includes an exception to the prohibition on disclosing “nonpublic personal information” when done so “[w]ith the consent or at the direction of the consumer, provided that the consumer has not revoked…
-
We recently responded to a subpoena by providing financial records about a customer. Now, this customer is contesting the subpoena and claims that we violated the Right to Financial Privacy Act. Is this a data breach incident that we need to report?
—
Privacy Laws
First, we disagree with your customer that responding to a subpoena with financial information violated your customer’s privacy rights. Both Illinois and federal privacy laws include exceptions for responding to subpoenas with customers’ financial information. Under Regulation P, a financial institution may disclose a customer’s information “to comply with a properly authorized .…
-
We’ve been giving disclosures to loan customers about homeowners insurance. An Illinois law, 215 ILCS 5/1412, says that if we are a financial institution and offer insurance (either directly or through an affiliate), we have to give an affiliated business disclosure. We had a close relationship with an insurance company at one time, but we do not currently have any affiliate or relationships with any insurance companies. Do we need to keep giving this notice to our customers?
—
We do not see any reason to disclose an affiliate relationship to customers after the affiliate relationship has ended. The Illinois law you cited, 215 ILCS 5/1412, requires disclosure to customers only if your institution offers insurance directly or through an affiliate. Since your institution does not currently offer insurance directly or through an affiliate,…