Topic: Privacy
-
Are we allowed to pay a referral fee for referrals of consumer loans that are not secured by real estate?
—
We are not aware of any prohibitions on paying referral fees related to unsecured consumer loans. The Real Estate Settlement Procedures Act of 1974 (RESPA) prohibits kickbacks for referrals of real estate settlement services for “federally related mortgage loans,” which are defined as first or subordinate liens on residential real property designed for the occupancy…
-
Our bank’s legal name (but not our ownership) will change in 2022, and our current name will become a division of the new bank name. We will be notifying our customers of the change well in advance. Will we need to send revised account disclosures and privacy notices to our customers, and if so, what are the timing requirements? Can you recommend any guidance or resources that address compliance considerations with respect to name changes? Also, what type of notification is required if we decide to change the bank’s main office or corporate headquarters?
—
We do not believe you are required to send customers revised account disclosures and privacy notices when only your bank’s name is changing. However, if your bank’s main office is changing, you must seek federal and state approval and publish notice of the change. For consumer savings accounts, Regulation DD requires you to provide advance…
-
We are an out-of-state bank that purchased an Illinois bank, which will merge into our bank. Do we need to send mortgage transfer notices as required by the Illinois Banking Act to mortgage customers from the Illinois bank if the only thing that will be changing for them is the name of the institution they will be corresponding with? We will continue receiving and processing mortgage payments at the same location and phone number. Or does Illinois law not apply since we are an out-of-state bank?
—
We believe that your bank is required to send transfer notices for residential mortgage financing transactions under the Illinois Banking Act, in addition to potentially sending notices under Regulation X and Regulation Z, as well as Regulation P. Under the Illinois Banking Act, any bank making residential mortgage financing transactions is required to send written…
-
Are we required to retain undeliverable mail that has been returned by the post office? If so, what kind of mail should we be retaining and for how long? We have read that if we can reproduce the mailing (such as an account statement) on request, then we can shred it immediately.
—
Disclaimer: The Electronic Commerce Security Act (ECSA) was repealed and replaced with the Uniform Electronic Transaction Act (UETA), effective June 25, 2021. Please note that this change may affect the continued accuracy of this guidance as it pertains to the ECSA. We are unaware of any recordkeeping requirements specifically for mail that has been sent to…
-
Can we post a summary of our privacy policy in our lobby or should we post our current privacy notice in full to fulfill our signage requirements?
—
We are not aware of a requirement in Illinois or federal law to post signage containing your privacy policy in bank lobbies. While you are required to provide adequate notice of your customer identification program (CIP), which many banks fulfill by posting a CIP notice in their lobbies, the privacy requirements in Regulation P do…
-
Our privacy notice currently states that for Illinois customers, we will not share their personal information for marketing purposes “without your authorization.” Our account agreement does not consent to disclosure. We are aware of an Illinois Department of Financial and Professional Regulation (IDFPR) interpretive letter stating that Illinois law does not require banks to provide customers with “a specific method to authorize disclosure or to opt in” and that banks are not prohibited from “incorporating a customer’s consent to disclosure into the terms of an account or loan agreement” — provided the customer is given a reasonable opportunity to opt out. If our account agreements do not contain such terms, is our privacy notice sufficient to prove the customer’s “opt in” to disclosure of their personal information?
—
No, we do not believe notifying a customer at account opening that you will not share their personal information with nonaffiliates is sufficient to prove that a customer has opted in to disclosure of their personal information. As you noted, IDFPR Interpretive Letter 01-01 clarifies that the privacy protections in the Illinois Banking Act do “not…
-
A customer asked to deposit several checks totaling more than $5,000 and then requested that the funds be wired out. The customer claimed to be helping a friend, but we suspect they may be involved in a money mule scheme. Our primary regulator is the FDIC, and we are familiar with the steps for filing a suspicious activity report (SAR) but would like to know who in addition to FinCEN we should contact regarding this matter. Is it appropriate to alert local law enforcement, and is there a hotline we should call? We do not want to provide information we are prohibited from disclosing.
—
In addition to FinCEN, we believe it would be appropriate to alert local law enforcement, your local FBI field office, and your FDIC regional office of a suspected money mule scheme. The FDIC’s SAR rules direct banks to file a SAR “with the appropriate federal law enforcement agencies and the Department of Treasury in accordance…
-
How must subpoenas be served on financial institutions? Should we accept a subpoena only if it is served via certified mail, and how should we respond if a subpoena is sent via fax or email? Also, for civil matters such as a divorce proceeding, are we required to wait a certain number of days before sending documents to the requesting party? Must we give our customer time to quash the subpoena, if necessary?
—
In Illinois, a subpoena may be served by personal service or by certified or registered mail. Consequently, we do not believe you are required to respond to a subpoena served via fax or email. The Illinois Banking Act requires banks to mail a copy of a subpoena to a customer before responding, “unless the bank…
-
We are merging with another institution which is owned by our bank holding company and are changing our bank name. We need to update our privacy notice to change our bank’s name, but we will not be making any other changes. Do we need to send a revised privacy notice when the only change is the bank’s name?
—
No, we do not believe your bank is required to send a revised privacy notice to customers when the only change to the notice is the bank’s name. Regulation P requires banks to provide a revised privacy notice before disclosing any nonpublic personal information about a consumer other than as described in its current privacy…
-
Does the Taxpayer First Act (TFA) apply only to customers who complete Form 4506-T, providing consent to us obtaining a copy of their tax return information directly from the IRS, or does it also apply to the redisclosure of information received directly from the taxpayer? Also, does the TFA apply to commercial loan participations when we share the taxpayer’s information with participating banks? If so, should we provide a written disclosure to commercial loan applicants requesting they consent to the sharing of financial information with other financial institutions for loan participation purposes?
—
The TFA’s consent requirement applies only to tax return information provided by the IRS. It does not apply to the redisclosure and use of information received directly from the taxpayer. However, a customer’s tax return information remains subject to financial privacy laws, which may require the customer’s consent before disclosure to a third party, unless…