BOL Conferences
#53475 - 01/10/03 04:14 PM URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
HURRY! HELP! EXAMINERS ON SITE! We've developed our notice, which is our privacy policy notice. The board has adopted this notice as our policy. Examiner says it is not our policy, just a notice. Can anyone provide any defense?
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

General Discussion
#53476 - 01/10/03 04:40 PM Re: URGENT - Privacy Notice VS Privacy Policy
Jack Holzknecht Offline

Gold Star
Joined: Aug 2001
Posts: 330
Louisville, KY
tressa,
The message of your notice and the message of your policy should be consistent but shouldn't necessarily be the same. The agencies required, and to a large extent dictated, the content of the notice. You should have a policy (and procedures) for each compliance topic. The policy should indicate the board's intention to comply with the requirements of the law and/or regulation, the person responsible for compliance, the audit and training requirements, etc.

If the examiner presses the issue, they can criticize your policy, but cannot cite you for the failure to develop a policy, because you do have one.

#53477 - 01/10/03 04:43 PM Re: URGENT - Privacy Notice VS Privacy Policy
SkyDiver Offline
Gold Star
SkyDiver
Joined: Jul 2002
Posts: 274
Northeast
You can re-emphasize that the Board considers it the bank's policy and then be prepared for suggestions from the examiner on how to expand the notice (policy) into an examiner acceptable policy format/framework/scope.

#53478 - 01/10/03 04:48 PM Re: URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
Thanks for the advice. These are safety and soundness examiners and I'm used to dealing with compliance examiners.
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

#53479 - 01/10/03 05:18 PM Re: URGENT - Privacy Notice VS Privacy Policy
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
tressaj-
I'm curious to find out how your exam goes in regards to Privacy. Our examiners arrived on Wednesday (S/S) and I know that prior to their arrival there was much communication going on regarding Privacy. Are your regulators FDIC?

#53480 - 01/10/03 05:26 PM Re: URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
We had a combo of FDIC and state. FDIC was interested in "security standards for customer information - FIL22-2001". I realize there is a tie-in to privacy, but the examiner admits this is not his area of expertise, and I think he's pulling more Reg P in than necessary. I feel sure we'll be criticized as far as FIL-22-2001 is concerned. We do have several different IT policies that probably cover a good deal of the requirements, but I don't know if that will get us very far. This particular FIL is one that I've forwarded over and over to IT manager with no response. I guess we'll pay the price!
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

#53481 - 01/10/03 05:30 PM Re: URGENT - Privacy Notice VS Privacy Policy
Tina A Sweet Offline
Diamond Poster
Tina A Sweet
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
In our exam (OCC) we were criticized for not placing the physical (storing reports, shredding) privacy portion together with the IT plan.
_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

#53482 - 01/10/03 05:39 PM Re: URGENT - Privacy Notice VS Privacy Policy
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
tressaj - If these are Safety and Soundness, is it a Privacy Policy they want to see, or an Information Security Policy?

Many banks that thought they had complied with the requirements of Gramm-Leach-Bliley had a rude awakening to find they did not address the Information Security component which DOES require a written policy and program that must be approved by the Board.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

#53483 - 01/10/03 05:45 PM Re: URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
He started out with info security policy and has wandered over to Privacy. He admits this is not his Info security not his "area". I think we honestly deserve some criticism, but I don't like the idea of mixing the two issues. I'm usually pretty vocal with consumer examiners, but I'm also out of my element here so I don't have a lot of ammunition. Conveniently our IT manager is off on Fridays.
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

#53484 - 01/10/03 05:45 PM Re: URGENT - Privacy Notice VS Privacy Policy
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
tressaj-
Thanks, FDIC is here, and prior to their arrival there seemed to be a lot of telephone conversation regarding Appendix B to Part 364 - Interagency Guidelines Establishing Standards for Safeguarding Customer Information. I, unfortunately, was not the one directly doing the communicating. I'm sure that had I been directly involved it wouldn't have become as much of an issue. Fortunately I was able to come up with all the written documentation dating back to 2000, to present to show we've taken all the required steps. Now it's just "wait & see".
If something else comes up of interest, would you mind sharing?
Thanks.

#53485 - 01/10/03 06:00 PM Re: URGENT - Privacy Notice VS Privacy Policy
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
If the examiner is looking into an area that is not his "jurisdiction", then he can make all the verbal suggestions he wants, but I do not think they should go into the written report. You may want to talk to the Examiner-in-Charge if that person is different than the examiner who is questioning the policy.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

#53486 - 01/10/03 06:03 PM Re: URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
He is the EIC. It's Friday noon here, so they've probably left for the day. They already had mgmt meeting yesterday before he even addressed this issue, so I'm hopeful it won't affect our rating. I thought it was odd that he'd cover after mgmt meeting.
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

#53487 - 01/10/03 06:06 PM Re: URGENT - Privacy Notice VS Privacy Policy
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
Perhaps he's just doing you a favor? If you are expecting Compliance anytime in the next few months, then you probably would want to consider formalizing a Privacy Policy. Our Privacy Policy covers not only our actual privacy practice (with respect to sharing/opt-out/etc.) but also covers when a Privacy Notice will be given to a customer, and when the annual privacy notice will be mailed.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

#53488 - 01/10/03 06:10 PM Re: URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
We had compliance exam in March 2002. No problems, but maybe they just didn't catch it. We'll have something in place prior to next exam (I hope!)
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

#53489 - 01/10/03 06:59 PM Re: URGENT - Privacy Notice VS Privacy Policy
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Under section .6(a)(8) your privacy notice is required to state your "policies and practices with respect to protecting the confidentiality and security of nonpublic personal information". The sample clause in the regulation states "We maintain physical, electronic and procedural safeguards that comply with federal standards to guard your nonpublic personal information." So if your Information Security Program is not sufficient, it could be that your privacy notice is not accurate in that respect. Is that the argument the examiner is making?

#53490 - 01/10/03 07:30 PM Re: URGENT - Privacy Notice VS Privacy Policy
Anonymous
Unregistered

My bank is also in the process of a Safety and Soundness exam and they have spent an enormous amount of time focusing on Privacy and Info. Security. They wanted to see EVERY single piece of paper that was used to create our Info. Security Policy. What a mess. We have a privacy policy and info. security policy in place, but they wouldn't even read them until they saw the documentation used to create them...we honestly couldn't provide them with much!! I wish they would leave.

#53491 - 01/10/03 09:20 PM Re: URGENT - Privacy Notice VS Privacy Policy
OnTheEdge Offline
Diamond Poster
Joined: Apr 2002
Posts: 1,677
SmallTown, USA
I don't think so. Although that's a good point. He's gone for the day and didn't mention anything else to me about it. Sadly, I agree with him that we've missed the mark on establishing standards for customer information requirements. He's gone and hopefully, because he didn't even look at this until after the exit with mgmt, it won't be too harsh. I'm certainly going to do my best to prod this along and get it covered before the next exam.
_________________________
The opinions expressed are mine and do not necessarily reflect those of my employer.

#53492 - 01/10/03 09:31 PM Re: URGENT - Privacy Notice VS Privacy Policy
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Bonnie M-
Have you been through a recent S/S Exam where GLBA was reviewed? We have a Privacy Policy, and Information Security Policy - do you suppose the two should cross-reference each other?

#53493 - 01/10/03 10:03 PM Re: URGENT - Privacy Notice VS Privacy Policy
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
Cheryle - They will be here next month. Actually, we have a combined Privacy and Information Security Policy/Program. It passed muster last year, so we shall see.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

#53494 - 01/11/03 12:28 AM Re: URGENT - Privacy Notice VS Privacy Policy
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Bonnie M -
Good Luck - at least you have more than the two week notice we received. We will see how ours goes, the team is very pleasant to work with (so far...)
