
Privacy of Consumer Financial Information

Back To FIL-46-2001 Attachments A - C Examination Checklist

Module 1

Note: Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.

A. Disclosure of Nonpublic Personal Information

  1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

    1. Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

    2. Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§10).

  2. If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in Section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).

B. Presentation, Content, and Delivery of Privacy Notices

  1. Review the financial institution's initial, annual and revised notices, as well as any short-form notices that the institution may use for consumers who are not customers. Determine whether or not these notices:

    1. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));

    2. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

    3. Include, and adequately describe, all required items of information and contain examples as applicable (§6). Note that if the institution shares under Section 13 the notice provisions for that section shall also apply.

  2. Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

    1. Timeliness of delivery (§§4(a), 7(c), 8(a));

    2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and

    3. For customers only, review the timeliness of delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).

C. Opt Out Right

  1. Review the financial institution's opt out notices. An opt out notice may be combined with the institution's privacy notices. Regardless, determine whether the opt out notices:

    1. Are clear and conspicuous (§§3(b) and 7(a)(1));

    2. Accurately explain the right to opt out (§7(a)(1));

    3. Include and adequately describe the three required items of information (the institution's policy regarding disclosure of nonpublic personal information, the consumer's opt out right, and the means to opt out) (§7(a)(1)); and

    4. Describe how the institution treats joint consumers (customers and those who are not customers), as applicable (§7(d)).

  2. Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written records where available, determine if the institution has adequate procedures in place to provide the opt out notice and comply with opt out directions of consumers (customers and those who are not customers), as appropriate. Assess the following:

    1. Timeliness of delivery (§10(a)(1));

    2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9);

    3. Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)); and

    4. Adequacy of procedures to implement and track the status of a consumer's (customers and those who are not customers) opt out direction, including those of former customers (§7(e), (f), (g)).

D. Checklist Cross References

    Regulation Section                    | Subject                                                   | Checklist Questions
    --------------------------------------|-----------------------------------------------------------|---------------------------
    4(a); 6(a, b, c, e); and 9(a, b, g)   | Privacy notices (presentation, content, and delivery)     | 2, 8-11, 14, 18, 35, 36, 40
    4(a, c, d, e); 5; and 9(c, e)         | Customer notice delivery rules                            | 1, 3-7, 37, 38
    13                                    | Section 13 notice and contracting rules (as applicable)   | 12, 47
    6(d)                                  | Short form notice rules (optional for consumers only)     | 15-17
    7; 8; and 10                          | Opt out rules                                             | 19-34, 41-43
    14, 15                                | Exceptions                                                | 48, 49, 50

Module 2

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15, but not outside of these exceptions

A. Disclosure of Nonpublic Personal Information

  1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

    1. Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).

    2. Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

  2. Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in Section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).

B. Presentation, Content, and Delivery of Privacy Notices

  1. Review the financial institution's initial and annual privacy notices. Determine whether or not they:

    1. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));

    2. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

    3. Include, and adequately describe, all required items of information and contain examples as applicable (§§6, 13).

  2. Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

    1. Timeliness of delivery (§4(a));

    2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and

    3. For customers only, review the timeliness of delivery (§§4(d), 4(e), and 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).

C. Checklist Cross References

    Regulation Section                    | Subject                                                   | Checklist Questions
    --------------------------------------|-----------------------------------------------------------|---------------------------
    4(a); 6(a, b, c, e); and 9(a, b, g)   | Privacy notices (presentation, content, and delivery)     | 2, 8-11, 14, 18, 35, 36, 40
    13                                    | Section 13 notice and contracting rules                   | 12, 47
    4(a, c, d, e); 5; and 9(c, e)         | Customer notice delivery rules                            | 1, 3-7, 37, 38
    14, 15                                | Exceptions                                                | 48, 49, 50

Module 3

Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.

Note: This module applies only to customers.

A. Disclosure of Nonpublic Personal Information

  1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.

    1. Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.

B. Presentation, Content, and Delivery of Privacy Notices

  1. Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of the Section 14 and 15 exceptions. Determine whether or not these notices:

    1. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));

    2. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

    3. Include, and adequately describe, all required items of information (§6).

  2. Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:

    1. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and

    2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).

C. Checklist Cross References

    Regulation Section        | Subject                                     | Checklist Questions
    --------------------------|---------------------------------------------|---------------------
    6                         | Customer notice content and presentation    | 8-11, 14, 18
    6(c)(5)                   | Simplified notice content (optional)        | 13
    4(a, d, e); 5; and 9      | Customer notice delivery process            | 1, 3-7, 35-40
    14, 15                    | Exceptions                                  | 48, 49, 50

Module 4

Reuse and redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).

B. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution's compliance with reuse and redisclosure limitations.

  a. Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step b below (§11(a)(1)(i) and (ii)).

  b. Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).

C. Checklist Cross References

    Regulation Section    | Subject                    | Checklist Question
    ----------------------|----------------------------|-------------------
    11(a)                 | Reuse and redisclosure     | 44

Module 5

Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of Sections 14 and 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure of the information where the institution is the recipient of nonpublic personal information (§11(b)).

B. Select a sample of data received from nonaffiliated financial institutions and shared with others to evaluate the financial institution's compliance with redisclosure limitations.

  a. Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step b below (§11(b)(1)(i) and (ii)).

  b. If the institution shares information with entities other than those under step a above, verify that the institution's information sharing practices conform to those in the nonaffiliated financial institution's privacy notice (§11(b)(1)(iii)).

  c. Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution (§§10, 11(b)(1)(iii)).

C. Checklist Cross References

    Regulation Section    | Subject                    | Checklist Question
    ----------------------|----------------------------|-------------------
    11(b)                 | Reuse and redisclosure     | 45

Module 6

Account number sharing

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers' accounts (§12(b)(1)).

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).

D. Checklist Cross References

    Regulation Section    | Subject                    | Checklist Question
    ----------------------|----------------------------|-------------------
    12                    | Account number sharing     | 46


Last Updated 5/17/2001 communications@fdic.gov