Thread Options
#29697 - 08/27/02 06:47 PM Privacy Act audit
rexinaudit Offline
Gold Star
Joined: Dec 2001
Posts: 292
New England
Has anyone found that their bank's annual Privacy Act mailing was not sent to all customers?

In our bank's recent mass mailing of the annual Privacy Notices, the customer relationship management software was used to produce one mailing address per "household". This caused a problem in that we have some households [persons with same mailing address] with multiple adults who have separate accounts. Only one Privacy Notice was mailed to just one of the persons in these households. We discovered this during the Privacy Audit.

What is the proper corrective action? Should we send more Privacy Notices to account holders missed in the first mailing?

Or, should we merely correct the procedures to be used next year to prevent a repeat problem?
My opinions are not legal advice, not my employer's, and may change anytime.

Return to Top
#29698 - 08/27/02 08:43 PM Re: Privacy Act audit

In my opinion, you still have the "twelve consecutive month" period to mail your privacy policy for 2002, so you still have time in which to do so. If it easily ascertained who was missed in the mailing, I would correct it this year. As my experience as an auditor and compliance officer, you don't want technical violations in your workpapers where the examiners can see that you were made aware of the problem and did not fix it. (especially since you still have the time). And then of course, next year you would be able to adjust your automated system accordingly.

Return to Top
#29699 - 08/28/02 05:27 PM Re: Privacy Act audit
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
I have not had your situation happen to me since I request report copies of the customer mailing list used which is to be pulled by name not address. I would think your bank was very pleased that you found it especially in the year that it occurred. If it were me, I would send out the notices asap to all that did not originally receive it and keep excellant documentation to reflect the correction. I would also have documented procedures to reflect that it would not happen again. I would think that an examiner would be less "hard" if they saw it corrected and procedures to keep it from happening again. And I am sure your bank is not the first, and won't be the last to accidently make the mistake.

Opinions are mine not my employer.

Return to Top
#29700 - 09/05/02 03:53 PM Re: Privacy Act audit
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
I agree with Anonymous above. There is no requirement that your annual privacy notices be sent out all at once. You only have to send one out in each 12 consecutive month period. Depending on what 12 month period your institution selected you may still be in the allowable time frame for this year's notices.

Return to Top

Moderator:  Andy_Z