BOL Conferences
#20742 - 06/13/02 07:39 PM Third Party Service Provider Contracts
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
I need major help, please. I have a document from the FDIC: Quick View that states: Two-year grandfathering of service agreements. Until July 1, 2002, a contract that a bank has entered into with a nonaffiliated third party to perform services for the bank or functions on the bank's behalf satisfies the provisions of 40.13(a)(2) of this part, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the bank entered into the agreement on or before July 1, 2000.

I also have a document from the OCC 12CFR Part 30, effective July 1, 2001 that states: Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 5, 2001.

Which one is correct? There is a whole year difference in the time required. One would be expiring in two weeks. Surely they are not speaking of two different issues, are they?

Thanks for any clarification.

Requests and opinions are mine, not my employer's.

#20743 - 06/13/02 07:47 PM Re: Third Party Service Provider Contracts
Anonymous
Unregistered

Both are correct. They deal with two very different requirements.

The first one relates to __.13 of the GLB privacy rule, which requires you to have confidentiality clauses with service providers with whom you are sharing customer NPI under the joint marketing/service provider exception to the opt out requirement. This contract clause is to restrict/limit the service provider's use of the information and require them to maintain confidentiality.

The second one relates to the contractual provision you are required by the Information Security Guidelines to have with all service providers who have access to customer NPI. That contractual provision must bind the service provider to implement and maintain an information security program designed to achieve the objectives of the guidelines.

#20744 - 06/13/02 07:58 PM Re: Third Party Service Provider Contracts
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Concerning the first one, FDIC, would an addendum be sufficient?

Concerning the second one, OCC, does it mean that all new contracts must be prepared by July 1, 2003 to include the clause?

And concerning both, does it mean that only service providers that have access to customer info are affected? Does it also cover cleaning people for example? What about appraisers and credit bureau since they fall into the exception to perform, do their contracts need this clause?

Thanks so much for your help.

#20745 - 06/13/02 09:16 PM Re: Third Party Service Provider Contracts
Anonymous
Unregistered

I should make it clear that each of the bank regulatory agencies has a virtually identical requirement to the two described in this post.

Yes, an addendum would be sufficient (in either case - the confidentiality requirement under the privacy rule and the info security program requirement under the InfoSec guidelines).

All service providers that have access to customer NPI in order to provide a service to your institution are affected by the information security program requirement.

Contracts entered into before 3/5/01 are given until 7/1/2003 to be brought into compliance with the information security requirement. Those entered into after that date must be compliant from inception.

Don't confuse the various exceptions:

1. there's the privacy rule exception that says you can share customer NPI with a nonaffiliated third party and not have to provide an opt out to your customer so long as the sharing falls within subpart .13, .14, or .15. If it falls under .13, however, you must disclose the sharing to your customer, must have a written joint marketing agreement (if you're using the joint marketer exception), and must (whether using the .13 service provider exception or joint marketer exception) have the contractual confidentiality clause.
2. there is no exception to the information security guidelines requirement that you have a contractual provision that requires the service provider to implement and maintain an infosec program designed to achieve the guidelines. If the entity meets the definition of "service provider" under those guidelines, you have to get the contractual agreement.

#20746 - 06/13/02 09:53 PM Re: Third Party Service Provider Contracts
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Thank you so much for clarifying it. I need to explain it to our attorney (for contract review) so I wanted to make sure I understood it.

Opinions and requests are mine, not my employer's.
