We have an bank employee that sells nondeposit investment products. I suppose that he would be considered an agent for a non-affiliate company, ICAA. Is it ok for him to use a bank report of maturing Certificate of Deposits to market our customers for nondeposit investment products?

Our Privacy Policy has the following for sharing infor.:
For our everyday business purposes Yes
For our marketing purposes Yes
For joint marketing with other financial co. Yes
For our affiliates' everyday business purposes No Don't share
For our affiliates to market you No Don't share
For non-affiliates to market you No Don't share

Sounds like if the other business is an affiliate or not, you're clearly saying you won't be sharing.

When he's marketing products that aren't yours to your customers, he's acting for a non-affiliate business.

That would be me opinion based on how I'm reading it. Seems like there are multiple potential concerns here for privacy and information security.

We have this on Joint Marketing. Doesn't that make a difference?

A formal agreement between nonaffiliated financial companies that
together market financial products or services to you.
• Our joint marketing partners may include other banks, insurance companies, and investment and securities companies.

So you are saying that you have a written joint marketing agreement with this company and includes the required restrictions on use of your customer's information to only marketing jointly sponsored products?

Yes

Reviving an old thread to seek some clarification from conflicting information.

We have dual employees who work for the bank and a third party non-affiliate investment/insurance company. Our privacy statement says:

For our everyday business purposes - Yes (we share) - No (you can't limit sharing)
For our marketing purposes - Yes (we share) - No (you can't limit sharing)
For joint marketing with other financial companies - Yes (we share) - No (you can't limit sharing)
For our affiliates’ everyday business purposes – No - We do not share
For our affiliates’ everyday business purposes - No - We do not share
For nonaffiliates to market to you - No - We do not share

Is it permissible for the bank to share a list of customers with the dual employees so they can contact the customers for investment opportunities (maturing CDs, non-merchant capture businesses, etc)?

If we have a joint marketing agreement with the firm, does our privacy policy appear to be correct? If we don't have a joint marketing agreement with the firm, do we need to change our non-affiliate sharing to "yes" (we share) and provide an opt out - or stop sharing the information?

Depends on the products the non-affiliate is selling. Are they really marketed as a joint product/service and is there a formal agreement in place.

J.4. I am a bank. I have a financial advisory center on my premises that is operated by people employed both by me and by an insurance company. The shared employees do not sell bank products. They sell insurance products and services offered by the insurance company pursuant to a third-party arrangement. We provide the employees with information about our customers so that they may solicit our customers on behalf of the insurance company. Do we have to provide our customers with an opportunity to opt out of these disclosures?

You must provide a reasonable opportunity for your customers to opt out of any disclosure of their nonpublic personal information to a nonaffiliated third party unless one of the exceptions applies. Although a dual employee himself or herself is not a “nonaffiliated third party,” providing customer information to a dual employee for purposes of marketing the insurance company’s products and services to your customers is deemed to be providing the information directly to the insurance company. Because the insurance company is a nonaffiliated third party, you must provide your customers a reasonable opportunity to optout of disclosure of their nonpublic personal information prior to disclosing such information to the dual employees unless the disclosure is covered by an exception.

The exception at § 216.13 specifically permits you to disclose nonpublic personal information about your customer to the nonaffiliated insurance company without providing the customer an opportunity to opt out if three requirements are met:

• The insurance company must market financial products or services offered under a joint agreement between you and the insurance company. The joint agreement must be a written agreement under which you and the insurance company “jointly offer, endorse, or sponsor” a financial product or service. Simply agreeing to share customer information with the insurance company would not satisfy this contractual requirement. Rather, your agreement with the insurance company must provide for the joint offering, endorsement, or sponsorship of the financial product or service. For example, a third party agreement that provides the insurance company will use your name in its marketing materials or offer insurance products and services on your premises would
demonstrate that you are jointly offering, endorsing, or sponsoring the products or services with the insurance company;

• You must have provided your customers with an initial privacy notice, including a separate statement describing your joint marketing that satisfies § 216.6(a)(5); and

• You must have a written contract that restricts the insurance company from disclosing or using your customer’s nonpublic personal information for any purpose other than to offer insurance products and services to those customers.

In addition to the foregoing requirements, the prohibition against disclosing a consumer’s account number for use in telemarketing, direct mail marketing, or other marketing through electronic mail, as set forth in § 216.12, applies to your arrangement with the insurance company.

Randy, thanks for providing the info. We are looking into the contract with the third party to see if those conditions are met. Just wanted some clarification, which you have provided.

So, if we have the arrangement Randy describes above and meet all three exceptions, should our privacy notice state "Yes" under "For joint marketing with other financial companies" or instead "Yes" under "For nonaffiliates to market to you"?