Privacy Implementation Check-Up

FDIC's Privacy Implementation Guide (FIL 2001-3) contains materials that every bank should use. It raises several issues related to implementation and monitoring that should be on everyone's agenda. One issue that is clarified is that the Privacy Act does not govern information sharing among affiliates. That is subject to the FCRA. As a result, the consumer cannot "opt out" of information sharing with affiliates. Look to FCRA for guidance on notices related to information sharing among affiliates - but don't expect it before July.

Exceptions
The exceptions allow the bank to process and service a consumer's transaction through third parties without violating an opt-out request. Consumers cannot opt out of certain transactions that are so tied to the bank's business or the nature of the transaction conducted by the customer that the third party is essential. Examples include the bank's use of a marketing firm, steps taken by the bank to protect against fraud or unauthorized transactions (calling OFAC), and processing or servicing checks.

Exceptions prohibit sharing of account numbers in any third-party marketing. There are only two narrow exceptions to this. One is that the third party not be allowed to charge the customers' accounts.

Although the wisest and safest procedure would be to never, never share account numbers, if there is a reason for doing this, the bank should consider placing seeds in the list. That way, if the marketer violates the agreement and uses the account numbers, the bank is likely to learn about it firsthand - when its seed is contacted.

The exceptions do require that banks provide in their third-party contracts for customer information protections. These clauses belong in all contracts. As with Y2K, you need to compile an inventory of third-party contracts. Unlike Y2K, you need to maintain an ongoing monitoring process for all new and renewed contracts.

Timing
FDIC provides a timetable for implementing privacy. The guidance also stresses that even banks that do not intend to share must send initial and annual notices. Non-sharing banks will have simpler notices than banks that do share information, but the notice must go to the customer.

All notices must be sent in time for the customer to receive them by July 1, 2001. Any bank that intends to share information must send notices in time for the customer to receive the notice, consider the choices, and exercise the opt out well before July 1, 2001 so that the bank can implement the opt-out and have it in place by July 1. And remember that former customers - whose records you may still have - should also receive notices.

FDIC (and Compliance Action) strongly recommends that the bank follow a timeline that will achieve compliance in time. The scheduling on the timeline should be determined by what sort of notices and information sharing the bank will use.

Senior Management
Developing a privacy policy should involve participation of all departments in the bank. This will ensure that nothing is overlooked.

FDIC also recommends involving the board of directors. Although the act does not specifically require a board-adopted policy, having one is strongly recommended. It is always a good way to involve the board, and it provides a statement of commitment to the entire organization.

Another aspect to consider is how your bank's information sharing practices and policies are similar to or different from the practices of affiliates. What your affiliates do may have an impact on what you can promise and deliver.

Record Retention
Among the things that you should review, FDIC recommends that you also review record retention practices. Serious leakage can occur in record retention. We tend to think of old records as uninteresting and unnecessary. But they contain all of the information that the bank is supposed to protect.

Audits
Unlike Y2K, privacy won't come to an end on July 2, 2001. It will become a program and process that must be maintained. All the usual monitoring and auditing must take place in the future. As you develop your program, begin designing the maintenance for the program. This is the best opportunity to know where you will need to look, where training is needed, and how to set up controls so that future practices and contracts are in full compliance.

Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 1, 2/01

First published on 02/01/2001