A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
- Notices (initial, annual, revised, opt out, short-form, and simplified);
- Institutional privacy policies and procedures, including those to:
  - process requests for nonpublic personal information, including requests for aggregated data;
  - deliver notices to consumers;
  - manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
  - prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
  - prevent the unlawful disclosure of account numbers;
- Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;
- Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);
- Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);
- Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
- Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
- Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions; and
- Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).
B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree" (Attachment A). Identify which module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:
- Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
- Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
- Frequency and effectiveness of monitoring procedures;
- Adequacy and regularity of the institution's training program;
- Suitability of the compliance audit program for ensuring that:
  - the procedures address all regulatory provisions as applicable;
  - the work is accurate and comprehensive with respect to the institution's information sharing practices;
  - the frequency is appropriate;
  - conclusions are appropriately reached and presented to responsible parties; and
  - steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and
- Knowledge level of management and personnel.
E. Ascertain areas of risk associated with the financial institution's sharing practices (especially those within Section 13 and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.
F. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures, if any, should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the institution's compliance management system and the level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to cites within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.
G. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.
H. Formulate conclusions.
- Summarize all findings.
- For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
- Identify action needed to correct violations and weaknesses in the institution's compliance system, as appropriate.
- Discuss findings with management and obtain a commitment for corrective action.