Privacy: What is Your Confidence Level? - Mortgage Compliance Magazine


General Data Protection Regulation. California Consumer Privacy Act. Gramm-Leach-Bliley Act. The privacy and protection of consumer information is ever-changing and becoming more complicated. And, it’s a hot topic. How confident are you that your organization has the proper controls in place to protect your customers’ information to comply with GLBA and perhaps the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)?  Here are some checkpoints to review:

 

Does your program cover GLBA’s key concepts?

  • Nonpublic personal information: Any information that is not publicly available and that:
    • A consumer provides to your financial institution to obtain a financial product or service;
    • Results from a transaction between the consumer and your financial institution involving a financial product or service; or
    • Your financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

      What is considered ‘publicly available’? Information that your financial institution has a reasonable basis to believe is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Information in a telephone book or in a mortgage or security interest filing are examples.

      Keep in mind that special rules exist regarding lists: Information that is publicly available is treated as nonpublic if it is included on a list of consumers derived from nonpublic personal information. Yet, a list of mortgage customers from public mortgage records would be considered information that is publicly available.

  • Nonaffiliated third parties: Your customers need to be given the right to opt out of your financial institution disclosing nonpublic personal information to a nonaffiliated third party, unless an exception to that right applies.
  • Policies and procedures need to distinguish consumer from customer: Additional disclosure requirements exist for your financial institution regarding its customers. Remember, all customers are consumers, but not all consumers are customers. The key words tied to your customers are ‘continued customer relationship.’ Also, keep in mind the special rule for loans. When your financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. Yet, your financial institution is still responsible to protect any customer information that it retains.
  • Requirements for notices: Based on your financial institution’s activities, does it comply with all notice requirements? Do procedures clearly document these processes?
  • Limitations on disclosure of account numbers: Your financial institution’s procedures must address that it will not disclose an account number for a credit card, deposit, or transaction account to any nonaffiliated third party for telemarketing, direct mail marketing, or other marketing through electronic mail.
  • Redisclosure and reuse limitations on nonpublic personal information received: Disclosure and use of nonpublic personal information is limited when your financial institution receives this information from a nonaffiliated financial institution. Do you know how your financial institution addresses this in policies and procedures?
  • Connections to the Fair Credit Reporting Act (FCRA): Remember that the GLBA doesn’t supersede the FCRA, and make sure that compliance is occurring with both laws’ requirements regarding information sharing with your financial institution’s affiliates.
  • Information security program: Data breaches seem to be the norm rather than a rarity. The blows to reputation and the bottom line are hefty. Are you aware that the FTC, earlier this year, sought comments on proposed amendments to the safeguard rule and the privacy rule under GLBA that protect the privacy and security of customer information held by financial institutions? Expect to see more on this evolving issue.
  • Do the GDPR and the CCPA impact your financial institution? Not sure? Review the following articles we’ve published earlier this year that are superb resources:

Stay on top of this hot area of compliance: focus your reading on learning more, and then act on this changing area!

On a different note, everyone at Mortgage Compliance Magazine wishes you a Happy Thanksgiving – we are thankful for YOU!

“Gratitude is not only the greatest of virtues but the parent of all others.”— Cicero

 

Around the Industry:

Happening Now

The CFPB recently issued an interpretive rule clarifying screening and training requirements for state-licensed mortgage companies that employ loan originators with temporary authority. The interpretive rule clarifies that the employer is not required to conduct the screening and ensure the training of loan originators with temporary authority. The state will perform the screening and training as part of its review of the individual’s application for a state loan originator license. Remember, the rule is effective on November 24, 2019.

MCM Q&A

How collaborative and proactive is your organization regarding the three lines of defense? Listen to or read this article from our September issue to create a roadmap for creating buy-in.