PRIVACY IMPACT ASSESSMENT

Similar documents
PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

How To Use The Fdic External Service For Mortgage Servicing Rights

How To Understand And Understand The Role Of Reverse Mortgage Solutions

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT

Office of Audits Report No. AUD The FDIC s Privacy Program 2011

Commodity Futures Trading Commission Privacy Impact Assessment

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014

The Bureau of the Fiscal Service. Privacy Impact Assessment

The Bureau of the Fiscal Service. Privacy Impact Assessment

PRIVACY IMPACT ASSESSMENT

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

General Statement and Verification of Standards

The Bureau of the Fiscal Service. Privacy Impact Assessment

Our collection of information

U.S. Securities and Exchange Commission. Mailroom Package Tracking System (MPTS) PRIVACY IMPACT ASSESSMENT (PIA)

Name of System/Application: Customer Service Center Telecommunication System (CSCTCS)

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Chapter 50 General Accounting and Reporting Requirements

Iowa Student Loan Online Privacy Statement

Corporate Property Automated Information System CPAIS. Privacy Impact Assessment

Privacy Impact Assessment

Privacy Impact Assessment. For. TeamMate Audit Management System (TeamMate) Date: July 9, Point of Contact: Hui Yang

Covered Areas: Those EVMS departments that have activities with Covered Accounts.

GEORGIA TECH FOUNDATION, INC. COMMITTEE OPERATING PROCEDURES REAL ESTATE COMMITTEE

Table of Contents Chapter 1 Introduction Goals & Objectives Required Review Applicability...

PRIVACY IMPACT ASSESSMENT

Financial Management Service. Privacy Impact Assessment

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

Privacy Impact Assessment For Central Processing System (CPS) Date: March 25, 2013

Cloud 2 General Support System

Protecting your privacy

Federal Trade Commission Privacy Impact Assessment. for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website

Marketing to the FDIC: Understanding the FDIC Service Categories. Understanding typical FDIC contractor service categories

Correspondent Seller Eligibility Policy

Personal Information Collection and the Privacy Impact Assessment (PIA)

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

Third Party Relationships

PII Compliance Guidelines

How To Make Money From A Loan

1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established

A. SYSTEM DESCRIPTION

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Federal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website

Chapter 5. How to Process VA Loans and Submit Them to VA Overview

Solomon Hess SBA Management LLC 4301 North Fairfax Drive Arlington VA March 19, 2014

Privacy Impact Assessment of the Nationwide Mortgage Licensing System and Registry

Intel Enhanced Data Security Assessment Form

Supplier Security Assessment Questionnaire

How To Get A Deposit From A Bank With A Liboration Program Account

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Small Business IT Risk Assessment

A. SYSTEM DESCRIPTION

secure shredding Services Secure, Compliant, Cost-Effective, Environmentally Responsible Information Destruction Secure Shredding

Data Management Policies. Sage ERP Online

*TDA1086* Business Account Application

U.S. Securities and Exchange Commission. Integrated Workplace Management System (IWMS) PRIVACY IMPACT ASSESSMENT (PIA)

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

advice backed by our knowledge and experience Delta Community Credit Union Business Services distinguished by

Selling Your USDA Loans To Coastal. First Quarter 2015

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

SchoolFront.com Privacy & Security

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

Privacy Impact Assessment for the. E-Verify Self Check. March 4, 2011

Protecting your privacy

A. SYSTEM DESCRIPTION

Vendor Management Best Practices

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

The Bureau ofthe Fiscal Service. Debt Information Management System. Privacy Impact Assessment

Privacy Impact Assessment for the. E-Verify Self Check. DHS/USCIS/PIA-030(b) September 06, 2013

Crew Member Self Defense Training (CMSDT) Program

MIS Privacy Statement. Our Privacy Commitments

Federal Trade Commission Privacy Impact Assessment

How To Understand The System'S Purpose And Function

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law.

Cultural Human Resources Council (CHRC) Personal Information Protection and Electronic Documents Act (PIPEDA) Privacy Policy

Privacy Policy. Effective Date: November 20, 2014

Bank Secrecy Act E-Filing. Privacy Impact Assessment (PIA) Bank Secrecy Act E-Filing. Version 1.5

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

Institutional Account Application

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Office of Audits and Evaluations Report No. AUD DRR s Controls for Managing, Marketing, and Disposing of Owned Real Estate Assets

Sample. Provide the highest level of risk review and compliance measurement.

When you have completed these forms please return the signed documents and a banker will contact you.

Transcription:

PRIVACY IMPACT ASSESSMENT Mission Capital Advisors April 2011 FDIC External Service Table of Contents System Overview Personally Identifiable Information (PII) in MISSION Purpose & Use of Information in MISSION Sources of Information in MISSION Notice & Consent Access to Data in MISSION Data Sharing Data Accuracy in MISSION Data Security for MISSION System of Records Notice (SORN) Contact Us

System Overview When an FDIC-insured financial institution fails, the Federal Deposit Insurance Corporation (FDIC), in its receivership capacity, assumes the task of collecting and selling the assets (i.e. loans) of the failed financial institution and settling its debts, including claims of deposits in excess of the insured limit. The FDIC either sells the loans at the time of the financial institution s closing or retains the loans temporarily. Within FDIC, the Division of Resolutions and Receiverships (DRR) Asset Marketing Branch is responsible for conducting the sales of loans 1 that remain with the Receiver. DRR markets these loans through private Loan Sale Advisors, who are under contract to perform this service on behalf of the Receiver. FDIC is required to maximize 2 the price of resold assets following a bank failure. The use of Loan Sale Advisors helps FDIC obtain the highest return by tapping into a large pool of potential purchasers or bidders. To fulfill these functions, the FDIC has contracted with Mission Capital Advisors, to value and sell assets acquired when a financial institution fails. The MISSION solution provides a secure, online website where assets and loan pools may be viewed for purchase by authorized bidders. MISSION currently utilizes a third-party vendor, Pandesa ShareVault, to host the sales portion of its website. As part of the loan sale process, MISSION collects personally identifiable information (PII) from potential bidders who register to participate in the loan sale. Bidders typically refer to banks or private firms, but in some cases, bidders are individual members of the public, who are required to meet strict eligibility requirements set forth by FDIC and MISSION. Due to the nature of loan sales in the secondary market, MISSION must provide potential bidders with all the documents necessary for bidders to conduct appropriate due diligence. These loan sale documents often contain sensitive information, including PII on individual loan customers. Following a sale, the successful bidder is provided all data through Pandesa ShareVault. Data is removed from the Pandesa ShareVault host website within five months after the sale. MISSION retains a copy of the sale information and details in a secure archive network folder with restricted access. Backup tapes are encrypted and sent to a secure Iron Mountain facility. All data is deleted, destroyed or expunged upon request from the FDIC. Personally Identifiable Information (PII) in MISSION MISSION maintains personal identifiable information (PII) relating to borrowers and customers of failed financial institutions, as well as prospective bidders. MISSION requires prospective bidders to register on its website before they can access loan sale information containing PII. As part of the registration process, MISSION requires prospective bidders to provide the following information: individual or business name, work address, work phone number, fax number, Tax Identification Number (TIN) or Social Security Number (SSN), detailed company information (e.g., number of employees, date of 1 Loan portfolios from failed banks usually contain a variety of performing and non-performing loan products including mortgage, commercial, and consumer loans. 2 FDIC s mandate is to maximize the price of sold assets following a financial institution failure. Experience has proven that valuations must be performed at the asset-level to validate prices received for assets. The quality and quantity of information available for investor review is critical to receiving the maximum value for the assets. 1

formation, names/addresses of company owners/officers/directors/trustees/subsidiaries, etc.), financial information (e.g., company s revenue, assets, tangible net worth, etc.), proof of past loan purchase experience references, and professional references (banker, lawyer and accountant). Additional information collected may include electronic copies of Articles of Incorporation, Organization, Partnership or similar documentation, and FDIC Security Deposit Agreement. PII elements collected relating to the individuals and customers of the failed financial institution may include the following: name, home address, home email address, home telephone number, SSN, TIN, date of birth, place of birth, account number, account balance, and other credit information. Scanned data may include driver s license, tax returns, financial statements, previous and current credit reports, employment history or information, Employee ID Number (EID), and other data contained in the loan file at the time of the financial institution s closing. Purpose & Use of Information in MISSION MISSION obtains data directly from the failed financial institution. The data maintained in MISSION is both relevant and necessary to value, market and sell assets acquired from closed financial institutions at the highest possible rate of return. Sources of Information in MISSION Data for the MISSION website is directly obtained from the asset data acquired at or following the closing of a financial institution. Authorized DRR staff copies the information from the computer systems of the closed financial system and securely transmits the information to MISSION via Secure File Transfer Protocol (SFTP) or encrypted digital media. If files are in hard copy, an authorized subcontractor of FDIC or MISSION scans the contents of the loan files to support investor due diligence of all assets offered for sale. These filse are scanned either onsite or offsite by the authorized subcontractor. After the data has been scanned, MISSION performs data validation and organization, restacking and labeling all loan documentation in a consistent format to support bidder due diligence. MISSION then uploads all loan documentation to its secure, Virtual Data Room (VDR). The DRR Asset Marketing staff may obtain a current credit report on the borrower or guarantor from a credit reporting agency that is used to supplement the asset data and allow for the correct valuation of each asset. Notice & Consent Individuals (i.e. failed bank loan customers) do not have the opportunity to opt out of providing their information to MISSION. Data is collected directly from the failed financial institution and not collected from the individuals. FDIC is required to sell all assets acquired from the failed financial institution for the maximum amount possible and as soon as possible or after the closing of the financial institution. To achieve these goals, FDIC has employed the services of MISSION Loan Sales Advisors to value and market these assets. 2

Access to Data in MISSION Access to data in MISSION is limited to four main categories of users: FDIC authorized users: Authorized DRR Asset Management (AM) staff responsible for the expeditious sale of loans after the failure of a financial institution have access to the information in MISSION. AM staff manage and monitor the data being sent to MISSION and the sales after data is loaded. Additionally, the FDIC Oversight Manager and Technical Monitor in DRR monitor the activities of the staff at MISSION. Users must request access from the contract Oversight Manager in DRR and access to the MISSION website requires FDIC management approval. Access to the data is limited to users with the operational need to access the information. Authorized MISSION users: Authorized MISSION Loan Sales Advisors have access to the data in MISSION for the purpose of updating data and conducting and monitoring sales of loans/loan pools; underwriters for the purpose of updating data and preparing the loans/loan pools for viewing by authorized bidders on the MISSION website; administrative staff for the purpose of uploading data to the appropriate portion of the secure website; and information security/technical staff for the purpose of administering the site and record retention/disposal activities. Additionally, authorized subcontractors of MISSION, may have access to data for the purpose of providing image scanning, research and valuation support to the MISSION Loan Sale Advisors. Authorized subcontractors, including Pandesa ShareVault, which hosts MISSION s sales website, may have access to the website for purposes of system administration and customer service support. Authorized users access the data on a need to know basis as part of the duties performed for their employer. Authorized bidders/purchasers: Authorized bidders/purchasers have access to the data on the MISSION website for the purpose of reviewing the data in the loans/loan pools as part of the due diligence process and purchasing assets. Other federal government agency personnel: Federal government agency personnel may have access to data in MISSION on a need to know basis depending on the guarantor or participant to a loan. This may include the Small Business Administration (SBA), the U.S. Department of Agriculture (USDA) and the Farm Service Agency (FSA). Access is granted to only those loans and sales applicable to the guarantor or participant for the purpose of reviewing the status of the sale. Data Sharing Other Systems that Share or Have Access to Data in the System: No other systems currently share or have access to data in the MISSION system. System Name System Description Type of Information Processed N/A N/A N/A 3

Data Accuracy in MISSION Data is collected directly from the failed financial institutions. The FDIC inspects data for viruses and malicious code before forwarding it to MISSION. MISSION performs data validation, reviewing the loan file for completeness, verifying whether or not certain documents or data is missing, and, as feasible, updating this data prior to the sale of the loan/loan pool. Data Security for MISSION Within DRR, the FDIC Oversight Manager, Technical Monitors, and Program Manager are overall responsible for protecting the privacy rights of the public. Within MISSION, the Information Security Officer (ISO) and assistant ISO have overall responsibility for ensuring the proper use of data by the MISSION personnel and subcontractors who have access to the data. MISSION employees are responsible for protecting PII in accordance with MISSION corporate policies, Non-Disclosure Agreements, and Confidentiality Agreements. During the closing process of a failed financial institution, the DRR Asset Management (AM) staff copies the data from the computer systems of the closed financial institution and securely transmits the data encrypted via secure protocols. MISSION maintains audit trails of authorized users access to sales and assets. Audit trails include such information as the asset reviewed by a user, the date, and time. Additionally, the FDIC Oversight Manager and Technical Monitor in DRR monitor the activities of the staff at MISSION. Secured firewalls, Intrusion Detection Systems (IDS) and automatic session timeout are in use by MISSION and the data file host site at Pandesa ShareVault to assure unauthorized monitoring does not occur. System of Records Notice (SORN) MISSION operates under the applicable FDIC SORN: 30-64-0013, Insured Financial Institution Liquidation Records. Contact Us To learn more about the FDIC s Privacy Program, please visit: http://www.fdic.gov/about/privacy/. If you have a privacy-related question or request, email Privacy@fdic.gov or one of the FDIC Privacy Program Contacts. You may also mail your privacy question or request to the FDIC Privacy Program at the following address: 3501 Fairfax Drive, Arlington, VA 22226. 4

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information