The Gramm-Leach-Bliley Act enacted new privacy-related provisions applicable to banks and their subsidiaries, as well as a wide range of other businesses engaged in financial and financially related activities. This Act limits the instances in which a bank may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a bank (and subsidiary) to disclose its privacy policies and practices to all of its customers concerning the sharing of information with both affiliates and nonaffiliated third parties.
The Board of Directors acknowledges its customers’ expectations that their financial and personal information is private. It is the Bank’s policy not to disclose such information unless disclosure is:
- Required by law
- Specifically allowed by law, or
- Requested by the customer, directly or indirectly
At a minimum, the following steps will be taken:
- Conduct an inventory of information collection and disclosure practices;
- Evaluate agreements with third parties that involve the disclosure of consumer information;
- Establish mechanisms to handle opt-out elections by consumers (where / if appropriate);
- Develop or revise any existing privacy policies to reflect the new regulatory requirements;
- Determine how to deliver privacy notices to consumers;
- Conduct employee training and establish a privacy compliance program; and
- Set target dates for all features of the implementation program.
This Law/Regulation applies only to non-public personal information regarding individuals who obtain financial products or services primarily for personal, family, or household purposes. This Law/Regulation does not apply to information on companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes.
Principal Privacy Requirements
The three principal requirements relating to the privacy of consumer financial information in the Gramm-Leach-Bliley Act (GLBA) are:
- The bank must provide its customers with Notices describing its privacy policies and practices, including policies related to the disclosure of nonpublic personal information to any affiliate and to any nonaffiliated third parties. These Notices must be provided at the time the customer relationship is established and annually thereafter;
- Subject to exceptions, banks may not disclose nonpublic personal information about consumers to any nonaffiliated third party unless consumers are given a reasonable opportunity to direct that such information not be shared (to opt out); and
- Banks generally may not disclose a customer account number to any nonaffiliated third party for marketing purposes.
Definitions Applicable To the Privacy Law/Regulation
It is important to understand the defining terminology used throughout the Privacy Law/Regulation. Key terms include:
- Affiliate: Any company that controls, is controlled by, or is under common control with another company.
- Clear and Conspicuous: Means that a Notice is reasonably understandable and is designed to call attention to the nature and significance of the information in the Notice. If a Notice is provided on a web page, the Notice must be designed to call attention to the nature and significance of the information in its text or by visual cues to encourage scrolling down if necessary to view the entire Notice and ensure that other elements on the site do not distract attention from the Notice.
- Collect: To obtain information that the bank organizes or can retrieve by the name of an individual or by an identifying number, symbol, or other identifying particular assigned to the individual.
- Consumer: An individual who obtains or has obtained a financial product or service from the bank that is to be used primarily for personal, family, or household purposes (or that individual’s personal representative). Examples of a consumer include: (1) An individual who applies for credit, regardless of whether the credit is approved; (2) An individual who provides nonpublic personal information in order to obtain a determination about whether he or she may qualify for a loan, regardless of whether the loan is extended; (3) An individual who provides nonpublic personal information in connection with obtaining financial, investment, or economic advisory services (regardless of whether a continuing relationship is established); and (4) An individual for whom the bank holds ownership or servicing rights to a loan, even if these rights are held in conjunction with another institution.
- Control of a Company: Means ownership, control, or power to vote 25 percent or more of the outstanding shares of the company; control in any manner over the election of a majority of directors, trustees, or general partners of the company; or the power to exercise a controlling influence over the management of a company.
- Customer: A consumer who has a customer relationship with the bank.
- Customer Relationship: A continuing relationship between a consumer and the bank under which the bank provides one or more financial products or services to the consumer. A consumer has a Continuing Relationship with the bank if the consumer (1) Has a deposit or investment account; (2) Obtains a loan from the bank; (3) Has a loan for which the bank owns the servicing rights; (4) Purchases an insurance product; (5) Holds an investment product through the bank (e.g., an IRA, or the bank acting as Custodian for Securities or Assets); (6) Enters into an agreement or understanding whereby the bank undertakes to arrange or broker a home mortgage loan; (7) Enters into a lease of personal property with the bank; or (8) Obtains financial, investment, or economic advisory services from the bank for a fee. It is important to understand, however, that no Customer Relationship exists if: (1) The consumer obtains a financial product or service only in isolated transactions (e.g., using the bank’s ATM to withdraw cash from an account at another bank, purchasing a Cashier’s Check or money order, etc.); (2) The bank sells the consumer’s loan and does not retain the servicing rights; or (3) The bank sells the consumer airline tickets, travel insurance, or traveler’s checks in isolated transactions.
- Financial Product or Service: Any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity. A Financial Service includes a bank’s evaluation or brokerage of information that the bank collects in connection with a request or an application for a financial product or service.
- Non-Affiliated Third Party: Any person except: (1) A bank’s affiliate; (2) A person employed jointly by the bank and any company that is not the bank’s affiliate; and (3) Any company that is an affiliate solely by virtue of the bank’s (or bank’s affiliate) direct or indirect ownership or control of the company in conducting merchant banking activities, investment banking activities, or insurance company activities.
- Non-Public Personal Information: Personally identifiable financial information, and any list, description, or other grouping of consumers that is derived using any personally identifiable financial information that is not publicly available. Non-Public Personal Information includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available (e.g., account numbers). Non-Public Personal Information does not include publicly available information or any list, description, or other grouping of consumers that is derived without using any personally identifiable financial information. Non-Public Personal Information also does not include any list of individuals’ names and addresses that contains only publicly available information, is not derived using personally identifiable financial information, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of the bank.
- Personally Identifiable Financial Information: Any information (1) A consumer provides to the bank to obtain a financial product or service; (2) About a consumer resulting from any transaction involving a financial product or service between the bank and a consumer; and (3) The bank otherwise obtains about a consumer in connection with providing a financial product or service to the consumer. Personally Identifiable Financial Information includes: (1) Information a consumer provides to the bank on an application for credit or other financial product or service; (2) Account balance information, payment history, overdraft history, and credit or debit card purchase information; (3) The fact that an individual is or has been one of the bank’s customers or has obtained a financial product or service from the bank; (4) Any information about the bank’s customer if it is disclosed in a manner that indicates that the individual is or has been the bank’s customer; (5) Any information that a consumer provided to the bank (or the bank’s agent) or that the bank obtains in connection with the collection or servicing of a loan; (6) Any information the bank collects through an Internet “cookie” (an information-collecting device set by a web server); and (7) Information from a consumer report.
Personally Identifiable Financial Information does not include: (1) A list of names and addresses of customers of an entity that is not a financial institution; and (2) Information that does not identify a consumer (e.g., aggregate information or blind data that does not contain personal information such as account numbers, names, or addresses).
- Publicly Available Information: Any information that the bank has a reasonable basis to believe is lawfully available to the general public from Federal, State, or Local government records, widely distributed media, or disclosures to the general public that are required to be made by Federal, State or Local Law. Publicly available information in government records includes information in government real estate records and security interest filings. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet Service Provider or a Site Operator requires a fee or a password, so long as access is available to the general public.
- Reasonable Basis: The bank has a Reasonable Basis to believe that information is lawfully made available to the general public when the bank has taken steps to determine (1) That the information is of the type that is available to the general public; and (2) Whether an individual can direct that the information not be made available to the general public and, if so, that the consumer has not done so. We have a reasonable basis to believe that mortgage information is lawfully made available to the general public when information of this type is included on the public records in the jurisdiction. We have a reasonable basis to believe that an individual’s telephone number is available to the general public when we have located a telephone number in the telephone book or the consumer has informed us that the telephone number is not unlisted.
Initial Privacy Notice – Timing Requirements
We will provide a clear and conspicuous Privacy Notice Disclosure to a customer at the time a customer relationship is established. A customer relationship is established when the bank and the consumer enter into a continuing relationship, such as loan origination or at account opening. When an existing customer obtains a new financial product or service, we need not provide a subsequent Privacy Notice Disclosure if the most recent Notice to that customer was accurate with respect to the new financial product or service.
A Privacy Notice Disclosure will be provided to any consumer before we disclose any nonpublic personal information about that consumer to any nonaffiliated third party.
Annual Privacy Notice – Timing Requirements
We will provide a clear and conspicuous Annual Privacy Notice to all customers no less than annually during the continuation of the customer relationship. Annually means that the Notice will be provided at least once in any period of 12 consecutive months. We may define the 12-month period as a calendar year, and will issue the Annual Notice on or before December 31st of each calendar year. We are not required to provide an Annual Notice to former customers or to any consumer with whom no customer relationship exists. A former customer is a customer whose loan is paid in full, whose loan is charged off, or whose deposit account is inactive and/or closed.
The bank has chosen to use the alternative method of delivery for Annual Privacy Notices by posting the notice on our website. This method is only to be used during the period of time in which the bank meets the following conditions:
- the bank does not disclose nonpublic personal information to nonaffiliated third parties other than as allowed under the current exceptions;
- the bank does not include in the annual privacy notice an opt-out for affiliate sharing of nonpublic personal information;
- the requirements for sharing nonpublic personal information for affiliate marketing purposes have already been satisfied or the annual privacy notice is not the only notice provided to satisfy such requirements;
- the information included in the privacy notice has not changed since the customer received the previous notice; and
- the bank uses the model form provided in Regulation P as its annual privacy notice.
The bank will also continuously post the annual privacy notice in a clear and conspicuous manner on its website, in a location that does not require a login, agreement, or other condition to access the notice. The website must also state that the consumer privacy notice has not changed and include a telephone number the customer can call to request that the notice be mailed to them. If the customer requests a copy by telephone, the bank must mail the notice within 10 days of the request. At least once per year, the bank must also make the customer aware that this notice is available. This is to be accomplished by inserting a clear and conspicuous statement on a periodic statement, loan statement, and/or any other notice or disclosure the bank provides under any provision of law. The statement must inform customers that the annual privacy notice is available on the bank’s website and that the bank will mail the notice to customers who request it by calling a specific telephone number.
If the bank changes its privacy practices, or shares information in a manner that requires the bank to give customers the right to opt out, the bank will no longer be allowed to use this alternative delivery method.
Information to be Included in Privacy Notices
The Initial and Annual Privacy Notices will include the following:
- The categories of nonpublic personal information that we collect;
- The categories of nonpublic personal information that we disclose;
- The categories of affiliates and nonaffiliated third parties to whom we disclose nonpublic personal information (see Exceptions, which need not be disclosed);
- The categories of nonpublic personal information about our former customers that we disclose;
- The categories of nonpublic personal information about our former customers that we disclose to affiliates and nonaffiliated third parties (see Exceptions, which need not be disclosed);
- A separate statement of the categories of nonpublic personal information that we disclose to a nonaffiliated third party (categorized) to perform services for the bank or functions on the bank’s behalf (this disclosure applies when the only applicable Exception is that of marketing products or joint marketing services);
- An explanation of the consumer’s right to Opt-Out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method by which the consumer may exercise that right;
- Any disclosure that we make under the Fair Credit Reporting Act (the Notice regarding the ability to Opt-Out of the disclosure of information among affiliates);
- Our policies and practices concerning protecting the confidentiality and security of nonpublic personal information; and
- A statement that we disclose information to other nonaffiliated third parties only as permitted by law.
In the event we do not disclose nonpublic personal information about customers or former customers (other than as permitted under an allowable Exception), and we do not wish to reserve the right to disclose nonpublic personal information to affiliates or nonaffiliated third parties, we may provide a simplified Initial and Annual Notice. This abbreviated Notice will contain:
- A statement that nonpublic personal information is not disclosed to affiliates or nonaffiliated third parties unless that information is necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or for servicing, processing, or maintaining an account that the consumer requests or authorizes;
- The categories of nonpublic personal information that we collect;
- Our policies and procedures with respect to protecting the confidentiality and security of nonpublic personal information; and
- A statement that we disclose information to other nonaffiliated third parties only as permitted by law.
Limits on Disclosure of Non-Public Personal Information to Nonaffiliated Third Parties
Unless an Exception applies, we will not directly (or through any affiliate) disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:
- We have provided the consumer an Initial Notice;
- We have given the consumer a reasonable opportunity to Opt-Out of disclosure (before the information is disclosed); and
- The consumer does not Opt-Out.
An Opt-Out Notice must be provided to all consumers whether or not there is a continuing relationship, and may be provided in person, by mail, or electronically (if the consumer agrees to accept notice electronically). The consumer must be given 30 days to opt out, counted from the date the consumer acknowledges receipt of the Notice, from the time the Notice is delivered electronically, or from the time the written Notice is mailed.
Limits on Sharing Account Number Information for Marketing Purposes
We will not disclose (directly or indirectly) an account number or similar form of access number or code for a consumer’s credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer except in the following instances:
- We may provide account number/code information to a Consumer Reporting Agency;
- We may provide such information to our agent or service provider in order that such persons may perform marketing of our products and services (as long as the service provider is not authorized to directly initiate charges to the account); and
- We may provide account number/code information in a private label credit card program, or similar program, where the participants in the program are identified to the customer when the customer enters into the program.
Notice and Opt-Out Requirements Exceptions for Processing and Servicing Transactions
The Initial Privacy Notice and Opt-Out Notice need not be provided to any consumer when we disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
- Servicing or processing a financial product or service that a consumer authorizes or requests;
- Maintaining or servicing the consumer’s account with us, or with another entity as part of a private label credit card program;
- A proposed or actual securitization, secondary market sale, or similar transaction related to a transaction of the consumer;
- Information that is released with the consent or at the direction of the consumer (provided the consumer has not revoked the consent or direction);
- Information provided to a company that performs marketing services for us, and information provided to other financial institutions for which Joint Marketing activities are performed (evidenced by a contractual agreement);
- To protect the confidentiality or security of our records pertaining to the consumer, service, product, or transaction;
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating us, persons that are assessing our compliance, and our attorneys, accountants, and auditors;
- Information to comply with Federal, State, or Local Laws, rules, and other applicable legal requirements; or
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit.
Risk Assessment and Management
The board directs management to take steps necessary to identify internal and external threats that could cause unauthorized disclosure, misuse, alteration, or destruction of customer information or customer records. A risk assessment will be reviewed and updated annually. This may be conducted in conjunction with other risk assessments for other functional areas of the bank.
General Instructions for Bank Employees
Bank employees will not access customer information unless this access is needed in the performance of assigned duties. Reliant Bank will collect, retain, and use information about our customers only when the bank believes it will help administer our business or provide products, services, and other opportunities to customers. Perusing customer deposit information or credit files to satisfy a personal curiosity is strictly prohibited. We must recognize, however, that in the course of performing bank duties, bank employees may acquire confidential information considered to be extremely sensitive by customers. This information must not be revealed to unauthorized persons. In addition, this information should not be discussed with others within the bank unless their duties also require the information.
Vendors, Contractors, and Nonaffiliated Third Parties
Due to the specialized expertise needed to design, implement, and service new technologies, the bank may need vendors to provide resources we are unable to provide on our own. The board and senior management will remain responsible for the performance and actions of these vendors while they perform work for the bank.
The bank may provide nonpublic personal information to vendors, contractors, or a nonaffiliated third party to perform services for, or functions on behalf of, the bank, including the marketing of the bank’s own products and services. Any decision regarding the sharing of customer information should reflect the type of relationship the bank seeks to maintain with its customers and its customers’ expectation of privacy. In such instances, the bank will insist that the third party adhere to similar privacy principles and will enter into an agreement with the contractor that requires the contractor to maintain the confidentiality of the customer information.
Management must determine the adequacy of the service provider’s system for safeguarding information based on the type of provider and the bank’s own independent standards. Depending on the service provider, management may wish to review audits, summaries of its security test results, or other internal or external evaluations of the bank’s service providers.
The vendor management program provides more detailed information on this subject.
Our Bank, in general, does not collect, store or use medical information. However, there are instances where medical information is relevant – applications for creditors’ life, disability, mortgage life insurance or when insurance is required on key individuals where the franchise value of a small business hinges on one or two people. In these instances, the prospective borrower will know what information is required, and can expressly consent to its being obtained and used.
We recognize that, when customers provide medical information for a specific purpose, they do not wish it to be used for other purposes, such as for marketing or in making a credit decision. If a customer provides personal medical information, we will not disclose the information, unless authorized by the customer.
Identity theft is a growing form of fraud that involves criminals obtaining personal information about an individual in order to take over a person’s account, apply for credit in another person’s name, or engage in other illegal activities. Because the financial services industry has a tradition of confidentiality and trust, our bank continues to position itself as our customers’ partner in privacy.
The Bank uses a combination of safeguards to protect customer information, such as employee training, rigorous security standards, strict codes of conduct, encryption and fraud detection. The Bank works with law enforcement officials to pursue individuals who fraudulently use information and is ready to help unfortunate identity theft victims restore their good name.
Reliant Bank continues to help protect customers against criminal use of their information, and to educate customers about how to protect themselves from it.
Our bank shares nonpublic, personal information about its customers with a credit bureau. Banks frequently share experience and transaction information with a credit bureau, and, in turn, credit bureaus make a business of sharing such information with banks. This permits the financial system to operate with a high degree of transparency, lowers the cost of credit, and ensures that individuals with good credit are not forced to subsidize those with bad credit.
We may share any customer information, including nonpublic personal information, with affiliates and subsidiaries that we control without providing customers the opportunity to opt out, except as otherwise required by law.
Because the GLBA and the FCRA contain the most extensive requirements governing the disclosure of consumer information by the bank, below is a discussion on the relationship between these laws:
Fair Credit Reporting Act
Principal FCRA Information Sharing Provisions
The FCRA sets standards for the collection, communication, and use of information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Communication of this information may be considered a “consumer report” subject to the FCRA’s requirements. The definition of consumer report contains a number of exceptions, including exceptions that permit the bank to:
- Share with any other party, information solely as to the bank’s transactions or experiences with a consumer; and
- Share with bank affiliates other types of information, such as information from a credit report or a consumer’s loan application, if it is clearly and conspicuously disclosed to the consumer that such information sharing may occur, and the consumer is given an opportunity to direct that the information not be shared, i.e., to “opt out.”
If the bank shares consumer report information among affiliates or with third parties, it may become a consumer reporting agency subject to the FCRA’s requirements applicable to those entities. These requirements relate to furnishing consumer reports only for permissible purposes, maintaining high standards for ensuring the accuracy of information in consumer reports, resolving customer disputes, and other matters.
The bank will not be subject to the FCRA’s substantial requirements, which apply to consumer reporting agencies, if the bank communicates only transaction or experience information to third parties or among its affiliates. The bank will not become a consumer reporting agency if it shares with its affiliates other information that would ordinarily be considered consumer report information, provided it does so in accordance with the consumer opt-out process noted above. The FCRA does impose a number of requirements on persons that use consumer reports or furnish information to consumer reporting agencies, and these provisions can apply to the bank and our subsidiaries. Several of these provisions protect the privacy of consumer information, including one that requires the bank to use or obtain consumer reports only for specific permissible purposes under the statute. Another provision requires that a bank soliciting consumers for offers of credit based on information in consumer reports (“prescreened offers”) provide a clear and conspicuous notice with each offer, informing consumers, among other things, how they can opt out of further solicitations.
Electronic Fund Transfer Act (EFTA)
The EFTA and the Federal Reserve Board’s Regulation E (12 C.F.R. Part 205) require that we make certain disclosures at the time a consumer contracts for an electronic fund transfer service, or before the first electronic fund transfer is made involving the consumer’s account. For example, the bank must disclose the circumstances under which, in the ordinary course of business, we may provide information concerning the consumer’s account to third parties, whether or not the third party is affiliated with the bank. This disclosure must encompass any information that may be provided concerning the account, not just information relating to the electronic fund transfers themselves. The EFTA and Regulation E requirements apply to demand deposit, savings deposit, and other consumer asset accounts.
Children’s Online Privacy Protection Act (COPPA)
COPPA and the Federal Trade Commission’s implementing regulations apply to a bank that operates commercial web sites or online services (or portions thereof) that are directed to children, or that operates web sites or online services that knowingly collect personal information from children under the age of 13.
COPPA and the FTC’s regulations establish a number of requirements applicable to operators of covered web sites and online services, including requirements that the operator must provide online notice about its information practices with respect to children. With limited exceptions, the operator also must obtain verifiable parental consent prior to any collection, use, or disclosure of personal information from children. The operator also must provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance. Operators also are prohibited from conditioning a child’s participation in a game, the offering of a prize, or any other activity upon the child’s disclosing more personal information than is reasonably necessary to participate in such activity. Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected. The bank does not specifically market to children or “entice” participation of anyone under the age of 13 through the Bank’s website.
GLBA AND FCRA COMPARISONS
The GLBA and the FCRA both govern the disclosure of consumer information by the bank. The statutes differ in the scope of coverage and requirements with respect to the bank’s treatment of consumer information. As a result, what may be a permissible disclosure under one statute may be prohibited or subject to different conditions under the other statute. Because compliance with one statute will not entail compliance with the other, it is strongly advised to evaluate the requirements of both laws in connection with our disclosures of consumer information.
While the FCRA restricts only the disclosure of “consumer report” information (information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected for certain specified purposes), the GLBA applies to all personally identifiable financial information of a consumer that is not publicly available, including information about the bank’s transactions and experiences with the consumer, and even the fact that the bank has a relationship with the consumer. As a result, although the bank could disclose information about its transactions and experiences with its consumers to nonaffiliated third parties under the FCRA without condition, such a disclosure would trigger notice and opt‐out requirements under the GLBA (subject to specific exceptions, such as reporting to credit bureaus in accordance with the FCRA).
The GLBA is also narrower than the FCRA to the extent that it restricts the disclosure of information only to nonaffiliated third parties. If information is consumer report information, the FCRA restricts its disclosure both to nonaffiliated third parties and to affiliates. While the GLBA may permit us to disclose consumer report information to nonaffiliated third parties in accordance with the notice and opt‐out requirements, such a disclosure could turn us into a consumer reporting agency under the FCRA, triggering numerous statutory obligations. The consumer’s opt‐out right also functions differently under the two statutes. Under the GLBA, the bank is prohibited, subject to specific exceptions, from sharing information with nonaffiliated third parties unless the bank has provided consumers with a privacy notice and an opportunity to opt out of the information sharing. If the consumer does not opt out, we may share information with nonaffiliated third parties. If a consumer opts out of third‐party sharing, we may nonetheless share such information with affiliates because the GLBA does not provide consumers with an option to limit a bank’s sharing of information with the bank’s affiliates.
Under the FCRA, the bank may share consumer report information with its affiliates if it provides consumers with a notice about the intended disclosure and an opportunity for consumers to opt out of the information sharing. Unlike under the GLBA, the bank is not prohibited from making such disclosures without providing notice and opt-out; however, failure to provide a notice and opt-out may turn the bank into a consumer reporting agency. With respect to nonaffiliated third parties, the FCRA provides no similar opportunity for the bank to disclose consumer report information without becoming a consumer reporting agency. There is no option to provide consumers with a notice and opt-out. If the bank shares consumer reports with nonaffiliated third parties, the bank may become a consumer reporting agency. The FCRA contains no significant explicit exceptions to the notice and opt-out rights other than that for transaction or experience information. The GLBA sets forth a number of specific exceptions to its general restrictions on information disclosure, including exceptions for sharing information with service providers and joint marketers, for disclosures necessary to process or service transactions, and for a variety of other circumstances.