I had a friend ask me to post this question and see what peoples thoughts are on the issue.
He works for an OTS regulated entity and recently had an internal privacy audit. The auditor cited the entity for not obtaining written contracts or signed NPI protection agreements with appraisal companies and title/settlement companies with whom they share NPI about mortgage loan transactions.
In the case of appraisals, the only information being shared is the applicants name while in the case of title/settlement companies nearly all of the applicant’s information is being shared.
It is my belief that the sharing of the NPI falls under the exception to notice and opt out requirements of 12 CFR 573.14 (below) as it is necessary to effect (for appraisals) and effect and enforce (for title/settlement services) the transaction that was initiated at the customers’ request.
Thoughts? Even if the exception is in place is there still a need to obtain an agreement or provide a privacy notice?
========================================================
12 CFR § 573.14 Exceptions to notice and opt out requirements for processing and servicing transactions.
(a) Exceptions for processing transactions at consumer's request. The requirements for initial notice in §573.4(a)(2), for the opt out in §§573.7 and 573.10, and for service providers and joint marketing in §573.13 do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
(1) Servicing or processing a financial product or service that a consumer requests or authorizes;
………
(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:
(1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) Required, or is a usual, appropriate or acceptable method:
(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;
………..