Regulation P & GLBA Training

1 Regulation P & GLBA Training

2 Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed of several components, including: the Financial Privacy Rule and the Safeguards Rule.

3 Right to Financial Privacy All employees should receive a copy of the Bank's Right to Financial Privacy Act Policy. Confirm with the Bank's personnel department that all new employees are provided a copy as well. The Bank should confirm that there are information sharing agreements between the Bank and affiliates, including service agreements and/or contracts between the Bank and nonaffiliated third parties either to obtain or provide information or services. The Bank is responsible for maintaining complaint logs, monitoring telemarketing scripts and any other information obtained from nonaffiliated third parties. Note: Review telemarketing scripts to determine whether the contractual terms set forth under CFPB's limits on sharing account number information for marketing purposes are met and whether the Bank is disclosing account number information in violation of CFPB's exception to opt out requirements for service providers and joint marketing.

4 Right to Financial Privacy Important Definitions: Consumer: An individual who obtains or has obtained from you a financial product or service that is to be used primarily for personal, family, or household purposes in an isolated transaction. EX: Purchase of a money order. Customer: A consumer with whom you have a continuing relationship in which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes. EX: Opens and maintains a deposit account with you. NOTE: For loans, a person becomes a customer at origination. Therefore, an applicant is a consumer.

5 Right to Financial Privacy - Requests The Right to Financial Privacy Act applies only to requests for customers that are individuals or partnerships of five or fewer individuals. Requests from the state and local government agencies and nongovernmental entities are generally covered by state law. The Internal Revenue Service follows a separate set of rules as well.

6 Right to Financial Privacy - Requests Right to Financial Privacy Act Process All Bank Personnel: Do not tell any employee or Bank personnel, other than the person you directly refer the request to, about the request. Is the request, or demand, from: A state or federal government agency (including the IRS)? Refer the request to the Security Officer and provide any relevant documentation. Another financial institution? Do not respond to the request; transfer the request directly to the officer in charge of the account. Other than a state or federal government agency or another financial institution? Advise the requestor that all information about Bank customers is confidential; and the Bank will not acknowledge whether or not the person about whom the request is made is a customer of the Bank.

7 Right to Financial Privacy - Requests Privacy Notice - Required Content Simplified Notice (For non-disclosure of nonpublic personal information) Right to Disclose Notice (For disclosure of nonpublic personal information) Short Form Notices - Required Content Opt-Out Notice - Required Content Opt-Out Notice Delivery Initial Privacy Notices Customer Initial Notice Consumer Initial Notice Annual Privacy Notice Revised Notices

8 Privacy Notice Required Content All notices must be clear and conspicuous, meaning they must be: Reasonably understandable AND Designed to call attention to the nature and significance of the information. Do you disclose or reserve the right to disclose nonpublic personal information except to nonaffiliated third parties as permitted by the exceptions under "exception to notice and opt out requirements for processing and servicing transactions" ( ) or "other exceptions to notice and opt out" ( )? Yes = Simplified notice (for non-disclosure of nonpublic personal information) No = Right to disclose notice (for disclosure of nonpublic personal information)

9 Simplified Notice (For non-disclosure of nonpublic personal information) Include the categories of nonpublic personal information you collect. Include policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. Include the fact that the Bank does not disclose nonpublic personal information about current and former customers to affiliates or nonaffiliated third parties, except as authorized by and NOTE: To satisfy this requirement, the notice may simply state that you make disclosures to nonaffiliated third parties as permitted by law.

10 Right to Disclose Notice (For disclosure of nonpublic personal information) Include all categories of nonpublic personal information the Bank collects. Include all categories of nonpublic personal information you disclose about your consumers and former customers. Include all categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your consumers and former customers. Include a statement describing the Bank's disclosure of nonpublic personal information under an exception listed in "Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions" ( ) or "Other Exceptions to Notice and Opt-Out" ( ). NOTE: You are not required to list those exceptions in your initial and annual privacy notices or provide detailed information about the parties to whom you make such disclosures; rather, you are allowed to state only that you make disclosures to other nonaffiliated third parties as permitted by law.

11 Right to Disclose Notice (For disclosure of nonpublic personal information) If you disclose nonpublic personal information under the "Exception to Opt Out Requirements for Service Providers and Joint Marketing" ( ) and no other exception in or permits the disclosure, include a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted under Include an explanation of the consumer's right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time. Include any notices you may provide under the Fair Credit Reporting Act (FCRA) regarding ability to opt out of disclosures of information among affiliates. Include policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. NOTE: Appendix A of the Privacy Rule provides sample clauses that illustrate some of the requirements for the content of notices.

12 Short Form Notices Required Content If the Bank wishes to disclose nonpublic personal information about a consumer who is not your customer outside the exceptions, you may choose to provide a short-form initial notice along with your opt-out notice. EX: Notice on ATM saying the Bank's privacy policy is available upon request with an explanation on how to obtain the notice.

13 Opt-Out Notice Required Content State that you disclose, or reserve the right to disclose such information. State that the consumer has the right to opt out of the disclosure. Provide the customer with information about the financial products or services that the customer obtains to which the opt-out direction would apply. State how the consumer may exercise the right to opt-out. Include check-off boxes prominently displayed, A reply form included with the notice, An electronic means to opt-out, OR A toll free number.

14 Opt-Out Notice Required Content Describe how you will treat an opt-out direction by a consumer who obtains a product or service from you jointly with other consumers: The Bank considers an opt out by a joint customer as applying to all associated joint customers, OR Each joint customer is permitted to opt-out separately. State that the customer may opt-out at any time.

15 Opt-Out Notice Delivery Provide an additional copy/version of the Initial Notice if opt-out is given separately. Give a reasonable amount of time for response before disclosing information. Mail notice allowing consumer to respond by toll free number, return mail or other reasonable means: 30 days Online: 30 days For isolated transaction: ask for decision before completing the transaction Allow customers to opt-out at any time in the future. Honor opt-out notices until revoked by the customer in writing or electronically. Continue to honor opt-out after customer relationship ends.

16 Initial Privacy Notices Initial Notice for a Customer: Provide an up-to-date Privacy Notice before the customer relationship is established by: Hand delivery of printed copy, Mailing a printed copy, Posting on the Bank's electronic site and requiring receipt of acknowledgement from customer, OR Posting notice on the screen of ATM and requiring receipt of acknowledgment - for isolated transactions ONLY. Provide Opt-Out Notice. Provide reasonable opportunity to Opt-Out. Mail notice allowing customer to respond by toll free number, return mail or other reasonable means: 30 days Online: 30 days If opt-out notice is given separately, provide another copy/version of the Initial Notice.

17 Initial Privacy Notices Initial Notice for a Consumer: Provide up-to-date Privacy Notice if: You plan to disclose nonpublic personal information about him or her to a nonaffiliated third party AND The information you may disclose is not exempt from opt-out requirements. Provide the Opt-Out Notice. Allow reasonable opportunity to Opt-Out. For isolated transaction: ask for decision before completing the transaction.

18 Annual Privacy Notice Provide customers with notice of privacy policies and practices that conform to the procedures for creating the notice above. NOTE: Annual privacy notices should also be sent to each customer whose loan the Bank has the right to service. Annual privacy notices are not required for consumers or previous customers.

19 Annual Privacy Notice: Alternative Available if: You do not disclose nonpublic personal info to non-affiliated third parties (other than under an exception); You don't provide an Opt-out option; You have previously provided a privacy notice; Your privacy policy has not changed since the last time you issued it; AND, You use the model privacy form in the appendix to Reg P for the annual privacy notice. If available, you can satisfy the notice if you provide the abbreviated notice on an account statement, coupon book or other disclosures, and post your privacy notice on your website.

20 Annual Privacy Notice: FAST Act May not need to send it at all: the FAST Act, passed by Congress, eliminated the requirement to send an annual privacy notice so long as: You do not disclose nonpublic personal info to non-affiliated third parties (other than under an exception); and, Your privacy policy has not changed since the last time you issued it. NOTE: This has been passed into law, but Reg P has yet to be updated.

21 Revised Notices Have the Bank's privacy policies and procedures changed since the most recent notice provided? Yes: Provide a revised notice that reflects changes, a new opt-out notice, and a reasonable opportunity to opt-out BEFORE disclosing nonpublic personal information outside of what was described in the most recent privacy notice. No: You may continue disclosing nonpublic personal information. However, continue sending out the Annual Privacy Notice despite the fact there have been no changes.

22 GLBA Safeguards Rule Objectives To ensure the security and confidentiality of customer information; Protect against any anticipated threats or hazards to the security or integrity of such information; and Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

23 The Safeguards Rule The Safeguards Rule requires all financial institutions to design, implement and maintain administrative, technical and physical safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions such as credit reporting agencies that receive customer information from other financial institutions.

24 Definition Customer Information Customer information means any record containing nonpublic personal information about a customer of the Bank, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the Bank or Bank affiliates.

25 Definition Non-Public Personal Information Personally identifiable financial information that is: Provided by a consumer to the Bank; Resulting from any transaction with the consumer or any service performed for the consumer; or Otherwise obtained by the Bank. The term also includes any lists, descriptions or other groupings of individuals that are derived using personally identifiable financial information that is not publicly available.

26 Non-Public Personal Information Examples SSN; Financial account numbers; Driver's License number; Credit Card numbers; DOB; Name, Address, Phone number when collected with financial data; Details of financial transactions; Confirming whether or not a financial transaction took place.

27 Why Protect Customer Information? It's the law. Several laws, including the Gramm-Leach-Bliley Safeguards Rule, require the Bank to protect customer information; and protecting customer information protects customers from identity theft. Obtaining non-public personal information is the main source of identity theft.

28 Written Information Security Plan The Safeguards Rule requires the Bank to develop a written information security plan that describes the Bank's program to protect customer information. The plan must be appropriate to the Bank's size and complexity. As part of the plan, the Bank must: Designate one or more employees to coordinate the information security program; Identify and assess the risks to customer information in each relevant area of the Bank's operation, and evaluate the effectiveness of the current safeguards for controlling these risks; Design and implement a safeguards program; and Regularly monitor and test it; Select service providers that can maintain appropriate safeguards, make sure Bank contracts require them to maintain safeguards, and oversee their handling of customer information; Evaluate and adjust the program in light of relevant circumstances, including changes in the Bank's business or operations, or as a result of security testing and monitoring.

29 Safeguarding Customer Information Process for Managing and Controlling Risk: Implement strong access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals. Example: Create strong password requirements that include the use of upper case, lower case, numbers and symbols (#, etc.). Implement controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain information through fraudulent means. Example: Train employees on phishing scams to prevent employees from inadvertently disclosing information to unauthorized individuals. Implement access restrictions at physical locations containing customer information, such as buildings, computer facilities and records storage facilities to permit access only to authorized individuals. Example: Only allow certain Bank officers access to alarm codes and/or put locks or codes on doors where records are stored. Implement encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access. Do not allow full authorization within the system to any one employee. Example: Do not allow employees who input new customer account information the authority to change addresses or other contact information.

30 Safeguarding Customer Information Implement check-backs to ensure the information on completed customer forms matches what was input into the system. Implement employee background checks for personnel with access to sensitive information. Ensure all employee workstations have up-to-date firewalls and virus protection software. Use software to detect actual and attempted attacks or intrusions. Train employees on the proper destruction of customer information, both physical and computer-based. Scan all paper information to protect against fire and water damage. Ensure all personnel back up their computers daily. Engage with a third party to conduct penetration testing to ensure controls are effective. Audit information security practices to ensure they are being adhered to by all personnel. Train employees at least annually on the importance of safeguarding customer information. Create internet policies for personnel and block sites that are likely to cause damage to internal systems.

31 Safeguarding Customer Information Vendor Management The Bank should take the appropriate steps to ensure the safety of consumer information when handled by a third party service provider: Conduct thorough due diligence before selecting a service provider who will have access to sensitive customer information. Conduct due diligence on existing service providers if it was not done prior to engagement. Evaluate: Measures taken by the service provider to protect customer information. Business reputation, complaints and litigation. Audit environment - request previous audit reports. Business resumption, continuity, recovery and contingency plans.

32 Safeguarding Customer Information Vendor Management Ensure the contract between the Bank and the service provider requires the provider to implement appropriate measures designed to meet the objectives of regulatory guidance on safeguarding customer information. Conduct ongoing monitoring of the service provider to confirm they are conforming with applicable laws and regulations. Periodically review audits, summaries of test results or other equivalent evaluations. Document all due diligence efforts and subsequent monitoring. Maintain with initial contract.

33 Types of Safeguards Safeguards to protect the security, confidentiality, and integrity of customer information fall into 3 basic categories: Administrative Safeguards; Technical Safeguards; and Physical Safeguards.

34 Administrative Safeguards Focuses on departmental processes and includes, but is not limited to: Adhering to policy for handling customer information. Following basic steps to protect customer information. Promoting awareness and knowledge about applicable policies and expectations. Limiting access to customer information to employees who have a business need to see it. Referring calls or requests for customer information to staff trained to respond to such requests. Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.

35 Technical Safeguards Technical safeguards regarding hardware and networking are generally designed and provided by the Information Technology Department. Bank staff must be aware and knowledgeable regarding how customer information is safeguarded. PC/Workstations require technical safeguards: Use anti-virus software that updates automatically. Maintain up-to-date firewalls if your department manages them internally, particularly if your department uses broadband Internet access or allows staff to connect to the network from home. Use a password-protected screensaver or log off the terminal each time you step away. Do not store non-public personal information on personal PCs or workstations; use the Bank's network only. Don't send non-public personal information via standard email. Password safeguards: Never post passwords on or near your terminal. Don't give passwords out to anyone. Change passwords periodically as per Bank policy. Use complex passwords.

36 Physical Safeguards Basic Steps Lock and secure rooms and file cabinets where customer information is kept and limit access to authorized employees. Ensure that storage areas are protected against damage from physical hazards, like fire or floods. Don't leave account numbers, bank documents or other similar documents in public view (including applications, credit reports, denials, financial statements, etc.). Dispose of information appropriately (i.e., shred).

37 Physical Safeguards Appropriate Disposal Store records in a secure area and limit access to authorized employees. Ensure that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods.

38 Safeguard Failure Should be reported to the Board and corrective action should be monitored.

39 Annual Board Reporting Report overall status of the information security program and the Bank's compliance with laws and regulations regarding privacy of consumer information. Discuss potential and current service providers and results of due diligence. Discuss the results of the risk assessment including potential weaknesses. Discuss changes in controls. Report on findings from testing and management responses. Inform the Board of any security breaches or violations. Discuss recommended changes.

40 Incident Response The Bank should have an Incident Response Program designed to address incidents of unauthorized access to sensitive customer information maintained by the Bank or a service provider.

41 Components of a Response Program At a minimum, the Bank's response program should contain procedures for: Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused; Notifying the Bank's primary federal regulator as soon as possible when aware of an incident involving unauthorized access to or use of sensitive customer information; Consistent with the agencies' Suspicious Activity Report (SAR) regulations, filing a timely SAR, and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities; Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and Notifying customers when warranted in a manner designed to ensure that a customer can reasonably be expected to receive it.

42 Response Program Follow the response program in the event of unauthorized access to customer information. Investigate the nature and scope of the incident. Identify what customer information was accessed or misused. Notify primary Federal regulator as soon as possible when the incident involves sensitive information. Sensitive information is a customer's name, address or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Notify appropriate law enforcement authorities. File a SAR. Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information. Example: Freeze account, close affected account, send a new debit card, etc. Notify customers when warranted. If the incident is at the fault of a service provider, it is the Bank's responsibility to notify customers and the regulator. However, the Bank may authorize or contract with a service provider to notify the customer and regulator on their behalf.

43 Incident Response Notifying Customers Notifying a customer is required when the Bank becomes aware of an incident of unauthorized access to sensitive customer information and determines that misuse of its information has occurred or is reasonably possible. Note: Notification may be delayed if it will interfere with a criminal investigation and law enforcement provides the Bank with a written request for delay. Timely notification is required as soon as it will no longer interfere with an investigation. Determine affected customers or groups of customers. Create a clear and conspicuous notice including: Description of incident. Type of information obtained. Description of what the Bank has done to protect customer information from further unauthorized access.

44 Incident Response Notifying Customers Request for the customer to review all accounts and report suspicious activity. Reminder to be vigilant over the next months. Request for the customer to promptly report incident of suspected identity theft to the Bank. A description of fraud alerts and instructions on how to place one in their credit report. Recommendation to periodically obtain credit reports and explanation on how it may be done free of charge. Information about the availability of the FTC's online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC's Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft. Notify nationwide consumer credit reporting agencies prior to sending notices to a large number of customers. Deliver to customers in a manner that will ensure a customer can reasonably be expected to receive it.

45 Regulation P Penalties Although there are no specific penalties designated in Regulation P, the regulators have the authority to assess a civil money penalty in accordance with the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) for non-compliance.

46 GLBA Penalties Violation of GLBA may result in: Civil penalties for the Bank, up to $100,000 for each violation. Civil penalties for officers and directors: the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation. Criminal penalties may include up to 5 years in prison. Removal of management, directors, officers etc. and potentially barring them, permanently, from working in the banking industry. Fines of up to $1,000,000 for an individual or the lesser of $1,000,000 or 1% of the total assets of the Bank.

47 Questions? If you have any additional questions, contact Compliance Alliance at or


More information

Red Flag Policy and Identity Theft Prevention Program

Red Flag Policy and Identity Theft Prevention Program Unified Government of Wyandotte County and Kansas City, Kansas Adopted: 5/11/2011 Red Flag Policy and Identity Theft Prevention Program Authority: The Mayor and the Board of Commissioners are responsible

More information

LCU Privacy Breach Response Plan

LCU Privacy Breach Response Plan LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard

More information

[Utility Name] Identity Theft Prevention Program

[Utility Name] Identity Theft Prevention Program [Utility Name] Identity Theft Prevention Program Effective beginning, 2008 Minnesota Municipal Utilities Association Sample Red Flag policy I. PROGRAM ADOPTION The [Utility Name] ("Utility") developed

More information

University of North Texas System Administration Identity Theft Prevention Program

University of North Texas System Administration Identity Theft Prevention Program University of North Texas System Administration Identity Theft Prevention Program I. Purpose of the Identity Theft Prevention Program The Federal Trade Commission ( FTC ) requires certain entities, including

More information

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. Security for Your Business Mitigating risk is a daily reality for business owners, but you don t have

More information

Identity Theft Prevention Program. Effective beginning August 1, 2009

Identity Theft Prevention Program. Effective beginning August 1, 2009 Identity Theft Prevention Program Effective beginning August 1, 2009 I. PROGRAM ADOPTION Christian Brothers University developed this Identity Theft Prevention Program pursuant to the Federal Trade Commission's

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Privacy Policy Effective May 25 th 2018

Privacy Policy Effective May 25 th 2018 Privacy Policy Effective May 25 th 2018 1. General Information 1.1 This policy ( Privacy Policy ) explains what information Safety Management Systems, 2. Scope Inc. and its subsidiaries ( SMS ), it s brand

More information

IDENTITY THEFT PREVENTION Policy Statement

IDENTITY THEFT PREVENTION Policy Statement Responsible University Officials: Vice President for Financial Operations and Treasurer Responsible Office: Office of Financial Operations Origination Date: October 13, 2009 IDENTITY THEFT PREVENTION Policy

More information

Why you MUST protect your customer data

Why you MUST protect your customer data Why you MUST protect your customer data If you think you re exempt from compliance with customer data security and privacy laws because you re a small business, think again. Businesses of all sizes are

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

COMMENTARY. Information JONES DAY

COMMENTARY. Information JONES DAY February 2010 JONES DAY COMMENTARY Massachusetts Law Raises the Bar for Data Security On March 1, 2010, what is widely considered the most comprehensive data protection and privacy law in the United States

More information

Ouachita Baptist University. Identity Theft Policy and Program

Ouachita Baptist University. Identity Theft Policy and Program Ouachita Baptist University Identity Theft Policy and Program Under the Federal Trade Commission s Red Flags Rule, Ouachita Baptist University is required to establish an Identity Theft Prevention Program

More information

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy

More information

FTC SAFEGUARDS RULE. Gramm-Leach-Bliley Act Effective 5/23/2003

FTC SAFEGUARDS RULE. Gramm-Leach-Bliley Act Effective 5/23/2003 FTC SAFEGUARDS RULE Gramm-Leach-Bliley Act Effective 5/23/2003 1 Introduction The purpose of the FTC Safeguards Rule is to: Ensure the security and confidentiality of customer information. Customer information

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

GLBA, information security and incident response a compliance perspective

GLBA, information security and incident response a compliance perspective GLBA, information security and incident response a compliance perspective Introductions How many have experience with IT? How many have responsibilities involving IT? How many have responsibilities involving

More information

HIPAA Federal Security Rule H I P A A

HIPAA Federal Security Rule H I P A A H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

Summary Comparison of Current Data Security and Breach Notification Bills

Summary Comparison of Current Data Security and Breach Notification Bills Topic S. 117 (Nelson) S. (Carper/Blunt) H.R. (Blackburn/Welch) Comments Data Security Standards The FTC shall promulgate regulations requiring information security practices that are appropriate to the

More information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2 COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September 2018 Table of Contents 1. Scope, Purpose and Application to Employees 2 2. Reference Documents 2 3. Definitions 3 4. Data Protection Principles

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

City of New Haven Water, Sewer and Natural Gas Utilities Identity Theft Prevention Program

City of New Haven Water, Sewer and Natural Gas Utilities Identity Theft Prevention Program City of New Haven Identity Theft Prevention Program, October 2008, page City of New Haven Water, Sewer and Natural Gas Utilities Identity Theft Prevention Program Adopted by Resolution of the Mayor and

More information

Starflow Token Sale Privacy Policy

Starflow Token Sale Privacy Policy Starflow Token Sale Privacy Policy Last Updated: 23 March 2018 Please read this Privacy Policy carefully. By registering your interest to participate in the sale of STAR tokens (the Token Sale ) through

More information

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland. PRIVACY STATEMENT +41 (0) 225349799 www.energymarketprice.com Rue du Rhone 5 1921, Martigny, Switzerland dpo@energymarketprice.com Introduction Your privacy and trust are important to us and this Privacy

More information

Element Finance Solutions Ltd Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS

Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS 800.303.9511 CUSTSERV@SKOWSAVINGS.COM TABLE OF CONTENTS ELECTRONIC DELIVERY OF DOCUMENTS...3 SYSTEM REQUIREMENTS...3

More information

Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014)

Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014) Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014) Comprehensive Information Security Program (Policy 04.72.11) Purpose Temple University, as mandated by

More information

Emsi Privacy Shield Policy

Emsi Privacy Shield Policy Emsi Privacy Shield Policy Scope The Emsi Privacy Shield Policy ( Policy ) applies to the collection and processing of Personal Data that Emsi obtains from Data Subjects located in the European Union (

More information

Token Sale Privacy Policy

Token Sale Privacy Policy Token Sale Privacy Policy PRIVACY POLICY LAST UPDATED ON: [11 SEP 2018] A. OVERVIEW You must read the entirety of this Privacy Policy carefully before making any decision to purchase Tokens. You must also

More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,

More information

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018 ma recycle.com Rely and Comply... GDPR Privacy Policy Policy Date: 24 May 2018 Max Recycle Hawthorne House Blackthorn Way Sedgeletch Industrial Estate Fencehouses Tyne & Wear DH4 6JN T: 0845 026 0026 F:

More information

Beam Technologies Inc. Privacy Policy

Beam Technologies Inc. Privacy Policy Beam Technologies Inc. Privacy Policy Introduction Beam Technologies Inc., Beam Dental Insurance Services LLC, Beam Insurance Administrators LLC, Beam Perks LLC, and Beam Insurance Services LLC, (collectively,

More information

Building a Privacy Management Program

Building a Privacy Management Program Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy Commissioner of Alberta Session Overview Reasons for having a PMP Strategies to deal with current and future

More information

Identity Theft Policies and Procedures

Identity Theft Policies and Procedures Identity Theft Policies and Procedures Davis & Wehrle, LLC 1104 S. Mays, Suite 105 Round Rock, TX 78664-6700 United States (512) 346-1131 Davis & Wehrle Identity Theft Policies & Procedures September 2017

More information

HPE DATA PRIVACY AND SECURITY

HPE DATA PRIVACY AND SECURITY ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection

More information

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN TELECOM, INC. ( BCN" or "Company") has established practices and procedures adequate to ensure compliance

More information

Keeping It Under Wraps: Personally Identifiable Information (PII)

Keeping It Under Wraps: Personally Identifiable Information (PII) Keeping It Under Wraps: Personally Identifiable Information (PII) Will Robinson Assistant Vice President Information Security Officer & Data Privacy Officer Federal Reserve Bank of Richmond March 14, 2018

More information

Subject: Kier Group plc Data Protection Policy

Subject: Kier Group plc Data Protection Policy Kier Group plc Data Protection Policy Subject: Kier Group plc Data Protection Policy Author: Compliance Document type: Policy Authorised by: Kier General Counsel & Company Secretary Version 3 Effective

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

QNB Bank-ONLINE AGREEMENT

QNB Bank-ONLINE AGREEMENT This is an Agreement between you and QNB Bank ("QNB"). It explains the rules of your electronic access to your accounts through QNB Online. By using QNB-Online, you accept all the terms and conditions

More information

Demonstrating Compliance in the Financial Services Industry with Veriato

Demonstrating Compliance in the Financial Services Industry with Veriato Demonstrating Compliance in the Financial Services Industry with Veriato Demonstrating Compliance in the Financial Services Industry With Veriato The biggest challenge in ensuring data security is people.

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security

INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security The Office of Illinois Attorney General Lisa Madigan has created

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information

More information

Consolidated Privacy Notice

Consolidated Privacy Notice Privacy Notice Overview Consolidated Privacy Notice The Southern California Edison Privacy Notice was updated on January 31, 2018 It is important to Southern California Edison (SCE) to protect your information

More information

Important Information

Important Information Important Information Important Information Effective from 13 January 2018 1. Your information 1.1 Who we are We are Coutts & Co, of 440 Strand, London WC2R OQS. We are a member of The Royal Bank of Scotland

More information

Creative Funding Solutions Limited Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2007 H 1 HOUSE BILL 1699

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2007 H 1 HOUSE BILL 1699 GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 0 H HOUSE BILL Short Title: Option to Stop Junk Mail. (Public) Sponsors: Representatives Fisher; Alexander, Faison, Harrison, and Samuelson. Referred to: Judiciary

More information

The University of British Columbia Board of Governors

The University of British Columbia Board of Governors The University of British Columbia Board of Governors Policy No.: 118 Approval Date: February 15, 2016 Responsible Executive: University Counsel Title: Safety and Security Cameras Background and Purposes:

More information

Cybersecurity and Data Protection Developments

Cybersecurity and Data Protection Developments Cybersecurity and Data Protection Developments Nathan Taylor March 8, 2017 NY2 786488 MORRISON & FOERSTER LLP 2017 mofo.com Regulatory Themes 2 A Developing Regulatory Environment 2016 2017 March CFPB

More information

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: Can serve as annual HIPAA training for physician practice

More information

Leap Credit LLC Privacy Policy

Leap Credit LLC Privacy Policy Leap Credit LLC Privacy Policy Last Updated: May 04, 2017 Leap Credit LLC ("we," "us," or "our") respects your privacy and knows that you care about protecting your personal information. This privacy policy

More information

MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY

MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY Effective Date: 12 September 2017 MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY Mastercard respects your privacy. This Privacy Policy describes how we process personal data, the types of personal

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

Eagles Charitable Foundation Privacy Policy

Eagles Charitable Foundation Privacy Policy Eagles Charitable Foundation Privacy Policy Effective Date: 1/18/2018 The Eagles Charitable Foundation, Inc. ( Eagles Charitable Foundation, we, our, us ) respects your privacy and values your trust and

More information

Privacy Policy. We may collect information either directly from you, or from third parties when you:

Privacy Policy. We may collect information either directly from you, or from third parties when you: Privacy Policy In this Privacy Policy, 'us' 'we' or 'our' means Envisage Software Pty Ltd trading as Envisage Apps. We are committed to respecting your privacy. Our Privacy Policy sets out how we collect,

More information

Security and Privacy Breach Notification

Security and Privacy Breach Notification Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains

More information

RippleMatch Privacy Policy

RippleMatch Privacy Policy RippleMatch Privacy Policy This Privacy Policy describes the policies and procedures of RippleMatch Inc. ( we, our or us ) on the collection, use and disclosure of your information on https://www.ripplematch.com/

More information

First Federal Savings Bank of Mascoutah, IL Agreement and Disclosures

First Federal Savings Bank of Mascoutah, IL Agreement and Disclosures Agreement and Disclosures INTERNET BANKING TERMS AND CONDITIONS AGREEMENT This Agreement describes your rights and obligations as a user of the Online Banking Service and all other services made available

More information

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems. BACKED BY REFERENCE GUIDE Acceptable Use Policy GENERAL GUIDANCE NOTE: This sample policy is not legal advice or a substitute for consultation with qualified legal counsel. Laws vary from country to country.

More information

PCI Compliance. What is it? Who uses it? Why is it important?

PCI Compliance. What is it? Who uses it? Why is it important? PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies

More information

Baseline Information Security and Privacy Requirements for Suppliers

Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

Physical and Environmental Security Standards

Physical and Environmental Security Standards Physical and Environmental Security Standards Table of Contents 1. SECURE AREAS... 2 1.1 PHYSICAL SECURITY PERIMETER... 2 1.2 PHYSICAL ENTRY CONTROLS... 3 1.3 SECURING OFFICES, ROOMS AND FACILITIES...

More information

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your). Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations

More information