How to Use the Self-Assessment Questionnaire
This questionnaire has been structured for use by banks, savings institutions and holding companies of all sizes. As such, not all
questions or sections may apply to your organization. The questions should be posed to all of your business units to determine
information-sharing practices throughout your organization.
Completing the self-assessment will help you draft a privacy policy notice that is appropriate for your organization. Key questions are
noted with an “asterisk” [*]. If you answer “yes” to any of these questions, you may need to use Sample 2 or Sample 3 of the Sample
Privacy Policy Notices contained in Tool 3: Complying with Gramm-Leach-Bliley.
The questionnaire can be downloaded from ABA’s website, www.aba.com, streamlined to meet your specific needs and reformatted
to provide adequate space for your answers.
Definitions to Use During the Self-Assessment

The term “organization” refers to your entire bank, savings institution, or holding company.

The term “business unit” refers to an organizational unit — whether affiliate, subsidiary, or line of business — of your
organization.

The term “customer” refers to someone who has a continuing relationship with you in which you provide personal, family or
household services. (This is consistent with the definition of “customer” in the GLB Act.)

The term “third party” refers to non-bank entities to which you outsource certain business functions or those with which you
have affinity or co-branded arrangements, joint ventures, or marketing-related relationships. It is very important to
understand the types of third-party arrangements you have because the GLB Act regulations are different depending on
the type of third-party relationship.
[*] If you answer “yes” to any question marked with an asterisk, you may need to use Sample 2 or Sample 3 of the Sample Privacy
Policy Notices contained in Tool 3.
Self-Assessment Questionnaire
How Do You Collect Customer Information?
The vast majority of the information you collect from customers is categorized as “nonpublic personal information” under the GLB
Act. The term “nonpublic personal information” refers to personally identifiable financial information that is provided to you by a
customer, results from any transaction with a customer or service performed for a customer, or is otherwise obtained by you. The fact
that a person is your customer is also considered nonpublic personal information.
Under the new regulation, information will be deemed to be “publicly available” and thus excluded from the definition of nonpublic
personal information if you have a “reasonable basis to believe that the information is lawfully made available to the general
public.” You will have a “reasonable basis” for believing the information is available to the general public if your institution has
taken steps to determine its availability and, if an individual could direct that the information not be made available to the general
public, whether they have done so.
o What types of information do you collect from or maintain about your customers (e.g., application information, account
balance or transaction information)?
o By what means do you collect information from your customers (e.g., from applications, over the telephone or the Internet)?
o What information that you collect from customers can be obtained legally from public sources?
o Are certain customers provided (or do they need to be provided with) different levels of information protection, based upon
business needs or regulatory requirements?
o If you retain information on former customers or declined applicants, how do you use these data (e.g., for marketing purposes
such as reacquisition of the customer or to market a different product offering)? How long is information about former
customers retained?
o Do you purchase or collect information about your customers, or about potential customers, from outside sources (e.g.,
outside lists, marketing companies, external databases, consumer reporting agencies)?

If yes, please specify the names of these outside data sources.

Describe the type of information collected.
o Do you collect customer data or manage transactions through your organization’s website?

If yes, please describe the type of information collected.
o Do you collect customer data through a relationship with a “nonbank” or shared website (e.g., a third party provider of
internet banking services or a joint marketing effort with a strategic partner such as Excite or AOL)?
How Do You Share Customer Information Within Your Organization?
The sharing of customer information between business units within an organization is not restricted by the GLB Act (including
between operating subsidiaries and affiliates). Customers may, however, have told you directly that they do not want to receive
marketing solicitations. For instance, the Telephone Consumer Protection Act requires that you maintain a company “do not call”
list of persons who do not wish to receive telephone solicitations. Your customers’ names may also appear on the Direct Marketing
Association (DMA) “do not call” list.
If you have affiliates, the Fair Credit Reporting Act allows your customers to opt out of affiliate sharing of non-experience (other than
credit) information that you received from a credit bureau. Even if you do not have affiliates, these questions will help you understand
information flows between divisions or lines of business within your organization.
o Other than for a customer-initiated transaction, do you collect information about current, former, or declined customers from
other business units within the organization? Do you provide customer information to other units? [*]

Please specify the names of these business units.

Describe the type of information collected or provided.

What is this information used for (e.g., cross-marketing purposes, collections)?
o Do you maintain a list of customers who have told you they do not want to receive marketing solicitations?
o Is there an authorization process that other business units must go through in order to access and use your customer
information?
o Are formal agreements established with other organizational business units for customer data sharing? If so, please attach.
o Do requests for customer lists from within your business unit go through a single point of contact? If yes, please describe
where this list management function resides and who is the point of contact.
How Do You Share Customer Information with Third Parties?
The provisions in the GLB Act that address the sharing of information with third parties are perhaps the most important ones
contained in the Act. In general, nonpublic personal information may not be shared with any third party that is not an affiliate unless
the customer is given notice and the right to opt out of the disclosure.
There are important exceptions to this general rule, such as if the third party is performing services or functions on your behalf,
including marketing your own products or services or products and services offered pursuant to a joint marketing agreement (see
Tool 3’s Exceptions to the Opt Out Provisions in Gramm-Leach-Bliley). The exceptions, however, only apply if the fact that
information is shared with third-party marketers is disclosed to the customer and the third party agrees to maintain the confidentiality
of the information. It is strongly recommended that you have agreements to protect the confidentiality of customer data used by third
parties in all situations.
o Is customer information being shared between your business unit and third parties? If yes [*], please continue here. If not,
skip to the next section.
o Do you outsource certain business functions to third parties that have access to your customer data (e.g., data processing,
billing, and customer service)? If yes:

Identify each third party and type of data shared.

Describe any contract provisions that address the use of customer information. Do these contract provisions prohibit the
reuse of customer information and maintain the information’s confidentiality?

Describe any additional controls or practices (beyond the contract) to protect customer information.
o Do you use third parties to market your business unit’s products (e.g., mortgage brokers, online business partners)?
If yes [*]:

Describe any contract provisions that address the use of customer information.

Do these contract provisions prohibit the reuse of customer information and maintain the information’s confidentiality?

Describe any other controls or practices (beyond the contract) to protect customer information.
o Do you securitize any of your products or sell their servicing rights? If yes:

Describe any contract provisions that address the use of customer information. Do these contract provisions prohibit the
reuse of customer information and maintain the information’s confidentiality?

Describe any other controls or practices (beyond the contract) to protect customer information.
o Do you share customer information with other types of unaffiliated third parties (e.g., for marketing their products or joint
marketing of financial service products)? If yes [*]:

Identify each partner and type of data shared.

Describe any contract provisions that address the use of customer information. Do these contract provisions prohibit the
reuse of customer information and maintain the information’s confidentiality?

Describe any additional controls or practices (beyond the contract) to protect customer information.
o Does your bank have affinity or co-branding partners? How about loyalty programs? Do these programs involve the sharing
of personal information? [*]
o Do you receive income for customer information provided to unaffiliated third parties? If yes [*]:

What are the names of these third parties and what is the nature of the exchange?

What type of information is provided (e.g., name, address, transaction history, social security number)?

Describe any other controls or practices (beyond the contract) to protect customer information.
o Are you aware of any third parties that share your customer information with other third parties? If yes, please describe.
o Is there an authorization process to sign on additional third-party marketing partners? If yes, please describe.
o Are third-party marketing partners periodically audited or reviewed to validate their continued compliance with customer
privacy and security requirements? If yes, how?
o Do you acquire customers in bulk from other corporations (e.g., loan portfolio purchases, securitizations, mergers and
acquisitions)? If yes:

What are the names of these corporations and what is the nature of the exchange?

What type of information is provided (e.g., name, address, transaction history, social security number)?

Do you honor acquired customers’ existing choices regarding opt out (if any)? If yes, how?
o Do you provide these customers with a new opt-out opportunity? If yes, please describe.
o Do you report information to consumer reporting agencies?
How Do You Provide Customer Notice?
The GLB Act requires you to disclose your privacy policy to customers in a clear and conspicuous manner. Moreover, for
organizations with affiliated companies, the Fair Credit Reporting Act (FCRA) mandates that, before non-experience consumer
information is shared among affiliates, consumers must be clearly and conspicuously informed of the sharing and provided an
opportunity to opt out.
o Does your business unit inform customers about your information practices (e.g., how your business unit intends to use the
information collected and that their information may be shared with third parties)?

Do you accomplish this through an FCRA notice or a privacy policy? Please attach these notices and indicate when you
provide them to customers.

Is your privacy policy conspicuous and readily available to customers? Where does this notice appear?
o Do you educate customers about privacy or financial information issues in other ways than described above (e.g., providing
copies of frequently asked questions, hyperlinks to external privacy resources)? If yes, how and where? Please attach any
communication or educational material.
How Do You Provide Customers the Right to Opt Out?
Most community banks will not be required to provide an opt-out notice to their customers. However, some organizations may still
wish to give customers the right to opt out of marketing solicitations.
In general, nonpublic personal information may not be shared with any third party that is not an affiliate unless the customer is given
notice and the right to opt out of the disclosure. There are important exceptions, however, when it is not necessary to provide your
customers with the right to opt out of information sharing. For instance, an opt-out notice is not necessary if the third party is
performing services on your behalf, including marketing your own products or services or products and services offered pursuant to a
joint marketing agreement (see the portion of Tool 3 entitled “Exceptions to the Opt-Out Provisions in Gramm-Leach-Bliley”).
o Do you provide your customers the ability to opt out of the marketing of other products and services offered by your business
unit? If yes, where and when does this opt-out choice take place?
o Can customers opt out of information sharing across the organization for purposes other than a customer-initiated
transaction?

Can customers opt out of marketing based upon marketing method (i.e., email, phone, direct mail)? If yes, please
describe.

Are customers informed of the consequences of opting out of collection, use or marketing of personal information (e.g.,
that they will not receive notice of special offers or relationship pricing)?
o Are customers allowed to opt out of the sharing of their information with third-party marketing partners?

Are customers informed of the consequences (e.g., no special offers, reduced internet functionality) of opting out of
information sharing with third-party marketing partners?
How Do You Allow Customer Access and Correction?
Organizations make every effort to avoid inaccuracies. Nonetheless, having a procedure in place to correct any inaccuracies that
may occur is an important part of your overall information management system.
o Do you have written procedures for ensuring that customer records are regularly updated? If yes, please attach.
o Is there a simple method by which a customer may inquire about his or her record and make corrections if inaccuracies are
discovered?
o How quickly do you correct inaccurate or outdated information?
o Are customers informed that the corrections they requested have been made? If yes, how?
o Are changes communicated to other business units with which the customer has a relationship? If yes, describe.
o Do you allow customers access to data they have supplied to you (e.g., privacy preferences, email address)? If yes:

Describe how customers access this data.

Describe what type of data customers can view.
o Can customers submit changes to data they have supplied to you? If yes, how?
o Do you allow customers access to data you generate about them (e.g., customer segment, credit score)? If yes:

Describe how customers access this data.

Describe what type of data customers can view.

Can customers submit changes to information you’ve generated about them? If yes, how?
How Do You Provide Information Security?
The GLB Act requires the federal regulatory agencies to establish standards governing the administrative, technical and physical
safeguards of customer information.
o Do you have written policies and procedures to manage and control information security risks? If yes, please attach.
o Did your board approve these policies and procedures? Did the board oversee management’s implementation of the
information security program, and does it periodically evaluate its effectiveness?
o Do you have formal procedures for authenticating customers in person at a branch, through the mail, via the telephone, fax,
and the Internet? If yes, please describe.
o Do you have formal procedures to assist customers who have forgotten their password, PIN or other identification? If yes,
please describe.
o Do you use social security numbers to identify customers within your business unit?
o Do you have controls to protect customer social security numbers beyond those controls for other types of customer data? If
yes, please describe.
o Do you provide customer social security numbers to unaffiliated third parties? If yes, please describe.
o Do you have access restrictions at locations containing customer information, such as buildings, computer facilities, and
record storage facilities?
o Do you encrypt electronic customer information, including information while in transit or in storage on networks or systems
to which unauthorized individuals may have access?
o Do you have procedures to confirm that customer information system modifications are consistent with the institution’s
information security program?
o Do you have dual control procedures, segregation of duties, and employee background checks for employees with
responsibility for safeguarding or access to customer information?
o Do you have monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, customer
information systems?
o Do you have response programs that specify actions to be taken when unauthorized access to customer information systems
is suspected or detected?
o Do you have protection against and response programs to preserve the integrity and security of customer information due to
physical hazards or technological failures?
o Is there a single point of contact in your business unit responsible for addressing customer information practices? If so, please
indicate this person’s name and phone number.
How Are Questions and Concerns About Privacy Handled Within Your Organization?
As a portion of their forthcoming security regulations, the regulators must, under the provisions of the GLB Act, issue standards
governing who has access to customer information and the circumstances under which the information may be accessed.
o Do you inform customers how to contact your business unit or the corporation regarding privacy questions or concerns? If so,
please indicate how.
o Is there an escalation process to address customer privacy concerns that need to be resolved at a higher management level? If
yes, please explain.
o Are you aware of any loss of business due to your customers’ concerns over privacy? If yes, please describe.
o Do you measure or track customer privacy complaints or concerns? If yes, please describe.
o Are your customer information practices audited or reviewed?

If yes, is this review related to FCRA? If yes, please describe.

Are there other (non-FCRA) reviews performed? If yes, please describe.