PRIVACY POLICY

Personal Information Privacy Protection Policy

The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999. In addition to reforming the financial services industry, the Act addressed concerns relating to consumer financial privacy. It required the Federal Trade Commission (FTC) and the other government agencies that regulate financial institutions to issue regulations carrying out the Act’s financial privacy provisions. Those regulations required all covered businesses to be in full compliance by July 1, 2001.

The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule (the “Privacy Rule”). Anyone who uses this policy should also review the Privacy Rule itself, found at 16 C.F.R. Part 313 (May 24, 2000).

The Privacy Rule applies to businesses that are “significantly engaged” in “financial activities” as described in section 4(k) of the Bank Holding Company Act. According to the Bank Holding Company Act provision and regulations established by the Federal Reserve Board, “financial activities” include:

  • Lending, exchanging, transferring, investing for others, or safeguarding money or securities. These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders.
  • Providing financial, investment or economic advisory services. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors.
  • Brokering loans.
  • Servicing loans.
  • Debt collecting.
  • Providing real estate settlement services.
  • Career counseling (of individuals seeking employment in the financial services industry).

Customer vs Consumer

The Bank’s obligations depend on whether we have “customers” or “consumers.” In brief, the Privacy Rule requires the Bank to give notice of its privacy practices to all of its “customers” and, if the Bank shares their information in certain ways, to its “consumers” as well.

Under the Rule, a “consumer” is someone who obtains or has obtained a financial product or service from the Bank that is to be used primarily for personal, family, or household purposes, or that person’s legal representative. The term “consumer” does not apply to commercial clients, like sole proprietorships. Therefore, where the Bank’s client is not an individual, or is an individual seeking the Bank’s product or service for a business purpose, the Privacy Rule does not apply.

Examples of “consumer” relationships:

  • cashing a check with a check-cashing company
  • making a wire transfer
  • applying for a loan, whether or not the individual actually obtains the loan

“Customers” are a subclass of consumers who have a continuing relationship with the Bank. It’s the nature of the relationship – not how long it lasts – that defines our customers. Even if an individual repeatedly uses our services for unrelated transactions, she may not be our “customer.” For example, if an individual uses the ATM at the bank where she does not have an account, those isolated transactions, no matter how frequent, do not make her the bank’s customer. She would still be a “consumer” of the bank.

A former customer “has obtained” a financial product or service from the Bank but no longer has a continuing relationship with us. For purposes of our obligations under the Privacy Rule, a former customer is a consumer.


Examples of “customer” relationships:

  • Opening a credit card account with the Bank
  • Leasing an automobile from an auto dealer
  • Using the services of the Bank as a mortgage broker to secure financing
  • Obtaining the services of a tax preparer or investment adviser
  • Getting a loan from the Bank

Customer Relationships and Loans

A special rule defines the customer relationship when several financial institutions participate in a loan transaction. The Bank establishes a customer relationship with an individual when it originates a loan. If the Bank sells the loan but maintains the servicing rights, it continues to have a customer relationship with the individual. If the Bank transfers the servicing rights but retains an ownership interest in the loan, the individual is a “consumer” of the Bank and a “customer” of the institution with the servicing rights. If other institutions hold an ownership interest in the loan (but not the servicing rights), the individual is their consumer, too.

What information is covered?

The Privacy Rule protects a consumer’s “nonpublic personal information” (NPI). NPI is any “personally identifiable financial information” that the Bank collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.”

NPI is:

  • Any information an individual gives the Bank to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
  • Any information the Bank gets about an individual from a transaction involving the Bank’s financial product(s) or service(s) (for example, the fact that an individual is our consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
  • Any information the Bank gets about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

NPI does not include information that the Bank has a reasonable basis to believe is lawfully made “publicly available.” In other words, information is not NPI when the Bank has taken steps to determine:

  • That the information is generally made lawfully available to the public; and
  • That the individual can direct that it not be made public and has not done so.

For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be “publicly available.”


Publicly Available Information Includes:

  • Federal, state, or local government records made available to the public, such as the fact that an individual has a mortgage with the Bank.
  • Information that is in widely distributed media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access.

Information in a list form may be NPI, depending on how the list is derived. For example, a list is not NPI if it is drawn entirely from publicly available information, such as a list of the Bank’s mortgage customers in a jurisdiction that requires that information to be publicly recorded. Also, it is not NPI if the list is taken from information that is not related to the Bank’s activities, for example, a list of individuals who respond to a newspaper ad promoting a non-financial product the Bank sells.

But a list derived even partially from NPI is still considered NPI. For example, the Bank’s list of its borrowers’ names and phone numbers is NPI even if the Bank has a reasonable basis to believe that those phone numbers are publicly available, because the existence of the customer relationships between the borrowers and the Bank is NPI.


Putting It All Together:

Examples of Nonpublic Personal Information (in list form)

  • List of the Bank’s credit card customers
  • List of the Bank’s consumer, residential home, or HELOC loans

Privacy Notices.

The Bank must give its customers – and in some cases its consumers – a “clear and conspicuous” written notice describing its privacy policies and practices. When the Bank provides the notice, and what the notice must say, depend on what the Bank does with the information.

Who Gets a Privacy Notice?

Customers

Whether or not the Bank shares customer NPI, the Bank must give all customers a privacy notice. The Bank must provide an “initial notice” by the time the customer relationship is established. If this would substantially delay the customer’s transaction, the Bank may provide the notice within a reasonable time after the customer relationship is established, but only if the customer agrees.

If the Bank shares NPI with nonaffiliated third parties outside of the exceptions described below (see “Exceptions”), the Bank also must give its customers:

  • An “opt-out” notice explaining the individual’s right to direct the Bank not to share her NPI with a nonaffiliated third party;
  • A reasonable way to opt out; and
  • A reasonable amount of time to opt out before the Bank discloses her NPI.

The Bank must also give its customers an “annual notice” – a copy of our full privacy notice – for as long as the customer relationship lasts, and a revised notice if the Bank’s privacy practices change during the year.

Consumers Who Are Not Customers

Before the Bank shares NPI with nonaffiliated third parties outside of the exceptions described below (see “Exceptions”), the Bank must give its non-customer consumers a privacy notice, including an opt-out notice. If the Bank does not share information with nonaffiliated third parties, or if the Bank only shares within the exceptions, the Bank does not have to give a privacy notice to its consumers.

If the Bank is required to provide a privacy notice to the Bank’s consumers, the Bank may choose to give them a “short-form notice” instead of a full privacy notice. The short-form notice must:

  • Explain that the Bank’s full privacy notice is available on request;
  • Describe a reasonable way consumers may get the full privacy notice; and
  • Include an opt-out notice.

The Contents of the Privacy Notice

The Bank’s notice must accurately describe how the Bank collects, discloses, and protects NPI about consumers and customers, including former customers. The notice must include, where it applies to the Bank, the following information:

  • Categories of information collected. For example, nonpublic personal information obtained from an application or a third party such as a consumer reporting agency.
  • Categories of information disclosed. For example, information from an application, such as name, address, and phone number; Social Security number; account information; and account balances.
  • Categories of affiliates and nonaffiliated third parties to whom the Bank discloses the information. For example, financial services providers, such as mortgage brokers and insurance companies; or non-financial companies, such as magazine publishers, retailers, direct marketers, and nonprofit organizations. The Bank also may describe categories of other nonaffiliated parties to whom the Bank may disclose NPI in the future.
  • Categories of information disclosed and to whom under the joint marketing/ service provider exception in section 313.13 of the Privacy Rule (see “Exceptions“).
  • If the Bank is disclosing NPI to nonaffiliated third parties under the exceptions in sections 313.14 (exceptions for processing or administering a financial transaction) and 313.15 (exceptions, including fraud prevention or complying with federal or state law and others) of the Privacy Rule  (see “Exceptions“), a statement that the disclosures are made “as permitted by law.”
  • If the Bank is disclosing NPI to nonaffiliated third parties, and that disclosure does not fall within any of the exceptions in sections 313.14 and 313.15, an explanation of consumers’ and customers’ right to opt out of these disclosures  (see “Opt-Out Notices“).
  • Any disclosures required by the Fair Credit Reporting Act (see “Fair Credit Reporting Act“).
  • The Bank’s policies and practices with respect to protecting the confidentiality and security of NPI (see “Safeguarding NPI”).

The Bank only needs to address those items listed above that apply to it. For example, if the Bank doesn’t share NPI with affiliates or nonaffiliated third parties except as permitted under sections 313.14 and 313.15, the Bank can provide a simplified notice that: (1) describes the Bank’s collection of NPI; (2) states that the Bank only discloses NPI to nonaffiliated third parties “as permitted by law;” and (3) explains how the Bank protects the confidentiality and security of NPI.

The Appearance of the Privacy Notice

The privacy notice must be “clear and conspicuous,” whether it is on paper or on a website. It must be reasonably understandable, and designed to call attention to the nature and significance of the information. The notice should use plain language, be easy to read, and be distinctive in appearance. A notice on a website should be placed on a page that consumers use often, or it should be hyperlinked directly from a page where transactions are conducted.

Safeguarding NPI

The Privacy Rule requires that the Bank’s privacy notice provide an accurate description of the Bank’s current policies and practices with respect to protecting the confidentiality and security of NPI. For example, the notice may state that the Bank restricts access to NPI to employees who need the information to provide products or services to the Bank’s consumers or customers.

Delivering Privacy Notices

The Bank must deliver its privacy notices to each consumer or customer in writing, or, if the consumer or customer agrees, electronically. Written notices may be delivered by mail or by hand. For individuals who conduct transactions with the Bank electronically, the Bank may post its privacy notice on its website and require them to acknowledge receiving the notice as a necessary part of obtaining a particular product or service. For annual notices, the Bank may reasonably expect that its customers have received the notice if they use the Bank’s website to access its financial products or services, agree to receive notices at the website, and the Bank posts the notice continuously in a clear and conspicuous manner on its website.

Notices given orally or posted in the Bank office(s) don’t comply with the rule.

Opt-Out Notices

General Obligations

If the Bank shares consumers’ or customers’ NPI with nonaffiliated third parties outside of the three exceptions (see “Exceptions”), the Bank must give those consumers and customers an “opt-out notice” that clearly and conspicuously describes their right to opt out of the information being shared. An opt-out notice must be delivered with a privacy notice, and it can be part of the privacy notice.

The opt-out notice must describe a “reasonable means” for consumers and customers to opt out. They must receive the notice and have a reasonable opportunity to opt out before the Bank can disclose their NPI to these nonaffiliated third parties. Acceptable “reasonable means” to opt out include a toll-free telephone number or a detachable form with a check-off box and mailing information. Requiring the consumer or customer to write a letter as the only option is not a “reasonable means” to opt out.

Note: While the GLB Act does not require the Bank to provide an opt-out notice if the Bank only discloses NPI to affiliates, if the Bank shares certain information with the Bank’s affiliates, the Bank may have an obligation to provide an opt-out notice under the Fair Credit Reporting Act. That opt-out notice must be included in the Bank’s GLB privacy notice (see “Fair Credit Reporting Act“).

Exercising the Opt-Out Right

The Bank must give consumers and customers a “reasonable opportunity” to exercise their right to opt out, for example, 30 days after the Bank sends the initial notice, either on- or off-line, before the Bank can share their information with nonaffiliated third parties outside the exceptions. For an isolated consumer transaction, like buying a money order, the Bank may require its consumers to make their opt-out decision before completing the transaction.

Consumers and customers who have the right to opt out may do so at any time. Once the Bank receives an opt-out direction from an existing consumer or customer, the Bank must comply with it as soon as is reasonably possible.

The Shelf Life of an Opt-Out Direction

An opt-out direction by a consumer or customer is effective – even after the customer relationship is terminated – until canceled in writing, or, if the consumer agrees, electronically. However, if a former customer establishes a new customer relationship with the Bank and the Bank is required to provide an opt-out notice, the customer must make a new opt-out direction, which will apply only to the new relationship.

SUMMARY OF NOTICE REQUIREMENTS

Exceptions

Exceptions to the Notice and Opt-Out Requirements

There are several exceptions to the notice and opt-out requirements. These exceptions are in sections 313.14 (“section 14 exceptions”) and 313.15 (“section 15 exceptions”) of the Privacy Rule. If the Bank shares information only under these sets of exceptions, the Bank doesn’t need to give its consumers a privacy notice, but it will need to give its customers a simplified initial and, if applicable, an annual privacy notice. Customers and consumers have no right to opt out of these disclosures of NPI.

The section 14 exceptions apply to various types of information-sharing that are necessary for processing or administering a financial transaction requested or authorized by a consumer. This includes, for example, disclosing NPI to service providers who help mail account statements and perform other administrative activities for a consumer’s account. It also includes disclosures to and by creditors listed by a consumer on a credit application to perform a credit check.

The section 15 exceptions apply to certain types of information-sharing, including disclosures for purposes of preventing fraud, responding to judicial process or a subpoena, or complying with federal, state, or local laws. Examples of appropriate information disclosures under this exception include those made to technical service providers who maintain the security of the Bank’s records; the Bank’s attorneys or auditors; a purchaser of a portfolio of consumer loans the Bank owns; and a consumer reporting agency, consistent with the Fair Credit Reporting Act (see “Fair Credit Reporting Act”).

Exception to the Opt-Out Requirement: Service Providers and Joint Marketing

Another exception can be found in section 313.13 (“section 13 exception”) of the Privacy Rule. If the Bank shares information under this exception, the Bank must give its customers – and its consumers if the Bank shares their information – a privacy notice that describes this disclosure. However, consumers and customers do not have a right to opt out of this information sharing.

The section 13 exception covers disclosures to certain service providers and for certain marketing activities. It covers disclosures to third-party service providers whose services for the Bank do not fall within the section 14 exceptions. For example, if the Bank hires a nonaffiliated third party to provide services in connection with marketing the Bank’s products, to market financial products jointly for the Bank and another financial institution, or to do a general analysis of the Bank’s customer transactions, the Bank’s disclosure of NPI for these purposes does not fall under the section 14 exceptions. Therefore, the Bank can use the section 13 exception for these types of service providers.

The section 13 exception also applies to marketing financial products or services offered through a “joint agreement” with one or more other financial institutions. The “joint agreement” requirement means that the Bank has entered a written contract with one or more financial institutions about the joint offering, endorsement, or sponsorship of a financial product or service. This does not apply to any kind of joint marketing the Bank does, but only joint marketing with other financial institutions and only the marketing of financial products or services.

To take advantage of the section 13 exception, the Bank must enter a contract with those nonaffiliated third parties with whom it shares NPI. The agreement must guarantee the confidentiality of the information by prohibiting the third party or parties from using or disclosing the information for any purpose other than the one for which it was received. Contracts with nonaffiliated service providers that were effective before July 1, 2000 and do not have the required confidentiality provision must be amended to include such a provision by July 1, 2002.


LIMITS ON REUSE AND REDISCLOSURE OF NPI

General Obligations.

If the Bank receives NPI from a nonaffiliated financial institution, the Bank’s ability to reuse and redisclose that information is limited. The limits depend on how the information was disclosed to the Bank. These limits apply to any recipient of the information, whether or not the recipient is itself a financial institution.

Restrictions on Reuse and Redisclosure if NPI is Received Under the Section 14 or 15 Exceptions

The Bank may receive NPI from a nonaffiliated financial institution (“originating financial institution”) under the section 14 or 15 exceptions. In these situations, the Bank may only disclose and use the information in the ordinary course of business to carry out the purpose for which it was received. That purpose may include disclosures to other parties under the section 14 or 15 exceptions in order to carry out that activity, or as otherwise necessary, such as to respond to a subpoena. The Bank may also disclose the information to its affiliates, who are limited in their reuse and redisclosure of the information in the same way as the Bank is, and to affiliates of the originating financial institution.

Restrictions on Reuse and Redisclosure if NPI is Received Outside the Section 14 or 15 Exceptions

Alternatively, the Bank may receive NPI from a nonaffiliated financial institution outside the section 14 or 15 exceptions. For example, the Bank may want to purchase a financial institution’s customer list in order to market the Bank’s own products to those individuals. In these cases, the originating financial institution may disclose NPI only about those consumers or customers who were informed about this type of disclosure in its privacy notice and who did not opt out after receiving notice and the opportunity to opt out.

In this situation, the Bank may use the information internally for its own purposes. However, the Bank may only redisclose the information consistent with the privacy policy of the originating financial institution. In other words, the Bank steps into the shoes of the originating financial institution and may disclose the same kinds of NPI to the same entities as the originating institution. For example, if the originating financial institution’s privacy notice informed its consumers and customers that it would only share their NPI with “nonfinancial institutions, such as charitable organizations,” the Bank may redisclose the NPI to charitable institutions as well. However, because the originating institution does not disclose NPI to other financial institutions, such as an insurance provider, the Bank cannot either, because that type of company is not covered by the originating institution’s privacy policy.

The Bank may also disclose the information to its affiliates, whose redisclosure is limited in the same way as the Bank’s, and to affiliates of the originating financial institution.


DISCLOSURE OF ACCOUNT NUMBERS IS PROHIBITED

The GLB Act prohibits the Bank from sharing account numbers or similar access numbers or codes for marketing purposes. This prohibition applies even when a consumer or customer has not opted out of the disclosure of NPI concerning her account. The prohibition applies to disclosures of account numbers for an individual’s credit card account, deposit account, or “transaction account” to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to any consumer. A “transaction account” is any account to which a third party may initiate a charge. This provision does not prohibit the sharing of an encrypted account number, provided the third party receiving the information has no way to decrypt it.

This prohibition applies to the complete marketing transaction, including posting a charge to an account. However, it does not apply when the Bank discloses an account number to the Bank’s agent or service provider just to market the Bank’s own products or services, as long as the party receiving the information can’t directly initiate charges to the account.

The exceptions in sections 313.14 and 313.15 of the Privacy Rule do not apply to the disclosure of account numbers for marketing purposes. For example, the Bank may not rely on a customer’s consent to disclose her account number for marketing purposes.

OTHER ISSUES

The Fair Credit Reporting Act

The Gramm-Leach-Bliley Act’s notice and opt-out provisions are in addition to the obligations imposed by the Fair Credit Reporting Act (FCRA). If the FCRA currently requires that the Bank make clear and conspicuous disclosures to its consumers regarding the sharing of certain information (such as consumer report and application information) with the Bank’s affiliates, the Bank must continue to do so. The GLB Act requires these disclosures to be made as part of any privacy policy the Bank gives to its consumers or customers.

Router and Firewall

Form submissions must pass through a router and a firewall before they are permitted to reach the web server. The router directs traffic to the server, and the firewall (whether a dedicated appliance or software on the server itself) decides which of that traffic is allowed through. The firewall is configured on a default-deny basis: ALL inbound traffic is disallowed, and openings are added only where necessary to process acceptable data requests, such as retrieving web pages or sending customer requests to the bank. Any traffic that does not match an explicit opening is dropped.

These controls, together with encryption of the connection itself, protect your check reorder transactions.
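The following is an added illustration of what the default-deny policy described above looks like in practice on a Linux web server, written as an nftables ruleset. It is not the Bank’s actual configuration; the interface names, the management network (192.0.2.0/24) and the choice of ports are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example of a default-deny host firewall for a public web server.
# Not the Bank's real configuration; addresses and ports are assumed.
flush ruleset

table inet filter {
    chain input {
        # Deny everything by default; only the rules below open holes.
        type filter hook input priority 0; policy drop;

        iif "lo" accept                                   # local loopback only
        ct state established,related accept              # replies to connections we started
        ct state invalid drop                             # malformed or out-of-state packets

        # IPv6 neighbour discovery must be allowed or IPv6 stops working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # The only services this host offers to the public.
        tcp dport { 80, 443 } ct state new accept         # web pages and TLS form submissions

        # Administrative access only from the assumed management network.
        ip saddr 192.0.2.0/24 tcp dport 22 ct state new accept

        # Everything else is logged (rate-limited) and then dropped by the chain policy.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is a server, not a router: never forward packets.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Before loading such a ruleset, check it with `nft -c -f <file>` (parse only) and keep an out-of-band console session open, since a mistake in the SSH rule locks the administrator out. The host ruleset is a second layer; the network-edge firewall the text refers to should apply the same default-deny principle to the whole server segment.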

Lost or Stolen Debit Card

If your Debit Card is lost or stolen, please call 715-423-6460 during working hours.

CEO Message

KeySavings Bank is a mutual bank, meaning that all of our clients are members. Members enjoy the benefits of reduced fees, lower interest rates on loans, and more investment opportunities.