GDPR, GLBA, and Privacy (Reg P) Flashcards

1
Q

A compliance officer is monitoring the bank’s opt-out forms and procedures for compliance with the requirements of the Privacy of Consumer Financial Information Regulation. A violation of this regulation will occur if the bank’s opt-out form:

A. Requires the consumer to mail the form back to the bank to be effective
B. Requires the signatures of all joint account holders to be effective for joint accounts
C. Requires the consumer to call a toll-free telephone number during normal business hours in order to opt-out
D. Permits its online banking customers to opt out electronically by completing the form on the bank’s online banking site

A

B. Requires the signatures of all joint account holders to be effective for joint accounts

For joint accounts, an executed opt-out notice by any one account holder is considered effective as to all account holders. Such notices may be mailed by customers, and/or the bank may require the customer to call a toll-free telephone number or complete an electronic form to opt-out.

2
Q

Your bank has ten joint marketing agreements with non-affiliated third parties to offer additional financial products to your customers. Each of the contracts renews every two years. Prior to renewal, you should review the new contracts to determine whether:

A. It would be cost-effective to offer the products directly
B. The third party has provided privacy notices to your customers
C. The products offered by the third party are competitively priced
D. The contract contains the appropriate third-party confidentiality clause

A

D. The contract contains the appropriate third-party confidentiality clause

A requirement for any joint marketing agreement is to ensure the parties have appropriate contract language to ensure the confidentiality of customer information. Third parties need not provide privacy notices to customers. Ensuring products are competitively priced and determining whether it may be more cost-effective for the bank to offer the products directly may be wise steps, but they are not required by regulation.

3
Q

The goal of information security is to maintain which standards of a bank’s informational assets (i.e., customer records)?

A. Identity, disclosure, and disposal
B. Control, identity, and assessment
C. Confidentiality, disposal, and access
D. Confidentiality, integrity, and availability

A

D. Confidentiality, integrity, and availability

The GLBA safeguards requirement (Section 501(b), implemented for banks through the Interagency Guidelines Establishing Information Security Standards) requires banks to:
- Ensure the security and confidentiality of customer information
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer

4
Q

The business has prepared a remediation plan to comply with a recent regulatory change regarding the provision of annual privacy notices to the bank’s customers. What is the role of the compliance department to assure regulatory changes are made by the effective date?

A. The compliance department should only be involved if the changes are not accomplished by the effective date of the revised regulation
B. The compliance department should lead the effort to ensure the proper privacy notices are delivered in a timely manner to all affected customers by the required date of the regulatory change
C. The compliance department should have no role other than monitoring the Federal Register to ensure there are no further changes to the regulation
D. The compliance department should be sent regular updates by the business to ensure the changes are made in a timely manner

A

D. The compliance department should be sent regular updates by the business to ensure the changes are made in a timely manner

5
Q

The compliance officer becomes aware of a change to the General Data Protection Regulation (GDPR). The change involves additional notification requirements to affected parties. The bank currently has no European resident customers, but it does share information with firms that do business in Europe. When developing an action plan for this regulatory change, how should the compliance officer BEST respond?

A. The business should immediately be notified of the new notification requirement, and affected disclosures should be changed
B. The third-party firms that do business in Europe should be notified of the change and the bank’s disclosures should be modified to reflect the changes
C. The compliance officer should convene a committee of stakeholders to discuss the changes and consider their impact on the business
D. As the bank currently has no European customers, there is no immediate need to notify the business of any needed action

A

D. As the bank currently has no European customers, there is no immediate need to notify the business of any needed action

The GDPR protects the personal data of individuals in the EU; it reaches a U.S. bank only when the bank itself processes such data (for example, by offering services to or monitoring individuals in the EU). If the bank has no European customers, the GDPR rules do not apply to it. The fact that the bank shares information with third parties that do business in Europe does not extend coverage of the GDPR to the bank; those firms are responsible for their own compliance. The bank should monitor its customer base so that, if it gains European customers in the future, the rules are implemented at the bank.

6
Q

The bank has recently acquired another institution. The acquired bank has a number of European resident customers that have CDs with the bank. When considering how to handle these new accounts, which of the following is an appropriate step the bank should take?

A. The bank must appoint a European Data Officer, who will regularly report data activities to the European Union
B. The bank must ensure that these customers’ data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
C. The bank must send an appropriate Privacy and Data Opt-Out notice to all affected customers notifying them of the bank acquisition
D. The bank must immediately divest itself of these new accounts unless it is willing to jointly sponsor these customers with a European financial institution

A

B. The bank must ensure that these customers’ data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Ensuring customer data is kept in a form that permits identification for no longer than necessary is a core requirement of the GDPR (the storage limitation principle in Article 5(1)(e)). There is no requirement for the bank to appoint a "European Data Officer" who reports data activities to the European Union, or to send Privacy and Data Opt-Out notices to customers announcing the acquisition. There is also no requirement to divest the accounts or to jointly sponsor the customers with a European financial institution.

7
Q

When evaluating a bank’s Information Security Program for compliance with regulatory standards, an auditor should review:

A. Whether the program is designed to ensure the security and confidentiality of customer information
B. Whether the program is designed to restrict consumer access to account data
C. Whether the program is designed to prevent inadvertent disclosure of protected health information to an affiliated entity
D. Whether the program is designed to limit the access to customer information to essential personnel

A

A. Whether the program is designed to ensure the security and confidentiality of customer information

An Information Security Program exists to protect customer information, so that is what an auditor should review: whether the program is designed to ensure the security and confidentiality of customer information. Restricting consumer access to their own account data is not a goal of the program. The program is not limited to protected health information or to disclosures to affiliates; it applies to all customer information the bank holds. Finally, "essential personnel" is too narrow a test: access should be limited to employees with a business need, and those may not be only essential personnel.

8
Q

Based on findings of the most recent examination, the bank has committed to improving its Information Security Program. What is the MOST appropriate item for the compliance professional to report as part of the plan to report to the bank’s examiners?

A. Ensure that training is provided to only those employees that possess personally identifiable information (PII) of customers
B. Ensure that a process is established to notify the bank’s primary federal regulator whenever customer information is suspected to be misused
C. Ensure that the effectiveness of the program and any recommended improvements are reported to the Bank’s Board of Directors at least annually
D. Ensure that all doors in the bank’s backroom operations are retrofitted with keycard entry systems

A

C. Ensure that the effectiveness of the program and any recommended improvements are reported to the Bank’s Board of Directors at least annually

It is a regulatory requirement to report to the Board of Directors at least annually on the program's effectiveness and any recommended improvements. Training is required for all employees who may handle sensitive customer information, not just those with access to PII. The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information (2005) does direct a bank to notify its primary federal regulator as soon as possible after learning of an incident involving unauthorized access to sensitive customer information, so option B describes an incident-driven duty rather than a standing element of the program; the annual Board report is the element the Guidelines explicitly require of the program itself. There is no requirement to retrofit doors with keycards, even if that is a good recommendation.

9
Q

The compliance professional becomes aware of a number of consumer complaints alleging that the bank did not provide the opportunity to opt-out of information sharing with non-affiliated third parties. What should the compliance professional do FIRST?

A. Report this regulatory violation to the bank’s primary federal regulator
B. Prepare a letter to the affected customers apologizing for the disclosure and offer free credit report monitoring
C. Validate that the bank does indeed share information with non-affiliated third parties without providing prior opportunity for customers to opt-out
D. Contact the third parties and ensure the information is not used for any marketing purpose

A

C. Validate that the bank does indeed share information with non-affiliated third parties without providing prior opportunity for customers to opt-out

An opt-out notice is required only if the bank actually shares nonpublic personal information with non-affiliated third parties outside the Reg P exceptions. Therefore, the first step is to ascertain whether such sharing occurs and whether a notice was required at all. It does not matter whether the third party uses the information for marketing purposes; if the information is shared, the opt-out opportunity must come first. A letter to affected customers could be a nice touch, but it is not the first step, and in almost no case would it be appropriate to notify the bank's regulator before the facts have been validated.

10
Q

In which of the following situations may customers be told that information about their accounts has been requested by a federal government agency?

A. The bank is asked to provide additional information about an IRS Form 1099
B. The Secret Service is conducting its protective functions and furnishes a compliance certificate
C. A customer’s records relating to a crime against another bank are subpoenaed by a federal grand jury
D. The government is engaging in an authorized foreign intelligence activity and furnishes a compliance certificate

A

A. The bank is asked to provide additional information about an IRS Form 1099

The Right to Financial Privacy Act does not require the bank to tell the customer that a federal government agency has requested information about the customer's accounts; the notice obligations in the Act fall on the requesting agency. In the grand jury, Secret Service protective-function, and foreign-intelligence situations (answers B, C, and D), the bank is in fact prohibited from disclosing the request to the customer. Disclosures required under the Internal Revenue Code, such as information about a Form 1099, are exempt from the RFPA, so telling the customer that the IRS has asked about a 1099 raises no RFPA issue. Answer A is therefore the only situation in which the customer may be told.

11
Q

The PRIMARY purpose of the Right to Financial Privacy Act is to:

A. Require a financial institution to keep customers informed of inquiries about their accounts by federal government agencies
B. Establish specific procedures for federal government agencies seeking information about a customer’s financial records
C. Establish a process by which a customer may object to a financial institution releasing his account information to federal government agencies
D. Prohibit a financial institution from providing customer information to anyone without the customer’s permission

A

B. Establish specific procedures for federal government agencies seeking information about a customer’s financial records

The RFPA sets out the methods (customer authorization, administrative subpoena, search warrant, judicial subpoena, or formal written request) a federal agency must use to obtain a customer's financial records from a financial institution. It does not require the institution to keep the customer informed, does not give the customer a general right to block release, and does not prohibit disclosure to non-government parties.

12
Q

Under the Right to Financial Privacy Act, a customer’s authorization to release information must include which of the following?

A. Customer’s TIN
B. Date the account was opened
C. Records to be disclosed
D. Authorization for a period of one year

A

C. Records to be disclosed

A customer authorization under the RFPA must be signed and dated, identify the records to be disclosed, state the purposes for which the records may be disclosed, state the customer's rights (including revocation), and be valid for no more than three months. The customer's TIN and the account opening date are not required elements, and a one-year authorization period exceeds the statutory maximum.
