SUBPART A

Initial Privacy Notice (§4)

1. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])

2. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]

3. Does the institution provide to existing customers, who obtain a new financial product or service, an initial privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§4(d)(1)]

4. Does the institution provide initial notice after establishing a customer relationship only if:
a) the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or
b) to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4(e)(1)(ii)]

5. When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]
Annual Privacy Notice (§5)

6. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1) and (2)]

(Note: annual notices are not required for former customers. [§5(b)(1) and (2)])

7. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]
Content of Privacy Notices (§6)

8. Do the initial, annual, and revised privacy notices include each of the following, as applicable:
a. the categories of nonpublic personal information that the institution collects; [§6(a)(1)]
b. the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]
c. the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]
d. the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]
e. if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]
f. an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g. any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h. the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and
i. a general statement (with no specific reference to the exceptions or to the third parties) that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]

(Note: sample clauses for these items appear in Appendix A of the Regulation.)

9. Does the institution list the following categories of nonpublic personal information that it collects, as applicable:
a. information from the consumer; [§6(c)(1)(i)]
b. information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]
c. information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and
d. information from a consumer reporting agency? [§6(c)(1)(iv)]

10. Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:
a. information from the consumer;
b. information about the consumer's transactions with the institution or its affiliates;
c. information about the consumer's transactions with nonaffiliated third parties; and
d. information from a consumer reporting agency? [§6(c)(2)]

(Note: examples are recommended under §6(c)(2) although not under §6(c)(1).)

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]

12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under §13:
a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); [§6(c)(4)(i)] and
b. that the third party is a service provider that performs marketing on the institution's behalf or on behalf of the institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:
a. who is authorized to have access to the information; [§6(c)(6)(i)] and
b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy? [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [§6(d)(1)]

16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the notice? [§6(d)(2)(iii)]

(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [§6(d)(3)])

17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]

18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:
a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]
Opt Out Notice (§7)

19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13, 14, and 15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]

20. Does the opt out notice state:
a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]

21. Does the institution provide the consumer with the following information about the right to opt out:
a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)]
c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:
a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]

27. If each joint consumer may opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]
b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]

30. Does the institution allow the consumer to opt out at any time? [§7(f)]

31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]

32. When a customer relationship ends, does the institution continue to apply the customer's opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)]
Revised Notices (§8)

33. Except as permitted by §§13, 14, and 15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:
a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [§8(a)(1)]
b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and
d. the consumer has not opted out? [§8(a)(4)]

34. Does the institution deliver a revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])
Delivery Methods (§9)

35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]

36. Does the institution use a reasonable means for delivering the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]
c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or
d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii), and (d)])

37. For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice, such as:
a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or
b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]

39. Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or
c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]

40. Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]
SUBPART B

Limits on Disclosure to Nonaffiliated Third Parties (§10)

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13, 14, and 15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])

42. Does the institution provide the consumer with a reasonable opportunity to opt out, such as by:
a. mailing the notices required by §10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the institution and agrees to receive the notices required by §10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [§10(a)(3)(ii)] or
c. for isolated transactions, providing the notices required by §10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [§10(a)(3)(iii)]

43. Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]

(Note: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.)
Limits on Redisclosure and Reuse of Information (§11)

44. If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:
a. to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])

45. If the institution receives information from a nonaffiliated financial institution other than under an exception in §14 or §15, does the institution refrain from disclosing the information except:
a. to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and
c. to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [§11(b)(1)(iii)]

Limits on Sharing Account Number Information for Marketing Purposes (§12)

46. Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [§12(b)(2)]

(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [§12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [§12(c)(2)])
SUBPART C

Exception to Opt Out Requirements for Service Providers and Joint Marketing (§13)

47. If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]
Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions (§14)

48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:
a. servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; [§14(a)(2)] or
c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]

49. If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:
a. required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or
b. required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]
i. carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§14(b)(2)(i)]
ii. administer or service benefits or claims; [§14(b)(2)(ii)]
iii. confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§14(b)(2)(iii)]
iv. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
v. underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§14(b)(2)(v)] or
vi. in connection with:
(1) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]
(2) the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
(3) the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]
Other Exceptions to Notice and Opt Out Requirements (§15)

50. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketers in §13, not apply because the institution makes the disclosure:
a. with the consent or at the direction of the consumer; [§15(a)(1)]
b.
i. to protect the confidentiality or security of records; [§15(a)(2)(i)]
ii. to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
iii. for required institutional risk control or for resolving consumer disputes or inquiries; [§15(a)(2)(iii)]
iv. to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or
v. to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution's attorneys, accountants, and auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]

(Note: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")