Privacy of Consumer Financial Information Flashcards

1
Q

What is covered/governed under the Privacy Act? (4)

GLBA and Sections 502-504

A

GLBA governs the treatment of nonpublic personal information about consumers by banks.

  • Section 502, subject to exceptions, prohibits a bank from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless:
    ° the bank satisfies various notice and opt-out requirements, and
    ° the consumer has not elected to opt out of the disclosure
  • Section 503 requires the bank to provide notice of its privacy policies and practices to its customers
  • Section 504 authorizes the issuance of regulations to implement these provisions
2
Q

The regulation establishes rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information. Summarize the four main duties/limitations on banks established under the act.

A
  • A financial institution must provide notice of its privacy policies and practices, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14, or 15 of the regulation. If the financial institution provides the consumer’s nonpublic personal information to a nonaffiliated third party under the exception in section 13, it must provide notice of its privacy policies and practices to the consumer. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If the financial institution complies with these requirements, it is not required to provide an opt out notice.
  • Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its customers.
  • A financial institution generally may not disclose consumer account numbers to any nonaffiliated third party for marketing purposes.
  • A financial institution must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.
3
Q

Generally, what information must be included in the privacy notice? (3)

A

In general, the privacy notice must describe a financial institution’s policies and practices with respect to collecting and disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.

Also, the notice must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties other than as permitted by exceptions under the regulation (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers’ accounts, and in response to properly executed governmental requests).

The privacy notice must also provide, where applicable under the Fair Credit Reporting Act (“FCRA”), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.

4
Q

What is a financial institution?

A

A “financial institution” is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

5
Q

What is nonpublic personal information? (3)

A

“Nonpublic personal information” generally is any information that is not publicly available and that:

  • a consumer provides to a financial institution to obtain a financial product or service from the institution;
  • results from a transaction between the consumer and the institution involving a financial product or service; or
  • a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

6
Q

Are lists of consumer information considered nonpublic personal information?

A

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution’s depositors would be nonpublic personal information even though the same names and addresses might be published in local telephone directories, because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers from public mortgage records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about those customers without having to provide notice or opt out.

7
Q

What is a nonaffiliated third party?

A

A “nonaffiliated third party” is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate. An “affiliate” of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.

8
Q

What is the Opt Out Right?

A

The Right—Consumers must be given the right to “opt out” of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulation.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer’s transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right.

For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.

9
Q

What are the Opt Out Right exceptions included in sections 13, 14, and 15 of the regulation?

A

Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:

  • Section 13: To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution’s own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides an initial notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the disclosure and confidentiality requirements of section 13.
  • Section 14: As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or provision of an account statement.
  • Section 15: For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution’s attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators.
10
Q

What is a consumer?

A

A “consumer” is an individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

11
Q

What is a financial service?

A

A “financial service” includes, among other things, a financial institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service.

For example, a financial service includes a lender’s evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

12
Q

What are customers?

A

A “customer” is a consumer who has a “customer relationship” with a financial institution. A “customer relationship” is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:
  ° maintains a deposit or investment account;
  ° obtains a loan;
  ° enters into a lease of personal property; or
  ° obtains financial, investment, or economic advisory services for a fee.

13
Q

Why is the distinction between consumers and customers important under the Privacy Act?

A

Because financial institutions have additional disclosure duties with respect to customers. Under the regulation, all customers are consumers, but not all consumers are customers.

14
Q

What are a bank’s disclosure duties with respect to a consumer vs. a customer?

A

Consumers who are not customers:
-are entitled to an initial privacy and opt out notice before the financial institution shares nonpublic personal information with nonaffiliated third parties outside of the exceptions in sections 13, 14, and 15.

-are entitled to an initial privacy notice before the financial institution shares nonpublic personal information with a nonaffiliated third party under the exception in section 13.

Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If a financial institution complies with these requirements, it is not required to provide an opt out notice.

Customers:

  • entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution unless an exception to the annual privacy notice requirement applies.
  • When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.
15
Q

In the following examples is the person a customer or consumer?

  • individual purchases a bank check from a bank where the person has no account
  • individual uses the ATM of a bank where the person has no account, repeatedly.
A

-The individual is a consumer in both instances, as isolated transactions alone will not cause a consumer to be treated as a customer.

16
Q

What are the duties of financial institutions under the ACT? (3)

A
  • Banks that intend to disclose nonpublic personal information outside of the exceptions in sections 13, 14, and 15 must provide opt out rights to their customers and to consumers who are not customers.
  • All banks must provide initial and annual notices of their privacy policy to their customers (unless an exception applies), and an initial notice to consumers who are not customers before disclosing nonpublic personal information to third parties other than under sections 13-15.
  • All banks must abide by the regulation’s limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.
17
Q

Before a financial institution discloses nonpublic personal information about any of its consumers to a nonaffiliated third party, and an exception in section 14 or 15 does not apply, then the financial institution must provide to the consumer what? (3)

A
  • an initial notice of its privacy policies and practices;
  • an opt out notice (including, among other things, a reasonable means to opt out); and
  • a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.
18
Q

Before a financial institution discloses nonpublic personal information about a consumer to a nonaffiliated third party under the exception in section 13, the financial institution must do what? (2)

A
  • provide the consumer with an initial notice of its privacy policies and practices.
  • enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the info other than to perform services for the institution or functions on the institution’s behalf, including use under exceptions 14 and 15.

If a bank complies with these requirements it is not required to provide an opt out notice.

19
Q

When would an institution need to provide a revised initial privacy notice to consumers?

A

Before the institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

20
Q

A financial institution need not comply with the initial and opt out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions in sections ____ and ____.

A

14 and 15

21
Q

What are the notice duties to customers? (4)

A

In addition to the notice duties that apply to consumers (initial notice and opt out notice, as applicable), a bank must provide notice of its privacy policies and practices to its customers at various times, regardless of whether it discloses or intends to disclose nonpublic personal information.

Including:

  • A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulation describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.
  • A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship unless an exception to the annual privacy notice requirement applies.
  • Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.
  • When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.
22
Q

What are the notice delivery rules for the initial notice to consumers? To customers?

A

Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example:

(1) hand-deliver a printed copy of the notice to its consumers,
(2) mail a printed copy of the notice to a consumer’s last known address, or
(3) for the consumer who conducts transactions electronically, post the notice on the institution’s web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice so that a customer can retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution’s web site, the institution may provide the current version of its privacy notice on its web site.

23
Q

In what situations is a bank not required to provide its customers an annual privacy notice? (2)

A

A financial institution is not required to provide an annual privacy notice to its customers if it:

(1) solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to Regulation P section 1016.13) or 502(e) (corresponding to Regulation P sections 1016.14 and .15) or regulations prescribed under GLBA section 504(b); and
(2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA section 503.

An institution that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

24
Q

For institutions that are required to provide an annual privacy notice to customers, what conditions must they meet to provide the annual notice through an alternative delivery method rather than in writing? (3)

If they meet the conditions for an alternative notice, how must they provide that notice? (3)

A

A financial institution may use an alternative delivery method for providing annual privacy notices to customers through posting the annual notices on their web sites if:

(1) no opt out rights are triggered by the financial institution’s information sharing practices under GLBA or under FCRA section 603, and opt out notices required by FCRA section 624 and Subpart C of Regulation V have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements;
(2) certain information included in the annual privacy notice has not changed since the previous notice; and
(3) the financial institution uses the model form provided in the regulation as its annual privacy notice.

In order to use this alternative delivery method, an institution must:

(1) insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that informs customers that the annual privacy notice is available on the institution’s web site, that the institution will mail the notice to customers who request it by calling a specific telephone number, and that the notice has not changed;
(2) continuously post the current privacy notice in a clear and conspicuous manner on a page on its web site, on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the web site; and
(3) mail its current privacy notice to those customers who request it by telephone within ten calendar days of the request.

25
Q

What disclosures regarding nonpublic personal information must institutions provide in their privacy notices to consumers? (9)

A
  1. categories of information collected;
  2. categories of information disclosed;
  3. categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;
  4. policies and practices with respect to the treatment of former customers’ information;
  5. categories of information disclosed to nonaffiliated third parties that perform services for the institution or functions on the institution’s behalf and categories of third parties with whom the institution has contracted (Section 13);
  6. an explanation of the opt out right and methods for opting out;
  7. any opt out notices that the institution must provide under the FCRA with respect to affiliate information sharing;
  8. policies and practices for protecting the security and confidentiality of information; and
  9. a statement that the institution makes disclosures to other nonaffiliated third parties for everyday business purposes or as permitted by law (Sections 14 and 15).
26
Q

When is a bank permitted to provide a “short form” initial notice?

A

A financial institution may provide to consumers who are not also customers a “short form” initial notice if it is provided together with an opt out notice stating that the institution’s privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it.

27
Q

What are a bank’s limitations and permissions on disclosing account numbers?

A

A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution’s own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer’s account). The regulation also does not bar a financial institution from disclosing account numbers to participants in private-label or affinity card programs, if the participants are identified to the customer when the customer enters the program.

28
Q

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

For nonpublic personal information received under a section 14 or 15 exception the financial institution is limited to disclosing/using the information how? (3)

A

For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:

° Disclosing the information to the affiliates of the financial institution from which it received the information;

° Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and

° Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors).

29
Q

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

For nonpublic personal information received other than under a section 14 or 15 exception, the recipient’s use of the information is unlimited, but its disclosure of the information is limited to what? (3)

A

° Disclosing the information to the affiliates of the financial institution from which it received the information;

° Disclosing the information to its own affiliates, who may, in turn disclose the information only to the extent that the financial institution can do so; and

° Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list in accordance with the privacy policy of the financial institution that provided the list, subject to any opt out election or revocation by the consumers on the list, and in accordance with appropriate exceptions under sections 14 and 15.

30
Q

The regulation requires a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers).

Does the regulation require the bank to describe its privacy practices and procedures in detail?

A

The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution’s policies.

31
Q

When reviewing privacy, what should examiners review to determine the bank’s compliance with the act? (4)

A

Determine a financial institution’s compliance with the regulation, specifically in meeting the following requirements:

  • Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice;
  • Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out;
  • Appropriately honoring consumer opt out directions;
  • Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
  • Disclosing account numbers only according to the limits in the regulation.

32
Q

True or false:

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of the exceptions (with or without also sharing under Section 13) is the most expansive degree of information sharing permissible.

A

True

Consequently, these institutions are held to the most comprehensive compliance standards imposed by the regulation.

33
Q

If a bank shares nonpublic personal information with nonaffiliated third parties under section 14 and or 15 and outside of the exceptions (with or without sharing under 13), what should examiners review? (4)

A
  • Privacy notice (presentation, content, and delivery, with or without section 13 notice and contracting)
  • short form notice (optional for consumers)
  • consumer notice delivery rules
  • opt out rules
34
Q

If the bank shares nonpublic personal information with nonaffiliated third parties under sections 13 and 14 and/or 15, but not outside of the exceptions, what should examiners review? (3)

A
  • Privacy notice
  • Consumer delivery notice rules
  • section 13 notice and contracting
35
Q

If a bank shares nonpublic personal information with nonaffiliated third parties only under sections 14 and/or 15, what should examiners review? (3)

A
  • Privacy notice
  • simplified notice (if applicable)
  • customer notice delivery rules
36
Q

If a bank shares nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of the exceptions (with or without also sharing under Section 13).

Then, how should an examiner sample and review the disclosure of nonpublic personal information?

A
  • Select a sample of third party relationships and obtain a sample of information shared between the bank and the third party, both inside and outside of the exceptions. The sample should include a cross section of relationships, but emphasize higher risk ones.
  • Compare the categories of information shared, and with whom the information was shared, to those stated in the privacy notice, and verify that what the bank tells consumers (including customers) in its notices about its policies and practices in this regard is consistent with what the bank actually does.
  • Compare the information shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions, or from consumers (including customers) who chose not to opt out, is shared.
  • If the bank also shares under section 13, obtain and review contracts with nonaffiliated third parties that perform services for the bank not covered by the exceptions in sections 14/15. Determine if the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed.
37
Q

True or false:

An opt out notice may not be combined with the bank’s privacy notice.

A

False; they can be combined.

38
Q

What is the required content of the opt-out notice? (4)

A
  • explain the right to opt out
  • describe the bank’s policy regarding disclosure of nonpublic personal information
  • describe the means to opt out
  • describe how the bank treats joint relationships, as applicable.
39
Q

If a bank shares nonpublic personal information with nonaffiliated third parties under sections 13, 14, and/or 15, but not outside of these exceptions.

Then, how should an examiner sample and review the disclosure of nonpublic personal information? (5)

A
  1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature.
    a. Compare the information shared and with whom the information was shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions. (Sections 13, 14, 15)
    b. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent.
    c. If the model privacy form is used, determine that it reflects the institution’s policies and practices. For institutions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
  2. Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed.
40
Q

If a bank shares nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.

Then, how should an examiner sample and review the disclosure of nonpublic personal information? (2)

A
  1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the financial institution and the third party.
    a. Compare the information shared and with whom the information was shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
41
Q

True or false:

The procedures regarding sharing nonpublic personal information with nonaffiliated third parties only under sections 14 and/or 15 apply only to customers.

A

True. See module 3 in the manual.

42
Q

What sampling and review procedures should examiners follow if the bank rediscloses and reuses nonpublic personal information received from a nonaffiliated financial institution under sections 14 and/or 15? (3)

A

B. Select a sample of information received from nonaffiliated financial institutions, to evaluate the financial institution’s compliance with redisclosure and reuse limitations.

  1. Verify that the institution’s redisclosure of the information was only to affiliates of the financial institution from which the information was obtained, or to the institution’s own affiliates.
  2. Verify that the institution only uses and shares the information pursuant to an exception in sections 14 and 15.
43
Q

What sampling and review procedures should examiners follow if a bank rediscloses nonpublic personal information received from a nonaffiliated bank outside of sections 14 and 15? (4)

A

B. Select a sample of information received from nonaffiliated financial institutions and shared with others to evaluate the financial institution’s compliance with redisclosure limitations.

  1. Verify that the institution’s redisclosure of the information was only to affiliates of the financial institution from which the information was obtained, or to the institution’s own affiliates, except as otherwise allowed in step 2 below.
  2. If the institution shares information with entities other than those under step 1 above, verify that the institution’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice.
  3. Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution.
44
Q

What procedures should an examiner follow when reviewing and sampling a bank that participates in account number sharing? (3)

A

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution’s consumers.

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution’s own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution’s own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to the accounts.

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program.

45
Q

A bank meets the exception to the opt out requirements under section 13 if it meets what conditions? (2)

A

The opt out requirements do not apply when a bank provides nonpublic personal information to a nonaffiliated third party to perform services or functions on the bank’s behalf, if the bank:

  • provides the initial notice as required; and
  • enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the bank disclosed the information, including under an exception in section 14 or 15 in the ordinary course of business.
    ex: If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing, or under an exception in § 1016.14 or § 1016.15 in the ordinary course of business to carry out that joint marketing.
46
Q

A bank meets the exceptions to the notice and opt out requirements for processing and servicing transactions under section 14 if it meets what conditions? (3)

A
  • The requirements for initial notice and opt out for service providers and joint marketing do not apply if a bank discloses nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests in connection with:
    (1) Servicing or processing a financial product or service that a consumer requests or authorizes;
    (2) Maintaining or servicing the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
    (3) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.
47
Q

A bank meets the exceptions to the notice and opt out requirements under section 15 if it satisfies what conditions? (10)

A
  • The requirements for initial notice and opt out for service providers and joint marketing do not apply when the bank discloses nonpublic personal information:
  • with the consent or at the direction of the consumer, provided the consumer has not revoked it;
  • to protect the confidentiality or security of consumer records;
  • to protect against or prevent fraud, unauthorized transactions, or liability;
  • for required institutional risk control, or to resolve consumer disputes or inquiries;
  • to persons holding a legal interest relating to the consumer, or acting in a fiduciary or representative capacity for the consumer;
  • to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the bank, or persons assessing compliance (auditors);
  • in accordance with the Right to Financial Privacy Act (RFPA), to law enforcement agencies and federal regulators;
  • to a consumer reporting agency in accordance with the FCRA;
  • in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of business assets;
  • to comply with federal or local laws, criminal or civil investigations, subpoenas or summonses, and to respond to judicial process or other regulatory process.