Preparing for Reg P Compliance: Have You Considered the Customer?
by John Byrne, Esq., Senior Counsel & Compliance Manager, ABA
During the past year, I have spoken to dozens of banker groups on how to implement Regulation P of the Gramm-Leach-Bliley Act. While we spend a good portion of the time covering the elements of a proper response to the compliance challenges faced by the industry, there is a clear need to also address the confusion that may occur when customers begin to receive their privacy notices. Even with the required "clear and conspicuous" language that each institution must adopt, customers will want to know why they are receiving multiple notices that differ in size and length. One area of major importance to all institutions is explaining to customers why these various privacy notices (which will also arrive annually) are being sent.
A key component of the privacy response is to communicate with your customers beyond the scope of the regulation. For example, we suggest a series of Q&As for staff who receive questions from customers about the privacy policy, identity theft, and other related matters. This resource can be handled on an as-needed basis or in written materials. The choice is yours. We strongly urge you, however, to consider drafting a communication on certain third-party issues, specifically answering the question of what a third party may do with information and why it may send the customer a privacy policy. For instance, ABA uses the following sample communication in the material it has prepared for training:
Question: Will the third parties keep my information confidential?
Answer: We will not share customer information with any company that does not agree to keep your information confidential. We carefully select the third-party companies we work with and any information that is shared is always subject to a strict confidentiality agreement. Moreover, it is a violation of federal law for a third party to reuse customer information received from us unless that information is also publicly available elsewhere.
Question: To ensure that the third party behaves properly, the bank should review contracts with all partners as the regulation requires, but what about the privacy notices themselves? I have heard that the average middle-income individual will receive approximately 21 privacy notices! If that is the case, the customer's bank will bear the brunt of the privacy questions, not the mutual fund, insurance company or mortgage lender. How should you handle this?
Answer: First, make sure that you know the policies of all of your service providers, joint marketing partners and other third parties. Inform your customers that various policies will be coming and that they may differ. Let them know that specific questions should be referred to the originating company.
Second, if you link to a third party's website from yours, make it clear that the visitor is leaving your site and that the privacy policy may be different there.
Finally, know when your partners are sending their policies, so you can be ready for questions.

As we work to comply with Regulation P, don't forget that the customer is the most important part of this privacy equation. Compliance is good, but retaining the trust of your customer is more important. We need to do both!
Copyright © 2001 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 11, No. 1, 1/01