ABA Financial Privacy TOOLBOX




This tool is designed to help you craft or revise your privacy policy and design your disclosures. It contains three sample privacy policy notices, the first of which is likely to meet the needs of most community banks. The other samples are designed for institutions with affiliates or that use third parties beyond the special exceptions in the law. It is best to complete the information self-assessment (Tool 2) first to determine which sample is the most appropriate starting place for your institution.

Understand the Requirements of the GLB Act
Draft Your Written Privacy Notice
- Sample 1 (for institutions without affiliates, including most community banks)
- Sample 2 (for institutions with affiliates)
- Sample 3 (for institutions with affiliates, joint marketing, and third-party sharing outside of the exceptions)
Ensure Third Parties Abide by Your Privacy Standards

1-800-BANKERS www.aba.com

TOOL 3 CONTENTS
Summary of Gramm-Leach-Bliley Regulation ... 3
Sample Privacy Policy Notices ... 5
Some Considerations in Preparing Your Privacy Notice ... 16
Sample Privacy Language for Third-party Contractors ... 18
Exceptions to the Opt-Out Provisions ... 20

CHECKLIST: ABA Financial Privacy TOOLBOX

Building Your Privacy Program
- Involve Your Board and Senior Management
- Consider a Board Privacy Resolution
- Review Your Employee Code of Conduct
- Appoint a Privacy Manager or Designate a Responsible Person
- Review Your Security Officer's Responsibilities

Conducting an Information Self-Assessment
- Perform an Information Self-Assessment
  - How do you collect information?
  - How do you share customer information within your organization?
  - How do you share information with third parties?
  - How do you provide customer notice?
  - How do you provide customers the right to opt out?
  - How do you allow customer access and correction?
  - How do you provide information security?
  - How do you handle customer questions and concerns about privacy?

Understand the Requirements of the GLB Act
Draft Your Written Privacy Notice
- Sample 1 (for institutions without affiliates, including most community banks)
- Sample 2 (for institutions with affiliates)
- Sample 3 (for institutions with affiliates, joint marketing, and third-party sharing outside of the exceptions)
Ensure Third Parties Abide by Your Privacy Standards

Going Beyond GLB: Medical Privacy & Identity Theft
- Stress the Importance of Keeping Medical Information Confidential
- Be Proactive in Preventing and Resolving Cases of Identity Theft

Training Your Employees
- Implement Privacy Training
- Implement Training on Combating Pretext Calling

Communicating with Customers
- Communicate Your Institution's Policy Toward Privacy
- Communicate the Benefits of Information Sharing

Summary of Gramm-Leach-Bliley Regulation

Summary of Gramm-Leach-Bliley Act Privacy Regulations (Regulation P)

Effective Date
The rule is effective November 13, 2000, but compliance is voluntary until July 1, 2001. Financial institutions must provide initial privacy notices to all existing customers by the July 1st date.

Privacy Policy Notices
Financial institutions are required to provide privacy policy notices that clearly, conspicuously, and accurately reflect the institution's privacy policies and information-sharing practices. The final regulation mandates that the notices include the categories of information collected and disclosed, but institutions do not have to detail every source from which they collect personal information. In fact, the categories of information collected may be described in general terms, without specific examples. This will allow community banks, in most instances, to provide short statements and be in full compliance with the rule. Another option for privacy policy disclosure is to post the notice on your website for a customer who obtains the financial product electronically and agrees to receive the notice electronically. The disclosure must be reasonably understandable and designed to call attention to the nature and significance of the information.

How and When to Provide Notices
A current privacy policy notice is required from all institutions, both at the time an individual establishes a customer relationship with the financial institution and annually thereafter as long as the relationship exists. The regulations distinguish between consumers and customers. A customer is defined as a consumer with whom you have a continuing relationship. A customer must receive an initial privacy notice. Consumers, however, do not have a right to a privacy notice unless the institution plans to share that individual's nonpublic personal information with nonaffiliated third parties.

If a financial institution subsequently revises its information-sharing practices, the institution must first provide customers (and consumers whose nonpublic personal information the institution plans to share with nonaffiliated third parties) with its revised privacy policy notice and, if appropriate, a new opt-out notice. Separate notices are not required, however, for each new financial product or service if the existing privacy policy notice is accurate for that new product or service.

Nonpublic Personal Information
The rule uses new terminology to define what is protected information. The term "nonpublic personal information" means any personally identifiable financial information of a customer or consumer. This is an extremely broad term. Any information is considered financial if the institution requests it for the purpose of providing a financial product or service. Also, the fact that an individual is or has been a customer of a financial institution is itself personally identifiable financial information.

Disclosure of Publicly Available Information
Information will be deemed publicly available, and excluded from the definition of nonpublic personal information, if the institution has a reasonable basis to believe that the information is lawfully made available to the general public. An institution will have a reasonable basis for believing that information is lawfully made available if it has taken steps to determine that the information is of the type that is available to the general public and, if an individual could direct that the information not be made available to the general public, whether the individual has done so.

Opt Out
The ABA was successful in persuading Congress to include a number of exceptions (discussed below) to the privacy portion of the GLB Act that requires institutions to allow customers to opt out of third-party sharing. For the most part, community financial institutions will not have to offer the opt out because the transfers, if any, will be for traditional business activities and not for marketing purposes. Before disclosing a customer's or consumer's nonpublic personal information (not covered by an exception) to nonaffiliated third parties, financial institutions must provide a reasonable means and opportunity to opt out of having information shared, such as a toll-free telephone number. A financial institution, however, may not require a person to write his or her own letter in order to opt out. If a financial institution offers one or more alternative reasonable means to opt out, the institution may require use of one of those methods. A financial institution will need to honor an opt-out request as soon as reasonably practicable.

Exceptions
There are certain exceptions that permit financial institutions to share nonpublic personal information with third parties without providing privacy opt-out notices. These exceptions include disclosures of nonpublic personal information:
- made in connection with certain processing and servicing transactions;
- with the consent, or at the direction, of a customer or consumer;
- to protect against potential fraud or unauthorized transactions;
- to respond to judicial process; and
- to provide the information to an employee of the institution who happens also to be an employee of a nonaffiliated third party.
In addition, the GLB Act provides an exception for products or services provided pursuant to a joint marketing agreement between two or more financial institutions. In order to take advantage of this exception, however, a financial institution must disclose that it shares such information and must enter into agreements with the other institutions to maintain the confidentiality of personal information. The last section (page 20) in this tool contains the portion of Regulation P that outlines these exceptions.

Confidentiality, Security, and Integrity
Section 501 of the Act requires the agencies to issue regulations establishing standards governing the administrative, technical, and physical safeguards of customer information. The regulatory agencies issued a proposed rule in early June 2000. For the required notices, however, Regulation P clarifies that institutions need only generally describe, in their privacy notices, who has access to the information and the circumstances under which the information may be accessed.

Limits on Reuse of Information
Section 502 of the Act restricts the reuse of information by third parties. The agencies decided that no monitoring of reuse by financial institutions would be required, since institutions routinely put language in their contracts prohibiting reuse of information. Financial institutions, however, should review their existing contracts with third parties to confirm that such language is actually present.

Sample Privacy Notices [1]

We have included three sample privacy policy notices below. While many variations of such privacy policy notices are possible, these notices provide examples of the types of notices that financial institutions can consider depending on their information-sharing practices. [2]

For most community banks, Sample 1 will meet your needs. You should, of course, confirm that the language you choose to use matches your specific situation. You could be subject to regulatory action and legal liability if your practices do not match your disclosed policies. We encourage you to consider offering additional information to customers about your information practices beyond the GLB Act requirements (e.g., medical data protection and identity theft prevention). We also encourage you to educate your customers about your information practices and the importance of responsible use and protection of their financial information. This will help to maintain the tradition of trust that characterizes your institution and our industry. Tools 4 through 6 are designed to assist you in these efforts.

Sample 1 is designed for an institution that:
- Does not have affiliates;
- Does not disclose nonpublic personal information to third parties except as allowed in the law; [3] and
- Has no joint marketing agreements.

Sample 2 is designed for an institution that:
- Has affiliates;
- Does not disclose nonpublic personal information to third parties except as allowed in the law; and
- Has no joint marketing agreements.

Sample 3 is designed for an institution that:
- Has affiliates;
- Discloses information under the service provider/joint marketing opt-out exception; and
- Discloses information to third parties outside the opt-out exceptions.

[1] This section was written by L. Richard Fischer, a partner with Morrison & Foerster, Washington, D.C. Mr. Fischer's practice focuses on financial services law and he is considered the nation's leading expert on financial privacy. Among other publications, Mr. Fischer is the author of the treatise entitled The Law of Financial Privacy (2d ed.), published by Warren, Gorham & Lamont.
[2] The sample privacy policy notices are based on sample clauses that are contained in Appendix A of the privacy regulations of the federal banking agencies. Institutions may use these sample clauses to meet the Section 503 privacy policy notice obligations.
[3] See the Summary of Gramm-Leach-Bliley Act at the beginning of this tool for a summary of these exceptions (page 4) and see the final section of this tool for the text from the regulators' final rule for the exceptions (page 20).

Sample 1
Designed for an institution that does not have affiliates, does not disclose information outside of the Section 502(e) opt-out exceptions, and has no joint marketing agreements

The sample privacy policy notice contained below is designed primarily for use by community banks to meet the privacy policy notice obligations contained in Section 503 of the Gramm-Leach-Bliley Act. This sample policy is based on three assumptions:
1) Your institution does not have affiliates;
2) Your institution is only disclosing nonpublic personal information to third parties in accordance with the opt-out exceptions contained in Section 502(e) of the GLB Act; [4] and
3) Your institution has no joint marketing agreements.

Based on these three assumptions, your institution's privacy policy notice is required to contain an accurate description of the following items of information:
- The categories of nonpublic personal information your institution collects;
- The fact that your institution does not disclose nonpublic personal information about current or former customers to affiliates or nonaffiliated third parties, except as authorized by the Section 502(e) exceptions; and
- Your institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

Sample 1 of the sample privacy policy notices is designed to meet these obligations. Before using this sample privacy policy notice, you should ensure that the information contained in it is consistent with your institution's actual privacy policies and practices.

[4] See the section in this tool called Exceptions to the Opt-Out Provisions in Gramm-Leach-Bliley (page 20), which contains the parts of the regulations relating to the many exceptions available to the industry.

Sample 1: Sample Privacy Policy Notice

Protecting your privacy is important to [institution name] and our employees. We want you to understand what information we collect and how we use it. In order to provide our customers with a broad range of financial products and services as effectively and conveniently as possible, we use technology to manage and maintain customer information. The following policy serves as a standard for all [institution name] employees for collection, use, retention, and security of nonpublic personal information.

What Information We Collect
We may collect nonpublic personal information about you from the following sources:
- Information we receive from you on applications or other loan and account forms;
- Information about your transactions with us or others; and
- Information we receive from third parties such as credit bureaus.
Nonpublic personal information is nonpublic information about you that we obtain in connection with providing a financial product or service to you. For example, nonpublic personal information includes information regarding your account balance, payment history, and overdraft history.

What Information We Disclose
We are permitted under law to disclose nonpublic personal information about you to other third parties in certain circumstances. For example, we may disclose nonpublic personal information about you to third parties to assist us in servicing your loan or account with us, to government entities in response to subpoenas, and to credit bureaus. We do not disclose any nonpublic personal information about you to anyone, except as permitted by law. If you decide to close your account(s) or become an inactive customer, we will continue to adhere to the privacy policies and practices described in this notice.

Our Security Procedures
We also take steps to safeguard customer information. We restrict access to your personal and account information to those employees who need to know that information to provide products or services to you. Employees who violate these standards will be subject to disciplinary measures. We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.

Sample 2
Designed for an institution that has affiliates, shares nonexperience information with them, but does not disclose information outside of the Section 502(e) opt-out exceptions

The sample privacy policy notice presented below is based on the following assumptions:
1) Your institution collects information from its affiliates;
2) Your institution shares nonexperience information (from an application or credit report) with its affiliates and, thus, is required to provide an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act; and
3) Your institution only discloses nonpublic personal information to affiliates and nonaffiliated third parties in accordance with the opt-out exceptions.

Before using this sample privacy policy notice, you should ensure that the information contained in it is consistent with your institution's actual privacy policies and practices.

Sample 2: Sample Privacy Policy Notice

Protecting your privacy is important to [institution name] and our employees. We want you to understand what information we collect and how we use it. In order to provide our customers with a broad range of financial products and services as effectively and conveniently as possible, we use technology to manage and maintain customer information. The following policy serves as a standard for all [institution name] employees for collection, use, retention, and security of nonpublic personal information.

What Information We Collect
We may collect nonpublic personal information about you from the following sources:
- Information we receive from you on applications or other loan and account forms;
- Information about your transactions with us, our affiliates, or others; and
- Information we receive from third parties such as credit bureaus.
Nonpublic personal information is nonpublic information about you that we obtain in connection with providing a financial product or service to you. For example, nonpublic personal information includes information regarding your account balance, payment history, and overdraft history.

What Information We Disclose
We are permitted under law to share information about our experiences or transactions with you or your account (such as your account balance and your payment history with us) with companies related to us by common control or ownership ("affiliates"). We also may share additional information about you or your account (such as information we receive from you in applications and information from credit reporting agencies) with our affiliates. You may direct us not to disclose to our affiliates information that does not relate solely to our or our affiliates' experiences or transactions with you or your account (such as the application information and credit bureau information) by calling us at 1-800-xxx-xxxx.

We also are permitted under law to disclose nonpublic personal information about you to nonaffiliated third parties (i.e., third parties that are not members of our corporate family) in certain circumstances. For example, we may disclose nonpublic personal information about you to such third parties to assist us in servicing your loan or account with us; to government entities in response to subpoenas; and to credit bureaus. We do not disclose any nonpublic personal information about you to any other third parties, except as permitted by law. If you decide to close your account(s) or become an inactive customer, we will continue to adhere to the privacy policies and practices described in this notice.

Our Security Procedures
We also take steps to safeguard customer information. We restrict access to your personal and account information to those employees who need to know that information to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.

Sample 3
Designed for an institution that has affiliates, shares nonexperience information with them, has joint marketing agreements, and discloses information outside of the opt-out exceptions

The sample privacy policy notice presented below is based on the following assumptions:
1) Your institution collects information from its affiliates;
2) Your institution shares nonexperience information, such as application information or information from a credit report, with its affiliates and, thus, is required to provide an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act;
3) Your institution discloses nonpublic personal information for marketing purposes to service providers or to other financial institutions with which it has joint marketing arrangements; [5] and
4) Your institution discloses nonpublic personal information to affiliates and nonaffiliated third parties outside of the opt-out exceptions.

The following two subsections provide language to modify your policies. Following these subsections, an example of a complete policy that takes these modifications into account is provided.

Subsection 1: For Service Providers/Joint Marketing Exception
If your institution discloses nonpublic personal information for marketing purposes to service providers or to other financial institutions with which it has joint marketing arrangements, you are required (in order to avoid offering an opt out) to include in your privacy policy notice an accurate description of the:
- categories of nonpublic personal information your institution discloses to such entities; and
- categories of third parties under contract with your institution.
To meet this obligation, one of the two following alternatives, as applicable, should be included in your privacy policy notice. Alternative 1 would be used to list the specific categories of information that you disclose; Alternative 2 would be used if you disclose all of the information that you collect.

[5] Under Section 502(b)(2) of the GLB Act, as implemented by Section 332.13 of the federal regulatory agencies' final privacy regulations.

Alternative 1
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing arrangements:
- Information we receive from you on applications or other forms, such as your name, address, social security number, assets, and income;
- Information about transactions with us, [our affiliates,] or others, such as your account balance, payment history, parties to transactions, and credit card usage; and
- Information we receive from credit bureaus, such as your creditworthiness and your payment history.

Alternative 2
We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"], to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements.

It is important that the alternative you use is consistent with your institution's information disclosure practices.

Subsection 2: For Institutions that Disclose Nonpublic Personal Information Outside the Opt-Out Exceptions
If your institution discloses nonpublic personal information outside of the Section 502(e) opt-out exceptions, you need to include in your privacy policy notice information regarding:
- Categories of nonpublic personal information your institution discloses;
- Categories of parties to whom your institution discloses nonpublic personal information; and
- An explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right.

Categories of Nonpublic Personal Information
With respect to the categories of nonpublic personal information that your institution discloses, the final privacy regulations provide that an institution may meet this obligation by including one of the following alternatives, as applicable, in its privacy policy notice. Alternative 1 would be used to list the specific categories of information that you disclose; Alternative 2 would be used if you disclose all of the information that you collect.

Alternative 1
We may disclose the following kinds of nonpublic personal information about you:
- Information we receive from you on applications or other loan and account forms, such as your name, address, social security number, assets, and income;
- Information about your transactions with us, [our affiliates,] or others, such as your account balance, payment history, parties to transactions, and credit card usage; and
- Information we receive from credit bureaus, such as your creditworthiness and your payment history.

Alternative 2
We may disclose all of the information that we collect, as described above [or below].

Again, it is important that the examples included in each of these paragraphs are consistent with the information actually disclosed to such entities by your institution.

Categories of Parties to Whom the Institution Discloses Nonpublic Personal Information
With respect to the categories of parties to whom the institution discloses nonpublic personal information and the explanation of the opt-out methods, the final privacy regulations provide that an institution may meet these obligations by including the following sample language, as applicable, in its privacy policy notice.

We may disclose nonpublic personal information about you to the following types of third parties:
- Financial service providers, such as [provide illustrative examples, such as "mortgage bankers, securities broker-dealers, and insurance agents"];
- Non-financial companies, such as [provide illustrative examples, such as "retailers, direct marketers, airlines, and publishers"]; and
- Others, such as [provide illustrative examples, such as "non-profit organizations"].
We also may disclose nonpublic personal information about you to nonaffiliated third parties (i.e., third parties that are not members of our corporate family) as permitted by law.

Before using this sample privacy policy notice, you should ensure that the information contained in it is consistent with your institution's actual privacy policies and practices.

Explanation of the Consumer's Right to Opt Out
The following example is one way to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties. Note that you should add a description of the way(s), which must be reasonable, in which consumers may exercise their opt-out right.

If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties [with respect to this loan or account], you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as "call the following toll-free number: (insert number)"]. [6]

An example of such a privacy policy notice, selecting certain of the alternatives shown above, is contained on the following page.

[6] It should also be noted that the regulations permit several opt-out methods in addition to the use of toll-free numbers. For example, you may offer: a designated check-off box in a prominent position on the form with the opt-out notice; a reply form together with the opt-out notice; and an electronic means to opt out if the consumer agrees to the electronic delivery of information.

Sample 3
Sample Privacy Policy Notice

Protecting your privacy is important to [institution name]. We want you to understand what information we collect and how we use it. In order to provide our customers with a broad range of financial products and services as effectively and conveniently as possible, we use technology to manage and maintain customer information.

What Information We Collect
We may collect nonpublic personal information about you from the following sources:
- Information we receive from you on applications or other loan and account forms;
- Information about your transactions with us, our affiliates or others; and
- Information we receive from third parties such as credit bureaus.
Nonpublic personal information is nonpublic information about you that we obtain in connection with providing a financial product or service to you. For example, nonpublic personal information includes information regarding your account balance, payment history, and overdraft history.

What Information We Disclose
A. We may disclose the following kinds of nonpublic personal information about you:
- Information we receive from you on applications or other loan and account forms, such as your name, address, social security number, assets and income;
- Information about your transactions with us, our affiliates or others, such as your account balance, payment history, parties to transactions, and credit card usage; and
- Information we receive from credit bureaus, such as your creditworthiness and your payment history.
B. We may disclose nonpublic personal information about you to the following types of affiliates (i.e., companies related to us by common control or ownership) and nonaffiliated third parties (i.e., third parties that are not members of our corporate family):
- Financial service providers, such as mortgage bankers, securities broker-dealers and insurance agents;
- Non-financial companies, such as retailers, direct marketers, airlines and publishers; and
- Others, such as non-profit organizations.
If you prefer that we not disclose nonpublic personal information about you to such nonaffiliated third parties [with respect to this loan or account], you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may call the following toll-free number: 1-800-xxx-xxxx.

C. In addition, we may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing arrangements:
- Information we receive from you on applications or other forms, such as your name, address, social security number, assets and income;
- Information about transactions with us, our affiliates or others, such as your account balance, payment history, parties to transactions and credit card usage; and
- Information we receive from credit bureaus, such as your creditworthiness and your payment history.
D. We also are permitted under law to share information about our experiences or transactions with you or your account (such as your account balance and your payment history with us) with our affiliates. We also may share additional information about you or your account (such as information we receive from you in applications and information from credit reporting agencies) with our affiliates. You may direct us not to disclose to our affiliates information that does not relate solely to our or our affiliates' experiences or transactions with you or your account (such as the application information and credit bureau information) by calling us at 1-800-xxx-xxxx.
E. We also are permitted under law to disclose nonpublic personal information about you to nonaffiliated third parties in certain other circumstances. For example, we may disclose nonpublic personal information about you to third parties to assist us in servicing your loan or account with us, to government entities in response to subpoenas, and to credit bureaus.
F. If you decide to close your account(s) or become an inactive customer, we will continue to adhere to the privacy policies and practices described in this notice.

Our Security Procedures
We also take steps to safeguard customer information. We restrict access to your personal and account information to those employees who need to know that information to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.

Some Considerations in Preparing Your Privacy Notice

Consider Making a Timeline
Privacy notices must be sent to your customers no later than July 1, 2001. A timeline will help you meet that deadline. There is a lot to do, including a self-assessment of your information practices, drafting a privacy notice that conforms with your practices, involving your board and senior management, training your staff, mailing notices, and establishing procedures to answer customer questions.

Consider Public Versus Nonpublic Information
The law protects personally identifiable financial information, which is nonpublic personal information so long as it is not publicly available information. In general, publicly available information does not have the same protections as nonpublic personal information. The final rule states that information will be deemed to be publicly available if a financial institution has a reasonable basis to believe that the information is lawfully made available to the general public. An institution will have a reasonable basis for believing that information is lawfully made available if it has taken steps to determine that the information is of the type that is available to the general public and, if an individual could direct that the information not be made available to the general public, whether the individual has done so.

Consider the Following Examples of What Constitutes Nonpublic Personal Information
- Information a consumer provides on an application to obtain a loan, credit card, or other financial product or service;
- Account balance information, payment history, overdraft history, and credit or debit card purchase information;
- The fact that an individual is or has been a customer or has obtained a financial product or service from your institution;
- Information about your customer that, if disclosed, would indicate that the individual is or has been your customer;
- Any information that a customer provides to you or that you or your agent otherwise obtain in connection with collecting on a loan or servicing a loan;
- Any information you collect through an Internet "cookie"; and
- Information from a credit report.
Note: Aggregate data that do not contain personal identifiers are not considered nonpublic personal information.

Consider Customer Versus Consumer
The final rule makes a distinction between a consumer and a customer. A consumer is an individual who obtains or has obtained a financial product or service from you that is used primarily for personal, family or household purposes. A customer is a consumer with whom you have a continuing relationship. It is important to note that a consumer is not considered a customer when obtaining a product or service in isolated transactions, such as an ATM transaction or cashing checks for a non-account holder. The distinction is important. You do not have to provide notices to consumers unless you disclose that consumer's nonpublic personal information to nonaffiliated third parties outside the exceptions, while you must provide customers an initial notice of your privacy policy and a notice annually thereafter throughout the duration of the customer relationship.

Consider Inactive Accounts
Institutions do not have to provide annual notices to former customers. The final rule offers examples of when a customer relationship has terminated, including a consecutive 12-month period without communications other than annual privacy notices and promotional material. The term "inactive" replaced the term "dormant" in the final rule. Characterizing an account as inactive should eliminate any potential confusion with the various state-law interpretations of what constitutes dormant status, and is consistent with the industry position that an institution's own policy should control when an account becomes inactive.

Consider Reviewing the Exceptions for Third-Party Arrangements to Make Sure You Have Acceptable Outsourcing Arrangements
Most community institutions meet the exceptions for third-party arrangements, so they do not have to provide opt-out notices. It's a good idea to review each outsourcing arrangement so that you can show the regulators that you meet the exceptions, in particular that the written contract restricts the third party's use and redisclosure of the information, as the service-provider exception requires.

Consider Adding Your Privacy Notice to Your Website
The final rule permits use of an institution's Website, with customer consent, for delivering the privacy and opt-out notices, but the notices must be clearly and conspicuously posted. This is different from an Internet policy that covers only what an institution may capture from Internet users. Check with your information security personnel before posting on the web.

Sample Privacy Language for Third-Party Contractors[7]

As part of the Gramm-Leach-Bliley Act, Congress enacted a limit on the reuse and redisclosure of information covered by the rule. The agencies also contemplated, but rejected, a requirement that institutions monitor third-party use of nonpublic personal information provided by the institutions. In keeping with the industry mission of advancing the cause of maintaining the trust of our customers, ABA urges institutions to require third parties to keep information confidential. The following are sample paragraphs that you can use in third-party agreements.

Sample 1
Confidential Information. Contractor agrees that all information received by Contractor from [Institution Name] or from any other source on [Institution Name]'s behalf is Confidential Information and shall be maintained in confidence and not disclosed, used or duplicated, except as described in this paragraph. Confidential Information includes, without limitation, all lists of customers, former customers, applicants and prospective customers and all information relating to and identified with such persons; business volumes or usage; financial information; pricing information; software and software documentation; and information concerning business plans or business strategy. Contractor may use Confidential Information only in connection with performance under this Agreement, and Contractor shall not copy Confidential Information or disclose Confidential Information to any third person, including employees of Contractor who do not need Confidential Information in order to perform under this Agreement. Confidential Information shall be returned to [Institution Name] or destroyed upon request of [Institution Name] once the services contemplated by this Agreement have been completed.

Contractor shall not advertise, market or otherwise make known to others any information relating to the subject matter of this Agreement, including mentioning or implying the name of [Institution Name]. If Contractor proposes to disclose Confidential Information to a third party in order to perform under this Agreement, Contractor must first obtain the consent of [Institution Name] to make such disclosure, and Contractor must enter into a confidentiality agreement with such third party under which that third party would be restricted from disclosing, using or duplicating such Confidential Information, except as consistent with this paragraph. If requested by [Institution Name], any employee, representative, agent or subcontractor of Contractor shall enter into a non-disclosure agreement with [Institution Name], satisfactory to [Institution Name], to protect the Confidential Information of [Institution Name]. A breach by Contractor of its confidentiality obligations or the use by Contractor of [Institution Name]'s name without prior consent may cause [Institution Name] to suffer irreparable harm in an amount not easily ascertained. Contractor agrees that any breach resulting from gross negligence, whether threatened or actual, will give [Institution Name] the right to terminate this Agreement immediately, obtain equitable relief (i.e., obtain an injunction to restrain such disclosure or use), and pursue all other remedies [Institution Name] may have at law or in equity. The provisions of this section shall survive the termination of this Agreement.

[7] It is important that your legal counsel review the language to assure that it is consistent with your specific institution's circumstances.

Sample 2
Contractor acknowledges that all information and documents disclosed by [Institution Name] to Contractor, or which come to Contractor's attention during the course of its performance of Services under this Agreement, constitute valuable assets of and are proprietary to [Institution Name], and also acknowledges that [Institution Name] has a responsibility to its customers and employees to keep [Institution Name] records and information confidential and proprietary.

Sample 3
Contractor shall establish and maintain policies and procedures designed to ensure the confidentiality of the customer information (nonpublic personal information). Among other things, Contractor acknowledges that it is against federal law to disclose nonpublic personal information received from a financial institution under certain circumstances. Therefore, Contractor agrees not to disclose, either directly or indirectly, to any person, firm or corporation information of any kind, nature or description concerning matters affecting or relating to the business of [Institution Name] unless the information is already in the public domain. This provision shall survive termination of this Agreement.

Exceptions to the Opt-Out Provisions in Gramm-Leach-Bliley

The provisions in the GLB Act that address the sharing of information with third parties are perhaps the most important ones contained in the Act. Community financial institutions, in order to remain competitive, must sometimes share information outside their family of companies for a variety of purposes, including the need to offer a broad range of products and services. The American Bankers Association worked extremely hard to ensure that most smaller institutions would not be required to provide opt-out notices. The following opt-out exceptions, taken directly from Regulation P, permit financial institutions to share nonpublic personal information with third parties without providing privacy opt-out notices.

Subpart C: Exceptions

§ 216.13 Exception to opt out requirements for service providers and joint marketing.
(a) General rule.
(1) The opt out requirements in §§ 216.7 and 216.10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you:
(i) Provide the initial notice in accordance with § 216.4; and
(ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 216.14 or § 216.15 in the ordinary course of business to carry out those purposes.
(2) Example. If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in § 216.14 or § 216.15 in the ordinary course of business to carry out that joint marketing.
(b) Service may include joint marketing. The services a nonaffiliated third party performs for you under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.
(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

§ 216.14 Exceptions to notice and opt out requirements for processing and servicing transactions.
(a) Exceptions for processing transactions at consumer's request.
The requirements for initial notice in § 216.4(a)(2), for the opt out in §§ 216.7 and 216.10, and for service providers and joint marketing in § 216.13 do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
(1) Servicing or processing a financial product or service that a consumer requests or authorizes;
(2) Maintaining or servicing the consumer's account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
(3) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.
(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:
(1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) Required, or is a usual, appropriate or acceptable method:
(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;
(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(iii) To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker;
(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;
(v) To underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; or
(vi) In connection with:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means;
(B) The transfer of receivables, accounts, or interests therein; or
(C) The audit of debit, credit, or other payment information.

§ 216.15 Other exceptions to notice and opt out requirements.
(a) Exceptions to opt out requirements. The requirements for initial notice in § 216.4(a)(2), for the opt out in §§ 216.7 and 216.10, and for service providers and joint marketing in § 216.13 do not apply when you disclose nonpublic personal information:
(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
(2)(i) To protect the confidentiality or security of your records pertaining to the consumer, service, product, or transaction;
(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
(iii) For required institutional risk control or for resolving consumer disputes or inquiries;
(iv) To persons holding a legal or beneficial interest relating to the consumer; or
(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;
(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors;
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
(5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or
(ii) From a consumer report reported by a consumer reporting agency;
(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
(7)(i) To comply with Federal, State, or local laws, rules and other applicable legal requirements;
(ii) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or
(iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorized by law.
(b) Examples of consent and revocation of consent.
(1) A consumer may specifically consent to your disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to you for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.
(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 216.7(f).


American Bankers Association: 1-800-BANKERS, www.aba.com