New to posting here so please point me in the right direction if I have selected the wrong forum.

I am researching what impact the European Union General Data Protection Regulation (GDPR) may have on my organization. We are a credit union that is localized to one state (Virginia) and we have a very small number of members who happen to reside in Europe. The regulation appears to apply to any organization that monitors online behavior of EU residents (not citizens) so I’m examining what changes would be required to comply. I’ve found some good resources about the rule but have not seen much discussion directed at US institutions with an incidental European presence.

Has anyone at a similarly situated institution looked into this issue at all? Any insight? Thanks!

I'm also questioning if GDPR is a relevant risk for US-based community banks with a few European customers. Any recent guidance or insights?

This American Banker article suggests we should be making changes: https://www.americanbanker.com/news/eus-new-data-privacy-law-creates-headaches-for-us-banks

After researching the requirements, including the involvement of IT Security, we have chosen not to comply with the requirements of GDPR at this time. Unless the Agencies produce persuasive guidance on why we should comply, I do not think that my institution will change it mind between now an May 2018.

Reg Warrior,

Can you expand on your decision? Did you make this decision because you DON'T have customers that reside in the EU? If you do have customers that reside in the EU, are you simply choosing to ignore the regulation?

According to this article, The GDPR extends its coverage to persons and organizations that are based outside of the EU, but process data related to EU residents either for the purpose of providing services, goods, or monitoring behavior within the EU, regardless of whether the bank has an establishment within EU.”

https://www.linkedin.com/pulse/how-does-general-data-protection-regulation-impact-us-heba-tawadross/

Has anyone else conducted extensive research on this? The law firm that we usually do business with has advised us that their license does not permit them to render legal advice on foreign laws.

If it were my decision, we would comply with GDPR. I provided all the information and articles to IT and executive management. It was their decision not to comply. A query of our system indicates that we have less than 20 individuals that live in countries that will be governed by the GDPR.

Very interesting conversation. "Liability" under the acronym and its enforcement seems incredibly conjectural.

On its face, this seems to be just another reason not to bank non U.S. persons unless they are a significant piece of your business.

As the compliance date for GDPR approaches, I'm wondering if anyone has anything else to add? We've researched and asked questions, but really haven't come up with anything concrete. Our regulator says they will not examine for compliance with foreign laws and regulations, and they have no advice for us.

We've heard that if a U.S. customer goes to Europe on vacation and uses their debit card, GDPR now applies. Is that really true?!?

We are a small community bank with a handful of European customers. They are not a significant piece of our business, so the best way to comply would be to close them out, IMO.

Mel, that is one of the ways the GDPR is being interpreted.

We have les than 50 members that live in Europe, and I have same the same thought process Mel. We decided to pull a month of ACH (debit, credit, IAT) transactions and found only .0030% were from IAT. Not enough transactions for the GDPR headache.

We are trying to create a statement to be added our policies that lists the reasons why we do not need to comply with GDPR. Some include that we do not market in the EU, we do not use the Euro or other European currency in our daily transactions, and our bylaws dictate our membership area.

Good luck.

I believe more in avoidance than compliance, but ACFE has gathered some resources.

We have less than 40 and I would advocate closing them out before having to deal with this. I'm sure I would have no problem getting buy in as no one would want to layer on complying with another onerous regulation for the number of accounts we have with the balances they carry.

There is a lot of hype regarding this right now. But we have been told by two very large audit firms that the rule does not apply to us as we do no market in the EU.

Rather than start a new thread, I think this is the best place to ask. We've encountered a new question/issue to resolve.

In the list of 28 countries under GDPR, some (Italy, for example) consider any person born in their country to be a natural born citizen. Let's say someone born in Italy moves to the US fairly early in life, then spends the rest of their life here. Do they have dual citizenship? Is it possible they are somehow covered by the GDPR? I'd think not until they returned to live in Italy, but there's so much grey area in this regulation.

The institution at which this person has loans & accounts is a US citizen and has never returned to Italy, not even for vacation. We don't want to close their accounts. The institution also decided in 2018 not to bank any EU subjects, and closed a couple accounts for customers that were residing in EU countries, to avoid having to follow the GDPR. Has anyone else encountered a similar scenario?