Examination Checklist

SUBPART A
Initial Privacy Notice (§4)

1. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])

2. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]

3. Does the institution provide to existing customers, who obtain a new financial product or service, an initial privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§4(d)(1)]

4. Does the institution provide initial notice after establishing a customer relationship only if:

a. the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or

b. to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4(e)(1)(ii)]

5. When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]

Annual Privacy Notice (§5)

6. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1) and (2)]

(Note: annual notices are not required for former customers. [§5(b)(1) and (2)])

7. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]

Content of Privacy Notices (§6)

8. Do the initial, annual, and revised privacy notices include each of the following, as applicable:

a. the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b. the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c. the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d. the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]

e. if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]

f. an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]

g. any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]

h. the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and

i. a general statement, with no specific reference to the exceptions or to the third parties, that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]

(Note: sample clauses for these items appear in Appendix A of the Regulation.)

9. Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a. information from the consumer; [§6(c)(1)(i)]

b. information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]

c. information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

d. information from a consumer reporting agency? [§6(c)(1)(iv)]

10. Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:

a. information from the consumer;

b. information about the consumer's transactions with the institution or its affiliates;

c. information about the consumer's transactions with nonaffiliated third parties; and

d. information from a consumer reporting agency? [§6(c)(2)]

(Note: examples are recommended under §6(c)(2) although not under §6(c)(1).)

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]

12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under §13:

a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); [§6(c)(4)(i)] and

b. that the third party is a service provider that performs marketing on the institution's behalf or on behalf of the institution and another financial institution; [§6(c)(4)(ii)(A)] or

c. that the third party is a financial institution with which the institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum:

a. a statement to this effect;

b. the categories of nonpublic personal information it collects;

c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; [§6(c)(6)(i)] and

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy? [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [§6(d)(1)]

16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form initial notice:

a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]

b. state that the institution's full privacy notice is available upon request; [§6(d)(2)(ii)] and

c. explain a reasonable means by which the consumer may obtain the notice? [§6(d)(2)(iii)]

(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [§6(d)(3)])

17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:

a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or

b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]

18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:

a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose; [§6(e)(1)] and

b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]

Opt Out Notice (§7)

19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13, 14, and 15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]

b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)]

c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either:

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]

27. If each joint consumer may opt out separately, does the institution permit:

a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]

b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and

c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]

30. Does the institution allow the consumer to opt out at any time? [§7(f)]

31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]

32. When a customer relationship ends, does the institution continue to apply the customer's opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)]

Revised Notices (§8)

33. Except as permitted by §§13, 14, and 15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:

a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [§8(a)(1)]

b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]

c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and

d. the consumer has not opted out? [§8(a)(4)]

34. Does the institution deliver a revised privacy notice when it:

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])

Delivery Methods (§9)

35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]

36. Does the institution use a reasonable means for delivering the notices, such as:

a. hand-delivery of a printed copy; [§9(b)(1)(i)]

b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]

c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or

d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii), and (d)])

37. For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]

39. Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:

a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]

b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or

c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]

40. Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]

SUBPART B
Limits on Disclosure to Nonaffiliated Third Parties (§10)

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13, 14, and 15, unless:

a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c. it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d. the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])

42. Does the institution provide the consumer with a reasonable opportunity to opt out such as by:

a. mailing the notices required by §10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [§10(a)(3)(i)]

b. where the consumer opens an on-line account with the institution and agrees to receive the notices required by §10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [§10(a)(3)(ii)] or

c. for isolated transactions, providing the notices required by §10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [§10(a)(3)(iii)]

43. Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]

(Note: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.)

Limits on Redisclosure and Reuse of Information (§11)

44. If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a. to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b. to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c. to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])

45. If the institution receives information from a nonaffiliated financial institution other than under an exception in §14 or §15, does the institution refrain from disclosing the information except:

a. to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]

b. to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and

c. to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [§11(b)(1)(iii)]

Limits on Sharing Account Number Information for Marketing Purposes (§12)

46. Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:

a. to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [§12(b)(1)] or

b. to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [§12(b)(2)]

(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [§12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [§12(c)(2)])

SUBPART C
Exception to Opt Out Requirements for Service Providers and Joint Marketing (§13)

47. If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:

a. the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]

b. the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and

c. the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions (§14)

48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a. servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]

b. maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; [§14(a)(2)] or

c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]

49. If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:

a. required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or

b. required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]

i. carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§14(b)(2)(i)]

ii. administer or service benefits or claims; [§14(b)(2)(ii)]

iii. confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§14(b)(2)(iii)]

iv. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]

v. underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§14(b)(2)(v)] or

vi. in connection with:

(1) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]

(2) the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or

(3) the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]

Other Exceptions to Notice and Opt Out Requirements (§15)

50. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketers in §13, not apply because the institution makes the disclosure:

a. with the consent or at the direction of the consumer; [§15(a)(1)]

b.

i. to protect the confidentiality or security of records; [§15(a)(2)(i)]

ii. to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]

iii. for required institutional risk control or for resolving consumer disputes or inquiries; [§15(a)(2)(iii)]

iv. to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or

v. to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§15(a)(2)(v)]

c. to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution's attorneys, accountants, and auditors; [§15(a)(3)]

d. in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [§15(a)(4)]

e. to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]

f. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§15(a)(6)]

g. to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]

h. to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or

i. to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]

(Note: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")