Privacy
Begin With Scope and Coverage
Any rule starts with scope and coverage established in the definition sections. The new privacy rule is no exception. Some of the most important aspects of the privacy rule are contained in the definition section. Before you do anything else, master the definitions and get used to the new compliance lingo that this rule creates.
Collect
The rule covers information that you collect. "Collect" is a multi-step process. Step number one is obtaining information. This term is not limited by the source from which you obtained the information. The operative trigger is that you collect information.
Clearly, information obtained from the customer would fall within the scope of the new regulation's definitions. However, information that you obtain from other sources - such as credit bureaus and other third-party sources - is also included. In fact, the definition explicitly says that your source does not matter. The key thing to base your policies and procedures on is the fact that the information exists in the bank rather than on how it got there.
The next step in this process is to be able to organize or retrieve information by the name of an individual or by an identifying number or other such symbol. The issue of critical importance here is whether or not you can get at the information in a meaningful way.
Think creatively about accessing information. This is much more than today's state-of-the-art. It includes tomorrow's capabilities and those of the last century. This would include accessing a database by name or account number. It would also include pulling a signature card or a loan file.
Consumer or Customer?
And what is the point of the distinction between consumers and customers? Consumers and customers have different rights and receive different information from you. These two definitions are critical in determining what disclosure to provide and when. Unfortunately, like most compliance definitions, this distinction doesn't come naturally. It is going to have to be learned.
A consumer is an individual with whom the bank has at least some relationship or communication. However, this relationship can be as minimal as applying for credit - and then being turned down. It also includes prequalification requests and collection of information on deposits or for investment advice purposes. Essentially, a consumer is an individual about whom you have some information but with whom you do not yet have an established ongoing account relationship.
The regulation uses the word "consumer" for a purpose. The definition of consumer includes applicants for loans or deposits that are primarily for personal use. It excludes business purpose transactions. Essentially, a consumer is any individual who steps forward from the crowd and asks to conduct some of their personal business with you.
The definition is triggered by collecting information, not by what you do with it. This includes any information you gather for an account or loan request which you later deny.
Including denials as well as approvals is important because the bank has collected information - much of which is not publicly available. This means that your information security efforts should include the "reject" pile as well as the approved and closed loans and the ongoing accounts. The protected status of the personal information is not affected by the decision made by the bank on a particular product or application.
A customer is a step beyond a consumer. A customer is a person who actually has a continuing relationship with the bank. Think of a continuing relationship as one which triggers mailing statements or supporting the product in operations. A customer is an individual who has a continuing product relationship with the bank, such as a loan or a deposit account.
A customer relationship can be established by direct contact, such as opening a deposit account or filing an application for a loan which the bank approved. Or the customer relationship can be established indirectly when the bank purchases the servicing rights to the customer's loan. It doesn't matter which door the customer comes through; what matters is the information about the individual held within the bank and the ongoing relationship status.
Note that it only takes one such product relationship to establish the customer status, rather than the consumer status. As with the consumer definition, however, this is limited to relationships for personal use. Thus a business checking customer who applied for a mortgage and was denied would be a consumer for purposes of the information collected on the mortgage application but would not have become a customer because the loan was denied and there is no ongoing relationship with a personal product.
The customer relationship can also be undone, as by selling the loan and the servicing. This does not, however, give you the freedom to use the information about the loan you have just sold. It affects your ongoing obligations for notification requirements and opt-out procedures. However, the information you collected or acquired retains its protected status, even though the customer is no longer a customer. In addition, if the customer has any other ongoing relationships with you, such as a deposit account, they remain a customer for those purposes.
Financial Institution
If you are a bank or a thrift, you are a financial institution. The most significant part of the definition of financial institution is the examples of what are not financial institutions. Excluded from the banking agencies' regulations are entities that are subject to the jurisdiction of the Commodity Futures Trading Commission, the Federal Agricultural Mortgage Corporation, and secondary market entities created by Congress.
There are many agencies issuing privacy protection regulations under FinMod. If you are part of a holding company that includes non-bank affiliates, you may need to be tracking the regulations of other agencies. All of the regulations issued are substantially similar, but there are subtle and important differences.
Financial product or service
The rules regarding consumers and customers are triggered by the request for or successful attainment of a financial product or service.
Financial product or service is broadly defined to include any product or service that the financial institution can or does offer. These products are not limited to the traditional bank products of loans and deposit accounts. This definition includes new, non-traditional products such as brokerage activities and insurance sales. Any information collected in connection with these activities is included in the regulation's protections. Also important, all of the notification requirements, including opt-out notices and systems, must fully comply with the regulation.
ACTION STEPS
- Review the databases that you have. Maintain a customer information inventory.
- Analyze the processes by which information can come into the bank. Map how the information comes in, how it is used, where and how it is stored, and who has any access to it.
- Review your procedures - old and new - for taking applications or for collecting any kind of information. Decide what will work for your bank to distinguish between customers and consumers. You may decide simply to treat everyone as a customer for initial notice purposes.
- Consider how you will give notices on the Internet to customers and consumers. Again, you may find it easier to simply treat all as customers.
- Watch closely your relationships with third-party vendors. Maintain information to support whether they are affiliates or non-affiliates. Priority targets should include lending relationships and investment product partners.
- Privacy protection is a service that consumers want. Use it to win customers and win customer loyalty.
Copyright © 2000 Compliance Action. Originally appeared in Compliance Action, Vol. 5, No. 9, 8/00