Purpose and Objectives
This Policy reaffirms and formalizes TransCapital Bank's realization of, and respect for, the privacy expectations and rights of our customers regarding financial information and other related information that the Bank has or gathers in the normal course of business. It is intended to provide guidance to the Bank’s personnel as well as assurance to its customers. TransCapital Bank policies are written with the intention to be in full compliance with all applicable laws and regulations.
Employee: For the purpose of this Policy, includes all directors, officers, and employees of the Bank as well as any attorneys, agents, or outside vendors, who become privy to customer information.
Consumer: An individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from the Bank that is to be used primarily for personal, family, or household purposes. An example of a consumer would be a loan applicant. A consumer is not necessarily a customer.
Customer: A person who has established a “continuing relationship” with the Bank. (For example, an approved loan applicant who signs a note would become a customer).
Nonpublic personal information: Personally identifiable information relating to a consumer, except when there is a reasonable belief that the information is publicly available. For example, customer relationships with the Bank presumably are nonpublic personal information. However, if personally identifiable information relating to a consumer is publicly available, that information is excluded from nonpublic personal information.
Publicly available information: Any information that the Bank has a reasonable basis to believe is lawfully made available to the general public from Federal, State, or local government records; widely distributed media; or disclosures to the general public that are required to be made by Federal, State, or local law. (For example, a published telephone directory, or the public record of real estate transactions.)
The Board of Directors has the ultimate responsibility to appropriately establish and maintain this Policy and assure that it is being observed in the daily operations of the Bank. The Chief Executive Officer is ultimately responsible for carrying out this Policy. The CEO will also inform the Board of necessary or desirable changes to the Policy.
1. Recognition of Privacy Expectations
2. Use, Collection and Retention of Private Information
3. Maintenance and Accuracy of Private Information
4. Appropriate Limitation of Employee Access to Private Information
5. Protection of Private Information via Established Security Procedures
6. Restrictions Regarding the Disclosure of Private Information
7. Maintaining Privacy in Business Relationships with Third Parties
8. Disclosure of Privacy Principles
Recognition of a Customer’s Expectation of Privacy
Customers of the Bank are entitled to the absolute assurance that the information, which the Bank has obtained through various means, concerning their financial circumstances and personal lives, will be treated with the highest degree of confidentiality and respect. Certain expectations of privacy also carry legal rights of customers that are either granted or confirmed to them through various federal and state laws and regulations. All employees are directed by this Policy to assure customers of the Bank's commitment to preserving the privacy of their information. A notice, which contains an abbreviated version of this Policy, will be available in all Bank offices and posted on the Bank's Web site, if any. This notice is included as part of this Policy, and is designed to be a direct disclosure to customers under the circumstances described later in this Policy.
Use, Collection and Retention of Consumer Information
In the normal course of business, the Bank collects, retains and uses information about consumers and customers (both individual and corporate). This data is only obtained when the Bank reasonably believes the gathering of such information would be useful and allowed by law to administer the Bank’s business and/or to provide products, services or opportunities to its customers.
Maintenance of Accurate Information
This Policy directs Executive Management to establish procedures to ensure that, to the extent practicable, all customer financial information is accurate, current and complete, in accordance with commercial banking standards. The Bank will respond promptly and affirmatively to any legitimate customer request to correct inaccurate information, including forwarding of corrected information to any third party that had received the inaccurate information. In these instances, the Bank will record that the customer requested such corrective action, and will contact the third party to ensure that they are aware of the corrected information.
Limitation on Employee Access
Executive Management will take all steps necessary to ensure that only employees with a legitimate business reason for knowing specific personally identifiable customer information will have access to such information. To the extent practicable, access will be limited by computer access codes and by granting limited access to areas in which sensitive customer information is retained. Employees will be informed of these standards at the time of their initial employment and periodically reminded of them during training sessions each calendar year. Willful violation of this element of this Policy will result in disciplinary action against the offending individual, which may include termination. Inadvertent violations will be dealt with in a manner that ensures such violations are not repeated.
Protection of Information
The Bank will maintain appropriate security standards and procedures to prevent unauthorized access to customer information. Such procedures are designed to prevent access by not only unauthorized employees, but others as well. Such others include, but are not limited to, non-employees with otherwise legitimate reasons for being on the premises and “computer hackers”.
General Restriction on the Disclosure of Customer Information
The Bank will not, except in cases allowed or required under the law, reveal specific information about customer accounts or other nonpublic personal information to any nonaffiliated third parties unless the customer has been provided the required privacy disclosures and is given the opportunity to decline or “opt out”.
Business Relationships with Third Parties
If the Bank is requested to provide personally identifiable information to a third party, from which the consumer has no right to “opt out”, and that request is in all respects consistent with other elements of this Policy, the Bank may accede to the request. However, this will only be done if the Bank believes that the party adheres to similar privacy principles, no less stringent than set forth in this Policy, that provide for keeping such information confidential.
The Bank will not enter into an agreement with any entity covered under the first category of exceptions found later in this Policy, unless that entity maintains at least the same extent of confidentiality of information as the Bank. In addition, the entity is required to limit the use of such information solely to the purposes for which it is disclosed, or as otherwise permitted by law.
Disclosure of Privacy Principles to Customers
Disclosure of the Privacy Notice (appended as a part of this Policy) shall be provided to new or potential customers prior to first receiving private information, and, in accordance with regulations, annually thereafter. Unless the Bank shares nonpublic personal information as described in the three categories of exceptions listed below, a notice of the right to “opt out” will accompany each privacy notice. However, if the Bank does share nonpublic personal information as described within the three categories of exceptions listed below, a simplified privacy notice will be provided to customers. An “opt out” by any one party on an account (such as joint accounts) will “opt out” for each party on the account.
The notice may be delivered by hand, by mail, or electronically, as specified in the pertinent banking regulation. If the notice is provided electronically, the consumer must be required to acknowledge receipt as a necessary condition for obtaining a financial product or service.
Exceptions to the “Opt Out” Requirements for Service Providers and Joint Marketing
The “opt out” requirements do not apply if: (1) the Bank provides nonpublic personal information about a consumer to a nonaffiliated third party to perform services for the Bank, or to act on the Bank’s behalf; (2) the Bank provides the appropriate initial required notice and subsequently enters into a contractual agreement with a third party that is required to maintain at least the same extent of confidentiality as the Bank; and (3) that agreement limits the third party’s use of the information solely to the purposes for which it is disclosed or as otherwise permitted by law.
Exceptions to the “Opt Out” Requirements for Processing and Servicing Transactions
The requirements for initial and annual “opt out” disclosure do not apply if the Bank discloses nonpublic personal information:
- As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer.
- To service or process a financial product or service requested or authorized by the consumer.
- To maintain or service the consumer’s account with the Bank, or with another entity, as part of a private label credit card program or another extension of credit on behalf of such entity.
- In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights), or a similar transaction related to a transaction of the consumer.
Other Exceptions to Notice and “Opt Out” Requirements
There are additional exceptions to the “opt out” requirements. The requirements for initial and annual “opt out” disclosure do not apply when the Bank discloses nonpublic personal information in the following circumstances:
- With the consent or direction of the consumer, provided that the consumer has not revoked the consent or direction.
- For the following protective or legal situations:
  · To protect the confidentiality or security of the Bank’s records pertaining to the consumer, service, product, or transaction.
  · To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
  · For required institutional risk control or for resolving consumer disputes or inquiries.
  · To persons holding a legal or beneficial interest relating to the consumer.
  · To persons acting in a fiduciary or representative capacity on behalf of the consumer.
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the Bank, persons that are assessing the Bank’s compliance with industry standards, and the Bank’s attorneys, accountants, and auditors.
- To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 USC 3401), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety.
- To a consumer reporting agency, in accordance with the Fair Credit Reporting Act (15 USC 1681), or from a report received from a consumer reporting agency.
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of that nonpublic personal information solely concerns consumers of that business or unit.
- To comply with federal, state, or local laws, rules, and other applicable legal requirements. Specifically:
  · To comply with a properly authorized civil, criminal, or regulatory investigation, or a subpoena or summons by federal, state, or local authorities; or
  · To respond to judicial process or government regulatory authorities having jurisdiction over the Bank for examination, compliance, or other purposes as authorized by law.
Employee Education and Training
Executive Management is directed to provide a copy of this Policy to all Bank employees and to obtain a receipt from each employee acknowledging that fact. After any amendments or modifications to this Policy have been duly adopted, a copy of the amended Policy will be given to each employee and again acknowledged by receipt. At least once during each calendar year, the Bank will conduct a meeting of all employees during which matters affecting customers’ rights to privacy will be discussed. Such meetings will include discussions on the following:
- The proper use of customer information.
- Procedures for maintaining security of information.
- The importance of confidentiality and customer privacy.
- Any incidents or patterns of behavior that are covered under this Policy.
Record Keeping and Reporting
Executive Management will maintain a separate file for the purpose of retaining any customer complaints that relate to this Policy. The information regarding any complaint should include the exact nature of the complaint, describe the corrective actions taken, and confirm that the corrective actions resolved the complaint. Executive Management will make a report annually to the Board concerning customer complaints regarding privacy issues. The report shall include the frequency and nature of such complaints and corrective actions taken. Complaints of a nature sufficient to present a risk of regulatory enforcement action and/or civil money penalties are required to be reported when they occur.
Development and Implementation of an Information Security Program
TransCapital has developed, implemented, and maintained a comprehensive information security program. This program, in order to accomplish the objectives stated above, consists of three elements:
- Assignment of responsibilities, including that of the Board of Directors.
- Assessment of risk, particularly transaction risks.
- Management and control of risk.
Assessment of Risk
The Bank has taken the following initial steps and will continue to perform them on an ongoing basis:
- Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. It is understood that connections with public networks and the Internet could expose the Bank to security challenges including, but not limited to, unauthorized users, system failures, access and data privacy issues, and computer viruses.
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
- Monitor and assess the sufficiency of policies, procedures, customer information systems, and other arrangements that are in place to control privacy risks.
Management and Control of Risk
The Bank has designed and implemented an information security program to control identified risks that are commensurate with the sensitivity of the information, as well as the complexity and scope of the Bank's activities. This end-to-end security program includes bank-wide implementation of physical and data security controls to protect critical information, human resources, and physical assets from internal or external intrusion or compromise. The following security measures were evaluated to determine if they were appropriate and to be adopted into the Bank’s Policy.
- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals. This will assist in preventing employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
- Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals.
- Proper disposal of trash, outdated backup tapes from the computer rooms, and other customer-sensitive documents. This may include incineration, shredding, erasing of disks/tapes, etc.
- Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.
- Procedures designed to ensure that customer information system modifications are consistent with the Bank's information security program and the Bank’s hardware and system specifications.
- Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for, or access to, customer information.
- Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems. This includes monitoring tools to identify vulnerabilities and, in a real-time mode, detect possible intrusions from external and internal parties (e.g., hackers, improperly trained employees, etc.).
- Response programs that specify actions to be taken when the Bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
- Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
Employee Education and Training
Education and training on this Policy’s requirements for safeguarding customer information has been integrated into the Bank’s broader program regarding privacy issues.
- Executive Management will provide a copy of this Policy to all Bank employees and obtain a receipt from each employee acknowledging that fact. After any amendments or modifications to this Policy have been duly adopted, a copy of the amended Policy will also be given to each employee, again acknowledged by receipt.
- At least once during each calendar year, the Bank will conduct a meeting of all employees during which matters affecting customers’ rights to privacy will be discussed. Such meetings will include discussions on the following:
  · The proper use of customer information.
  · Procedures for maintaining security of information.
  · The importance of confidentiality and customer privacy.
  · Any incidents or patterns of behavior that are covered under this Policy.
  · Training regarding the implementation of the Bank's information security program.
  · Emergency procedures for protection of systems and information.
Testing of the Program
The Bank will regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests will be determined by Management’s risk assessment. Tests will be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
Monitoring of Security Program
The Bank will continually attempt to identify vulnerabilities and to detect possible intrusions from external and internal parties. As provided in the Bank’s Security Policy, staff should report security breaches promptly to appropriate management and external officials. Management will ensure that monitoring is consistent with applicable laws and regulations governing access to, or use of, sensitive or confidential information.
If the Bank offers a PC banking system, Management will select several key performance indicators to determine whether the system is working as planned. Indicators may include such items as system response times, system availability, types of customer inquiries, problem resolution, traffic volume, and customer profiles. Performance monitoring reports will be used to identify system inefficiencies, address performance problems, and address any breaches in sensitive information.
Overseeing Service Provider Arrangements
The standards of the information security program will also be applied to outside service providers. The Bank’s Management will therefore:
- Exercise appropriate due diligence in selecting service providers.
- Require service providers, by contract, to implement appropriate measures designed to meet the objectives of this Policy.
- Monitor, where indicated by the Bank's risk assessment, that service providers confirm that they have satisfied these obligations. As part of this monitoring, the Bank will review audits, summaries of test results, or other equivalent evaluations of service providers.
Updating and Adjusting the Program
As appropriate, Management will monitor, evaluate, and adjust the Information Security Program. There will be an emphasis on any relevant changes in technology, internal or external threats to information, and the Bank's own changing business arrangements. Changes in business arrangements can include mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.
The Board of Directors has the ultimate responsibility to:
- Approve the Bank's written information security program.
- Oversee the development, implementation, and maintenance of the Bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from Management.
- Ensure technical expertise by providing special staffing and training needs for personnel involved in system development, operations, and customer support. This includes determining how resources will be allocated to hire and train employees to run and support the Bank’s operating systems, as well as periodic assessments of the competency of Bank staff.
The Chief Executive Officer is responsible for carrying out this Policy. In addition, the CEO will make recommendations to the Board of Directors regarding any changes deemed appropriate or necessary.
Review of Policy
The Board of Directors will include a review of this Policy, coordinated with its review of the overall Privacy of Information Policy, at least once each year. It will make any revisions and amendments it deems appropriate. In addition, the Chief Executive Officer will be responsible for suggesting more frequent revisions as situations or changes in laws or regulations dictate.
- EXAMPLE PRIVACY NOTICE -
NOTICE OF YOUR FINANCIAL PRIVACY RIGHTS
OUR PRIVACY PLEDGE TO YOU
As our customer you provide us with important information about yourself. We believe it is our responsibility to safeguard your personal and financial information. While some financial institutions share account owner information with other businesses, we are committed to keeping it confidential.
We, our, and us, when used in this notice, mean TransCapital Bank.
This is our privacy notice for our customers. When we use the words “you” and “your” we mean the following types of customers:
- Our consumer customers who have a continuing relationship by purchasing or holding financial products or services such as a(n):
  · Deposit account
  · Loan account
  · Credit card account
  · Mortgage brokerage services
We will tell you the sources of the information we collect about you. We will tell you what measures we take to secure that information.
We first define some terms.
Nonpublic personal information means information about you that we collect in connection with providing a financial product or service to you. Nonpublic personal information does not include information that is available from public sources, such as telephone directories or government records. Hereafter, we will use the term “information” to mean nonpublic personal information as defined in this section.
An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control.
A nonaffiliated third party is a person we do not employ or a company that is not an affiliate of ours. In this notice, a nonaffiliated third party is also referred to simply as an “other party.”
THE INFORMATION WE COLLECT
We collect information about you from the following sources:
- Information you give us on applications or other forms
- Information about your transactions with us
- Information about your transactions with other parties
- Information from a consumer reporting agency
INFORMATION WE DISCLOSE ABOUT YOU
We do NOT disclose any information about you to anyone, except as permitted by law.
THE CONFIDENTIALITY, SECURITY, AND INTEGRITY OF YOUR INFORMATION
We restrict access to information about you to those employees who need to know that information to provide products or services to you. We maintain physical, electronic, and procedural safeguards to protect this information.
We do not disclose information about former customers, except as permitted by law.