I. Purpose
The purpose of this policy is to ensure compliance within Facebank with the Gramm-Leach-Bliley Act (GLBA) information-sharing practices set forth by 12 CFR Part 1016 – Privacy of Consumer Financial Information. This part requires financial institutions to provide each consumer with a written privacy policy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the institution's information-sharing practices. The notice must also identify the consumer’s right to opt out of having the information shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act. The unaffiliated parties receiving the Non-Public Personal Identifiable Information (NPPII) are held to the terms accepted by the consumer under the original relationship agreement. The act also requires financial institutions to develop a written information security plan describing their processes and procedures for protecting clients’ Non-Public PII. GLBA Non-Public PII guidelines apply to any non-public information, which is defined as information a customer may provide to facilitate a transaction or which is otherwise obtained by the institution. As a covered entity, Facebank must ensure compliance with this Policy & Program in order to build a thorough understanding of each department handling nonpublic information, and to develop and monitor the program that secures that information. If there are changes in how information is collected, stored, or used, the safeguards must be updated as well. The Federal government provides a set of standards for safeguarding customer information. Complying with this Part ensures the effective management of change while reducing risk. Changes include, but are not limited to, improvements, updates, and maintenance. All changes must be evaluated, planned and monitored in order to minimize any adverse impact to Facebank’s operations.
II. Scope
The objective of this policy is to establish the general guidelines to ensure that Facebank and its affiliates safeguard the confidentiality of personally identifiable information (PII) gathered from customer records in paper, electronic or other forms, in order to protect customers’ privacy and secure their sensitive personal information against unauthorized access. This policy applies to all Facebank personnel who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle NPPII. This policy establishes the general guidelines for handling NPPII in order to prevent and limit noncompliance with GLBA in Facebank’s daily operations.
Non-Public PII includes, but is not limited to, any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, Passport/VISA/Government identification number or other information on an application), any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases), or any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report). Non-Public PII does not include information that you have a reasonable basis to believe is lawfully made “publicly available.” In other words, information is not NPPII when you have taken steps to determine that the information is generally made lawfully available to the public, and that the individual can direct that it not be made public and has not done so. Publicly available information includes, but is not limited to, federal, state, or local government records made available to the public, and information that is widely distributed through media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access.
This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes, and is applicable to Facebank as a financial institution for which the Bureau of Consumer Financial Protection (Bureau) has rulemaking authority pursuant to section 504(a)(1)(A) of the Gramm-Leach-Bliley Act (GLB Act).
III. Definitions
o Affiliate: Is any company that controls, is controlled by, or is under common control with Facebank.
o Consumer: Is an individual or that individual’s legal representative, who obtains or has obtained a financial product or service from Facebank that is to be used primarily for personal, family, or household purposes.
o Customer: Is a consumer who has a continuing relationship with Facebank under which Facebank provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
o Financial service: Includes, among other things, Facebank’s evaluation, assistance or brokerage of information that is collated in connection with a request or an application from a consumer for a financial product or service.
o Nonaffiliated third party: Is any person except Facebank’s affiliate or a person employed jointly by Facebank and a company that is not the bank’s affiliate.
o Non-Public Personal Identifiable Information (NPPII): Is any information that is not publicly available and that a consumer provided to Facebank to obtain a financial product or service from the institution, that results from a transaction between the consumer and Facebank involving a financial product or service, or that Facebank otherwise obtains about a consumer in connection with providing a financial product or service.
o Opt Out: The right provided to customers and/or consumers to discontinue the sharing of his/her NPPII with a nonaffiliated third party.
IV. Policy
Safeguards Over Information
– Facebank protects customer information to achieve confidentiality, integrity and availability. Confidentiality means that NPPII is not available or disclosed to unauthorized persons. Integrity means that NPPII is not altered or destroyed in an unauthorized manner. Availability means that NPPII is accessible and usable on demand by an authorized person.
– Facebank attains administrative safeguards by implementing security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
– Facebank achieves physical safeguards by limiting physical access to its facilities while ensuring that authorized access is allowed and follows the appropriate established procedures.
– Facebank achieves technical safeguards by implementing technical policies and procedures that allow only authorized users to access electronic NPPII. Electronic measures must be put in place to confirm that NPPII has not been improperly altered or destroyed.
– Facebank will achieve organizational safeguards by taking reasonable steps to cure any activity or practice that constitutes a material breach or violation. Violations include the failure to implement safeguards that reasonably and appropriately protect NPPII.
– Facebank will adopt reasonable and appropriate procedures to comply with this Policy. Facebank must maintain written security procedures and written records of required actions, activities or assessments.
– Facebank must perform a risk assessment if a breach occurs to evaluate the probability that the protected information has been compromised.
Requirements for Notices
– Privacy notices must be clear and conspicuous and must accurately reflect the institution’s privacy practices.
– The privacy notice will be provided so that each recipient can reasonably be expected to receive actual notice, in writing or electronically.
– Privacy notices will be available on Facebank’s website.
– The privacy notice includes the following information:
Notice Duties to Customers
Information to be collected from Customers when Opening a New Account
– Facebank will notify new-account customers that the following information is required: his/her name, address, date of birth, profession, origin of income, and any other information that will allow the identification of the customer. This applies to deposit accounts, credit accounts, and any other type of account offered by Facebank.
– Facebank might also request the license ID, Passport or any other identification document from the customer or representative, if applicable.
– Facebank will notify the customer that it reserves the right to request additional documents regarding the account’s primary signature, authorized signatures, and/or the origin of funds reflected on the account, and/or the customer’s income.
– Facebank will notify the client that he/she is not required to accept the disclaimers when opening a new account. If clients are not in agreement with the disclaimers, Facebank will close the new account and return the available funds by check or via wire transfer at no cost to the client.
Opt Out Duties to Consumers
– Facebank will send an initial notice of its privacy policies and practices via e-mail, providing this is the official method of communication, as all customers must agree.
consumer to opt out.
information could be disclosed in the following scenarios:
Monitoring of Compliance
Response Program for Unauthorized Access to Customer Information and Customer Notice
– Facebank has in place a risk-based response program, including customer notification procedures, to address unauthorized access to or use of customer information maintained by Facebank or its service provider that could result in substantial harm or inconvenience to any customer, and requires disclosure of a data security breach if the covered entity concludes that misuse of its information about a customer has occurred or is reasonably possible. Pursuant to the guidance, substantial harm or inconvenience is most likely to result from improper access to “sensitive customer information”.
– Facebank’s response program general procedures are:
– Facebank has an affirmative duty to protect its customers’ information against unauthorized access or use, and customer notification of a security breach involving the customers’ information is a key part of that duty.
Breach Notification Contents
– The contents of a breach notification should contain the following elements:
customers affected by telephone or by electronic mail.
Suspicious Activity Report (“SAR”)