Most, if not all posters, probably already know these "facts" relating to the Pricacy Act, but I'm sharing them just in case at least one poster does not know.

Our completed FDIC exam brought up two issues:

The Privacy Statement needs to include words to the effect that "We do not share information about former customers, except as permitted by law."

If a current customer applies for a loan (or another deposit account), identification must be secured from that customer (or current ID compared to the ID that was submitted when the first account was opened) and the OFAC list needs to be reviewed with a copy of the ID and a screen shot from the OFAC source placed in the file.

There is good news: Compliance exams (FDIC) are now every two years, CRA every 5 years (small bank environment)!

Our FDIC exam (big bank) was 6 months ago and this didn't come up. But we will address it before they come back. As a side thought, did the examiners want you to provide the former customer with the privacy notice that you wouldn't share their info ? Seems like more useless interpretations on impossible regulations.

I just asked (they are just leaving) and no notice is required to ex-customers. The cited section is 332.6 (a) (4).

By the way, we also passed to prior Privacy Act exam, but that doesn't mean a thing, as you know.

Does anybody ever really "pass" an exam? I think it's more like, "You made it this time, pal, but we'll be back soon."

You are correct , of course, although it's such a different experience now versus, say ten years ago. The FDIC Examiners are actually understanding and helpful, versus the opposite of that in the past. As long as you convey interest and effort, they are now "from the government and here to help you." Now that is a really big change!

Ipso, I only wish I could say the same thing about the FDIC. Our experience with our FDIC GLBA 501(b) exam was less than "we're here to help."

In reply to:

---

and the OFAC list needs to be reviewed with a copy of the ID and a screen shot from the OFAC source placed in the file.

---

That sounds like an examiner making up policy as he/she goes along. There is NOTHING in the OFAC regulation that requires that. The CIP rules have not yet been finalized, so where does the examiner cite the authority that requires such extreme paperization of the file?

You check the OFAC list, if the name doesn't match, you move on. If the examiner doubts it, you can check the OFAC list while they are there and see there is still no match. Why in G-d's name do you need a shot of an blank OFAC screen?????? Talk about your repeated redundancies....

As a relatively new Privacy Officer, I just can't wait for my first Privacy Exam!!!

I concur with Bonnie - based on what are they requiring you to maintain this type of documentation. Sounds like they are making things up!

Bonnie, I wonder how our exam will go. We started using new account review forms, and we have a box to check to say we ran the name against the OFAC list. Many times, the personal banker will make a notation next to the box, like OK or No Match Found. We haven't been copying the screen, but we figured the check in the box reminds our people to do it and idicates that they did it.

At several banks I have worked at over the years - one being a major bank in NYC that had the clout to fight back - the OCC required a screen print of the negative OFAC report, unless the OFAC screening was fully automated and you could demonstrate that each and every account was covered and show the reports rec'd when a potential hit arose. For manual checks, they wanted the screen prints. Perhaps a checklist that is initialed will suffice. But they want evidence of the check (or a system).

I don't think that only the big banks should fight back on this one. There is no regulatory retention requirement for proof of compliance. Therefor, I believe it would fall under all the other regulatory requirements that only require proof through adequate procedures - i.e., delivery of early ARM disclosures for example. I don't think any bank should stand still for examiners making up documentation rules as they go along. Unless they found that you had a hit show up during your periodic existing account scrub that should have been caught at account opening, I think you can use that to show that your current procedures are affective.