
Privacy Notices

Content and Timing
Notices are the most visible and measurable aspect of privacy compliance. Spend some time to make sure you get these right.

Initial notices
The first principle of the new privacy laws is that consumers and customers have a right to know - before they tell you anything - how you will treat their personal information. That is what the initial notice is designed to accomplish.

The initial notice goes to customers and consumers alike. Give customers the initial notice before you establish a relationship with them. Thus, a customer must get the initial notice before the loan is made or the account is opened.

Consumers get slightly different treatment. Giving the notice to a consumer is triggered by the bank's plans, if any, to share information. You give the initial notice to consumers before any information about them leaves the bank.

This initial notice is a critical part of the compliance program. Like the old method of posters on the wall, a.k.a. compliance wallpaper, these notices set the tone of the relationship as well as the ground rules. Draft notices that place the bank in a positive light. In short, use privacy requirements to sell.

Annual notices
Annual notices are designed to remind customers about your policies. They are also an opportunity for you to communicate any changes.

As far as timing goes, annual notices are as described: they have to go to customers once a year. The regulation gives you some breathing room by permitting these notices to go once each calendar year. Note that this is much more relaxed than the escrow notice schedule in RESPA. The privacy rule frees you from counting months since the last notifications were sent. However, it is still a good idea to keep a calendar of notices. At a minimum, you'll need to be able to tell the examiner when the annual notices went out.

Your obligation to send annual notices to customers runs to each customer as long as the individual remains a customer. If that relationship ends, you may stop sending annual notices. However, remember that customers may have multiple relationships with your bank. You will need to have a process for cross-checking if you want to avoid sending notices triggered by each relationship.

Notice delivery
There is a fundamental good faith standard in the delivery of notices. Although the regulation spells out several specific options - including hand-delivering the notice to the customer - the bottom line is that the bank should use a method and level of effort that are consistent with ensuring that the consumer actually receives the notice. Whether the consumer reads it is not your problem.

The most common form of paper notice delivery is likely to be using the U.S. Postal Service. Mailing a copy to the consumer's last known address meets the delivery standards.

You can deliver notices electronically if the consumer agrees to receive the notice in that form. Electronic disclosures have several additional tests. The notice may be posted on the bank's website; however, the bank must do more than simply post the notice. It must take steps to ensure that the consumer found it and knew it for what it was.

The electronic notice must require the consumer to acknowledge receipt of the notice as a "necessary step" to obtaining a product or service. This is a bit like the flood insurance rule of no insurance, no loan. In other words, no consumer may obtain a product over the Internet unless and until the consumer acknowledges that they have seen the privacy notice.

The ATM rule is similar. An isolated transaction at an ATM would be subject to the "must acknowledge" rule. The screen must require the consumer to acknowledge the notice before the consumer can continue the transaction.

The regulation specifically prohibits banks from delivering oral notices. For purposes of ADA compliance for visually impaired customers, it looks like you may have to use Braille.

ACTION STEPS

  • Use a checklist to prepare and review privacy notices.
  • Maintain a schedule and calendar for when notices are provided.
  • If you maintain notices on a website, be sure that you have a mechanism for tracking when and how customers check the notice.
  • Work with your operations staff to develop and maintain electronic notices for websites and ATMs. Be sure to make the screen a requirement for the consumer and not an option.
  • Review your procedures for meeting with new customers - both loan applicants and those who want to open deposit accounts. Work with branch staff to determine what procedures will work best for privacy notification purposes.
  • Schedule an audit of annual renotifications for next summer to make sure your system is working.

Copyright © 2000 Compliance Action. Originally appeared in Compliance Action, Vol. 5, No. 9, 8/00

First published on 08/01/2000
