Privacy Exam Procedures
by Mary Beth Guard

The bank regulatory agencies have issued GLB privacy exam guidance to examiners. By studying what the examiners have been provided, we have a good idea what you should expect when you are examined for privacy compliance.

There are five specific areas of privacy compliance requirements the examiners will focus on:
  1. Whether your institution has provided its privacy notices on time and in the correct manner and whether those notices are accurate and clear and conspicuous;
  2. Whether you have provided a proper opt out notice if you are disclosing nonpublic personal information to nonaffiliated third parties outside the exceptions allowed by the privacy rule;
  3. If you have provided an opt out right, whether you are appropriately honoring consumer opt out directions;
  4. If you have received nonpublic personal information from a nonaffiliated financial institution, whether you are lawfully using or disclosing it;
  5. Whether you are abiding by the restrictions on disclosing account numbers.
In addition, the examiners will look at how consistent your privacy notice is with what your actual privacy policies and practices are, and how effective your internal controls and procedures are for monitoring your compliance with the privacy regulation.

The examiners will begin by discussing with management how your bank shares information with affiliates and nonaffiliated third parties, how it treats nonpublic personal information, and how it administers opt-outs. They will look at how you process requests for nonpublic personal information, how you deliver privacy notices to consumers, how you prevent unlawful disclosures of account numbers, and how you prevent unlawful disclosure and use of information you receive from nonaffiliates. For institutions that must provide an opt out right, the examination will include scrutiny of how the opt out process is managed.

You can expect the exam to include an analysis of the information you collect from or about consumers by whatever means, whether through Internet cookies or through an application for investment products.

They will want to know about any complaints you've received from consumers regarding the treatment of nonpublic personal information, whether those were received by telephone, email, letter, or in person, so be sure you have a central point of aggregation for any privacy complaints you receive.

You'll need to be prepared to defend your categorization of information sharing under the exceptions in Sections __.13, __.14, and __.15. Be ready to show that you correctly concluded the exceptions applied.

In terms of internal controls and procedures, the regulators will look at whether you have a procedure in place to review the privacy implications of new products and services, new servicing arrangements, and new marketing arrangements. They will review the effectiveness of your management information systems, your monitoring procedures, and your privacy training program. The privacy knowledge level of management and personnel will also be explored.

The examiners will come armed with six different modules, as well as decision trees to help them determine which of the modules to use for a given exam. The scope of the exam will be dictated by which module is applicable. For example, if a financial institution does not receive nonpublic personal information from a nonaffiliate, does not share information except under the exceptions in Sections __.14 and __.15, and does not share account numbers or similar access numbers or codes with nonaffiliates, the examiners will utilize Module 3. This module, which will apply to the examinations of most community banks, is short and uncomplicated. It focuses primarily on verifying that the privacy practices of the institution are accurately represented in the privacy notice, that the privacy notices are clear, conspicuous, accurate, complete, and timely and reasonably delivered.

Use the Examination Checklist included in the procedures to assess your own compliance before the examiners arrive. It will help you spot trouble areas and deficiencies.

Originally appeared in the Oklahoma Bankers Association Compliance Informer.

First published on BankersOnline.com 10/08/01
