Topic: Privacy
-
We have not made changes to our privacy policy or practices in over two years. We share customers’ nonpublic personal information for our everyday business purposes, such as processing transactions, maintaining accounts, responding to court orders and legal investigations, and reporting to credit bureaus, but we do not share this information with affiliates (as we have none) or nonaffiliated third parties for marketing purposes. Are we still required to send an annual privacy policy notice to our customers?
No, we do not believe you are required to send customers an annual privacy notice, since your bank appears to qualify for an exemption from the annual privacy notice requirement. The Gramm–Leach–Bliley Act (GLBA) generally requires financial institutions to provide initial privacy policy disclosures to new customers and to send their privacy notices annually to…
-
We are a federal savings bank owned by a mid-tier holding company that is owned by a mutual holding company. All three entities have the same board members and officers. Do we need to list our holding companies as affiliates on our privacy notice if we do not share information with them?
No, we do not believe that you need to list your bank’s holding companies on your initial, annual, or revised privacy notices if you do not share information with them. Under Regulation P, the holding companies that own your bank are considered your affiliates. However, if you “do not disclose, and do not wish to…
-
We distribute a fee schedule for deposit accounts, and some at the bank think this fee schedule needs to include an “Equal Housing Lender” statement. We’re also wondering whether this would be required for privacy notices and disclosures — both of which we provide to both deposit and loan customers. Are these documents required to have the “Equal Housing Lender” statement? How about the “Member FDIC” disclosure?
We do not believe that these documents need to include the “Equal Housing Lender” statement, nor do they need to include the “Member FDIC” disclosure. The Federal Reserve’s Equal Housing Lender advertising requirements apply to “any form of advertising of any loan for the purpose of purchasing, constructing, improving, repairing, or maintaining a dwelling.” Consequently,…
-
We are extending a bridge loan that will be secured by the borrowers’ current home and a new home that is being purchased. The borrowers’ current home is owned by three people — two borrowers who reside there and a third individual who does not reside there and is not a borrower on the bridge loan. Our loan documentation system (LaserPro) added the third person to the Closing Disclosure. However, we do not believe the third individual is entitled to receive the Closing Disclosure since they are not a borrower and are not entitled to rescind the transaction. Can you confirm that this is correct, and that Illinois law does not require the third person in this scenario to receive the Closing Disclosure?
Yes, we agree that the third individual in this scenario should not be included in the Closing Disclosure, since they are not a borrower on the bridge loan and a security interest is not being taken in their principal dwelling. While this individual may need to sign certain documents to perfect your bank’s lien on…
-
Under Regulation P, our bank is not required to send the annual privacy notice since we meet its criteria for an exemption (i.e., we do not share our customers’ nonpublic personal information with third parties, and we have not changed our policies and practices on disclosing nonpublic personal information since our most recent privacy notice sent). However, we are aware that some states, such as California and Vermont, have more restrictive laws that may require us to mail an annual privacy notice even if we qualify for Regulation P’s exemption. Our former compliance officer required that we mail annual privacy policy notices to our customers residing in Vermont and California. Are we still required to send privacy notices for customers in those two states, and are there other states with laws similar to them?
We are not aware of a list or 50-state survey for which states have more restrictive privacy laws than the federal law, and unfortunately, we cannot comment on state laws outside of Illinois. However, a Data Privacy Primer published by the Sedona Conference in 2018 identifies California as requiring “explicit prior consent” from consumers before…
-
Two of our customers recently separated and do not appear to be in communication. The couple have joint deposit accounts and a joint lock box. The wife requested statements for the joint accounts, which we have provided. The wife does not have a key to the lock box and has asked to see the access log. Since this is a joint lock box account, can we provide the wife with the access log without a subpoena?
Yes, we believe that your bank may provide an access log to the wife, as she continues to be a joint lessor of the lock box. Both federal and Illinois financial privacy laws permit banks to disclose a customer’s financial records to that customer, and both joint lessors should have equal access to account records…
-
We inadvertently sent one business customer’s account statement to another business customer. The statement included the business customer’s name and address, but the account number was masked. Does federal or state law require us to provide notice to the business customer whose statement was inadvertently disclosed to a third party?
We believe that the federal data breach notification requirements are inapplicable to the unauthorized disclosure of a business customer’s account statement, and it is likely that Illinois’ data breach notification requirements also are inapplicable. However, your bank may wish to consider notifying this customer as a courtesy. The federal data breach notice requirements outlined in…
-
We are a national bank, and we recently moved our wealth and farm management groups into a separate, state-chartered trust company that will be regulated by the IDFPR and the Federal Reserve. Which compliance regulations apply to a trust company? Do the following apply? BSA, OFAC, AML, CIP, USA Patriot Act, FACT Act, Elder Financial Abuse, UDAAP, and GLBA.
Trust companies are subject to all the laws mentioned in your question. Broadly speaking, there are no exemptions for trust companies in the laws and regulations that generally apply to banks, bank holding companies, and their subsidiaries. Also, you mention in your question that the trust company will be regulated by the IDFPR and the…
-
We would like to use a third-party vendor to print and mail postcards to our internet customers. Is it permissible to send the vendor a list of our customers’ names and addresses? What due diligence is required? In the alternative, should we only use the vendor to print the postcards and address and mail them ourselves?
Yes, it is permissible to share a list of customer names and addresses with a third-party vendor for purposes of printing postcards if certain requirements are met. Customer names and addresses may be shared with a third party if you provide your customers with an initial notice that accurately reflects your privacy policies and procedures,…
-
If we have personal information about payable on death beneficiaries for a deposit account, such as birth dates and social security numbers, and there is a security breach, may we contact the beneficiaries to let them know that their information has been compromised?
Yes, we strongly recommend contacting deposit account beneficiaries to notify them of a data breach affecting their personal information. The Illinois Personal Information Protection Act requires notification of any Illinois resident when there is “unauthorized acquisition of computerized data” containing the resident’s personal information. “Personal information” includes an individual’s name in combination with a social…