Topic: Privacy
-
We allow our customers to opt out of personal information sharing verbally or in an email. When a customer makes a verbal request to opt out, our frontline staff sends an email to notify our back office. Our compliance team reviews both these emails and a report from our core system on customers who have opted out when reviewing our privacy procedures. We recently discovered that when a customer opens an account (which we require to be done in-person), our frontline staff can note an opt-out request in our core system — removing the need to send an email to our back office. However, our core system does not record the date of the opt-out request. How should our compliance team review our privacy procedures if we don’t have a record of the date a verbal opt-out request was made? We are aware that Regulation P does not require banks to retain documentation of a customer’s opt-out request.
If you are unable to record the date of an opt out direction in your core system, we recommend continuing your practice of having frontline staff send an email to your back office to document the date of the customer’s opt out direction. Regulation P requires you to “comply with a consumer’s opt out direction…
-
We are acquiring a bank and would like to know if we are required to provide the bank with our privacy policy as part of the merger booklet?
In our view, reviewing the other party’s privacy policies in a merger or acquisition should be an integral part of each party’s respective due diligence process. The representations made in both organizations’ privacy policies remain effective after the acquisition, and the successor entity may need to reconcile differences between the predecessor banks’ terms and promises.…
-
Will California be able to enforce the California Consumer Privacy Act (CCPA) notice rules against our bank if we have a customer who is a California resident? We do not have a physical presence in California.
Yes, the California Attorney General may be able to enforce the CCPA’s notice rules against your bank, depending on the following factors. Also, a California resident or a class of California residents conceivably could sue your bank for violations of the CCPA, even though it does not have a physical presence in that state. The…
-
We are considering using cookies on our website. Are we required to have a separate website privacy policy to disclose the use of cookies to visitors of our website, in addition to our general privacy policy under the Gramm–Leach–Bliley Act (GLBA)?
We are not aware of a requirement that a bank post either the GLBA privacy notice or a website privacy policy on its website. However, we do recommend adopting and posting a website privacy policy that describes your bank’s privacy practices with respect to the collection and use of consumer information, including through the use…
-
Under the Taxpayer First Act (TFA), are we required to obtain a taxpayer’s express permission to share their tax return information only if we obtain it from the IRS, as opposed to receiving it directly from the taxpayer?
Yes, the TFA’s consent requirement applies only to tax return information provided by the IRS. However, a customer’s tax return information remains subject to financial privacy laws, which may require the customer’s consent before disclosure to a third party, unless an exception applies. The TFA amended the Internal Revenue Code to require that “[p]ersons designated by…
-
Under the Taxpayer First Act, are we required to obtain taxpayer consents from non-borrowing spouses? Also, is there any guidance for banks related to a borrower who refuses to sign a taxpayer consent form? Can a loan be denied on this basis, and would such a denial present any fair lending concerns?
We recommend obtaining a taxpayer consent form for any taxpayer whose tax return information you will be requesting from the IRS. For a non-borrowing spouse, your bank may be requesting a joint tax return that will include tax return information for both spouses, and in that case, we recommend obtaining both spouses’ consent. If a…
-
Regarding the Taxpayer First Act (TFA), if we have a commercial loan with twelve guarantors, must all twelve sign taxpayer consent forms, or can we add a signature addendum allowing all guarantors to sign the same form? If borrowers or guarantors provide updated tax return information after loan origination, do we need to obtain new consent forms, or would the original consent form cover all future tax returns? Also, if we have a loan participation that was originated before the Act’s consent provisions became effective, but sold after the effective date, is the consent form required at the time of the sale?
Yes, we believe that your bank can have all twelve guarantors sign the same consent form. The TFA requires express consent from each taxpayer before obtaining their tax return information, but there is no requirement that each taxpayer provide their consent on a separate form. We believe that your bank can structure a consent form…
-
We had an account with three joint owners. One of the owners died, and the account was closed by his son, who was a joint owner on the account. The deceased customer’s other son (who was not a joint owner) has requested copies of account statements and provided us with documentation that he will be issued letters of office naming him as a co-administrator for the deceased customer’s estate. Does the son who will be appointed as a co-administrator have the authority to request this documentation?
Once the son has been appointed as an administrator for the deceased customer’s estate, he will be entitled to access information relating to the account as of the date of your customer’s death. However, since there continue to be living owners of the account following the decedent’s death, the administrator would not be entitled to…
-
Are we required to send monthly account statements to deceased customers? We have a few customers that we know are deceased and are the sole owners of their accounts. The account statements are generated monthly for these customers, and when we mail them out, they get returned to us. Can we reduce the frequency of these statements from monthly to yearly?
No, you are not required to send account statements to deceased customers that are being returned to your bank. In fact, it is advisable to discontinue mailing periodic statements (whether monthly or yearly) to a customer that you know is deceased, in order to prevent the statements containing personal financial information from falling into the…
-
What responsibilities, if any, do we have under the California Consumer Privacy Act to our customers who live in California, when we have branches only in Illinois?
Whether your bank has any responsibilities under the California Consumer Privacy Act (CCPA) depends on several factors, including whether you do business in California and whether you collect any personal information about your California customers that is not already covered by the Gramm–Leach–Bliley Act (GLBA). The CCPA, which takes effect on January 1, 2020, creates…