The eBanking vendor should not have access to account information on customers who are not enrolled in eBanking.
When you look at the three categories of exceptions under the privacy rule, none would allow you to share in this manner. The sharing is not done under a joint marketing agreement. It is not necessary to effect, enforce, or administer a transaction initiated by the non-ebanking customers. And the laundry list of exceptions in 216.15 would not appear to apply. http://www.bankersonline.com/regs/216/216-15.html
I would recommend taking steps immediately to code your deposit base in such a way that you could upload just the customers whose accounts involve Internet banking. If it is not possible to make that differentiation and it is necessary to upload all in order to provide the service to the few, you should actively explore how you could rectify the problem. In the meantime, make sure you're doing all you can to protect the information, once it gets uploaded, including having a contract provision, as required by the Information Security Guidelines, that requires the vendor to implement and maintain an information security program designed to achieve the objectives of the Guidelines.
First published on BankersOnline.com 5/6/02
Internet Banking, Vendors, and Privacy
Question:
The bank is uploading all of each day's new deposit statements to our ebanking vendor, including both statements for customers enrolled in Internet Banking and statements for those not enrolled in Internet Banking. For those who have enrolled in Internet Banking, we do have the permissible purpose of providing them access to their account statements; the ebanking vendor is providing this third-party service on the bank's behalf. However, for those customers who have not enrolled in Internet Banking, do we have a permissible purpose since the ebanking vendor is not providing a third-party service for these customers on the bank's behalf? [We do not offer an opt-out option.]
Answer: