Privacy Policy

EFFECTIVE DATE

All employees of GULF CAPITAL BANK must comply with the terms of this policy and its procedures immediately. Managers, employees and technical personnel must modify system configurations, forms, and procedures, if necessary, to comply with the terms of this procedure by December 16, 2019.


POLICY STATEMENT

The purpose of GLBA is to inform “consumers” of the Bank’s policies and practices of disclosing nonpublic personal information to nonaffiliated third parties and to provide them with the option of saying no. The rules apply only to information about individuals who obtain financial products or services to be used for personal, family or household purposes. Therefore, the rules do not apply to information about businesses, corporations, partnerships or similar entities or about individuals who obtain financial products or services for business purposes.


Description and Authority

This policy is a general statement of the Bank’s objectives and subsequent procedures to protect customer information and maintain privacy. Specifically, it addresses the following key components:

  1. Recognition and response of customer privacy expectations;
  2. Allowed practices of the collection, retention and use of customer information;
  3. Standards to maintain accurate customer information;
  4. Restrictions and limitations of employee access to customer information;
  5. Security procedures to protect customer information;
  6. Restrictions and limitations of disclosing customer information;
  7. Maintaining customer information privacy in business relationships with third party entities; and
  8. Customer disclosure requirements and compliance procedures.

Scope of Policy

This policy applies to:

  1. Bank employees;
  2. Any organization or individual with whom we have a contractual or fiduciary relationship;
  3. Information in all forms, including oral, written, image and electronic;
  4. Physical and logical (non-physical) protection;
  5. All modes of information processing, including, but not limited to, manual methods, hardware and software networks, other devices and information disposal techniques;
  6. Information used by the Bank which originates outside including, but not limited to, vendors, contractors, customers, regulators, other enterprises and the public domain; and
  7. The Bank’s information resources used by, shared by or in the custody of others.

NOTE: This statement of scope should not be interpreted to mean that all information resources must be protected equally.

The Bank expects that our third-party vendors will provide no less a level of customer privacy protection than that provided by the Bank. Conversely, the Bank will make every reasonable effort to apply the required level of customer privacy protection to partner information resources in our custodianship. These agreements should be concluded before accepting information resources from third parties.


Collection of Customer Information

The Bank collects customer information from many different sources, such as deposit accounts, loans, and other transactions. This includes such information as the customer’s name, address, tax identification number, telephone number, date of birth, mother’s maiden name, driver’s license number, credit report information and his or her signature when opening an account. In addition to the information the Bank collects for a deposit account, a customer requesting a loan is asked to provide additional information related to employment, income, assets, existing liabilities, dependents, financial history and any other relevant information.

The Bank collects transaction information about a customer such as balances, payee information, overdrafts and non-sufficient funds, payment history, address changes and changes in credit or financial standing while handling a deposit account or a loan.

The Bank collects information submitted from customers via e-mail correspondence.

The Bank’s Privacy Notice, described in detail within this policy, discloses to customers how the Bank manages customer information and under what circumstances such information may be released to third parties (if any).

This notice is disclosed to Bank customers at the time a new account is established or upon request. The Bank also re-discloses its Privacy Notice on an annual basis (see the exception noted below).

Maintenance of Customer Information

Customer information, whether in paper or electronic form, is maintained whenever the Bank transmits or stores it. Information is transmitted when it moves from one person or place to another. Examples include, but are not limited to:

  1. Business meetings;
  2. Telephone conversation;
  3. E-mail;
  4. Written correspondence, including handwritten notes;
  5. FAX transmissions;
  6. Voice mail;
  7. Presentations;
  8. Information posted or submitted on or through the Internet or our internal Intranet;
  9. Wires; or
  10. Automated Clearing House (ACH) transactions.

The Bank stores information maintained for current and historical reference. Examples include, but are not limited to:

  1. DVD, CD-ROM, magnetic tapes, disks, databases and optical files;
  2. Computer and network hard drives;
  3. LAN (Local Area Network) or WAN (Wide Area Network);
  4. Signature Cards;
  5. Statements and checks;
  6. Loan Files;
  7. Hard copies of reports;
  8. Paper containing customer information; and
  9. Voicemail.

Enforcement

Changes to this policy require approval by the Board of Directors of the Bank. Changes in operating procedures, standards, guidelines and technologies, provided they are consistent with this policy, may be authorized by the COMPLIANCE OFFICER.

The Board of Directors has the authority to approve this policy and reaffirms its approval annually thereafter. Senior Management is responsible for ensuring the directives are implemented and administered in compliance with the approved policy.

The primary responsibility for enforcement of this policy and its operating procedures rests with the COMPLIANCE OFFICER and our employees.

No part of this policy or its supporting operating procedures should be interpreted as contravening or superseding any other legal and regulatory requirements placed upon the Bank. Protective measures should not impede other legally mandated processes such as records retention or subpoenas. Any conflicts should be submitted immediately to the COMPLIANCE DEPARTMENT for further evaluation and/or subsequent submission to the Bank’s legal counsel.


Exceptions to Policy

Requests for exceptions to this policy must be very specific and may only be granted on specific items, rather than to entire sections. Bank personnel with exceptions are to communicate their requests by submitting an internal memorandum to the COMPLIANCE OFFICER for consideration by Senior Management.


RESPONSIBILITIES

All Bank personnel have specific responsibilities under Regulation P that are directly related to their job functions. Each employee is also responsible for being aware of how the way he or she performs his or her job can affect customer privacy, in the ways outlined in this section.

Board of Directors

The Board of Directors has the ultimate responsibility to ensure the proper management of the Bank’s Privacy Program. To this end, the Board of Directors has charged Senior Management with the responsibility to determine the necessary course of action to ensure adherence to appropriate laws and regulations is managed in an effective and consistent manner for the entire organization.

Specifically, the Board of Directors is responsible for:

  1. Ensuring the quality of the Bank’s Privacy Program;
  2. Designating a qualified Bank Privacy Officer (the Compliance Officer);
  3. Maintaining a working knowledge of the Bank’s Privacy Program; and
  4. Reviewing for formal adoption the written policies and procedural guidelines necessary to ensure effective adherence with applicable compliance laws and regulations.

Senior Management/Bank Privacy Officer

Senior Management, in addition to a Bank Privacy Officer appointed by the Board of Directors, is responsible for the supervision and overall management of the Bank’s Privacy Program. On at least an annual basis, the Bank Privacy Officer is to make a written report to the Board of Directors regarding the status of the Bank’s compliance activities with respect to the Bank’s Privacy Program.

Specifically, Senior Management and/or the Bank Privacy Officer are responsible for:

  1. Supporting the directives of this policy and communicating accomplishments or privacy issues to the Board of Directors;
  2. Establishing clear lines of authority for the Bank’s privacy program;
  3. Supervising and managing compliance and skill levels of all Bank personnel;
  4. Recognizing identity fraud or information theft attempts;
  5. Holding all Bank personnel accountable for compliance with the Bank’s privacy program;
  6. Performing a privacy risk assessment for all areas of the Bank;
  7. Training Bank personnel on Privacy Program directives; and
  8. Supporting an independent Privacy Program audit program.

Compliance Committee

The Compliance Committee is to provide assistance and support to the Bank Privacy Officer in promoting effective management of the Bank’s Privacy Program.

Specifically, the Compliance Committee is responsible for:

  1. Assisting the Bank COMPLIANCE OFFICER in ensuring the compliance mandate established by this policy is an integral part of Bank operations;
  2. Ensuring the Board of Directors is informed of the Bank’s compliance efforts on a periodic basis;
  3. Providing guidance to the COMPLIANCE OFFICER in causing the Bank to adapt to changes mandated by the law;
  4. Reviewing and approving the Bank’s Program training program;
  5. Providing assistance to the COMPLIANCE OFFICER with the responses to audit exceptions and/or regulatory examination results; and
  6. Providing overall general guidance and expertise to ensure the successful implementation of the Bank’s Privacy Program.

Operations and Support Personnel

Operations and support personnel are required to conduct the following procedures in promoting effective management of the Bank’s Privacy Program.

  1. Know when and how to provide the Bank’s privacy notices to consumers and customers;
  2. Be able to explain the basics of the Bank’s compliance to customers and Bank personnel;
  3. Protect all customer information (clean desks, secure computer screens when absent, lock documents in the branch vault at night, etc.), keeping all documents containing transactions, signature cards, customer and employee lists and reports, logs, telephone messages, and files out of customers’ view;
  4. Do not discuss a customer’s business within hearing distance of another customer;
  5. Supervise and manage compliance and skill levels of all branch personnel (applies to supervisors);
  6. Know whether the opt-out rule applies;
  7. Recognize identity fraud and information theft attempts;
  8. Be familiar with requirements for government access to customer information;
  9. Keep passwords private;
  10. Shred all documents containing customer information into the locked shred bins at night;
  11. Turn off fax machines and printers at night and instruct customers to send faxes only during banking hours;
  12. Finish each transaction before calling another customer to your desk or teller window; and
  13. Manage the Bank’s Privacy Program with vendors through contracts and monitoring (refer to the Bank’s VENDOR MANAGEMENT PROGRAM POLICY).

Lending and Loan Operations Personnel

Lending and Loan Operations personnel are required to conduct the following procedures in promoting effective management of the Bank’s Privacy Program.

  1. Know when and how to provide the Bank’s privacy notices to consumers and customers;
  2. Be able to explain the basics of the Bank’s compliance to customers and Bank personnel;
  3. Protect all customer information (clean desks, secure computer screens when absent, lock documents in the branch vault at night, etc.), keeping all documents containing transactions, signature cards, customer and employee lists and reports, logs, telephone messages, and files out of customers’ view;
  4. Do not discuss a customer’s business within hearing distance of another customer;
  5. Supervise and manage compliance and skill levels of all lending personnel (applies to supervisors);
  6. Know whether the opt-out rule applies;
  7. Recognize identity fraud and information theft attempts;
  8. Be familiar with requirements for government access to customer information;
  9. Keep passwords private;
  10. Shred all documents containing customer information into the locked shred bins at night;
  11. Turn off fax machines and printers at night and instruct customers to send faxes only during banking hours;
  12. Do not leave loan files out while absent from your office or desk;
  13. Do not discuss pending loans or customer business in the hearing distance of others when conducting business outside of the office; and
  14. Do not take reports, customer’s financial information or loan files home.

INITIAL PRIVACY NOTICE

Clear and Conspicuous

The Bank is required to provide a “clear and conspicuous” initial privacy notice to consumers and customers that accurately reflects the Bank’s privacy policies and practices.

The rule defines the phrase “clear and conspicuous” to mean one that is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

Examples of “reasonably understandable” – A notice is reasonably understandable if it:

  1. Presents information in clear, concise sentences, paragraphs and sections;
  2. Uses short explanatory sentences or bullet lists, whenever possible;
  3. Uses definite, concrete, everyday words and active voice, whenever possible;
  4. Avoids multiple negatives;
  5. Avoids legal and highly technical business terminology, whenever possible; and
  6. Avoids explanations that are imprecise and readily subject to different interpretations.

Examples of “designed to call attention” – A notice is designed to call attention to the nature and significance of the information in it when the Bank:

  1. Uses a plain-language heading, to call attention to the notice;
  2. Uses a typeface and type size that are easy to read;
  3. Provides wide margins and ample line spacing;
  4. Uses boldface or italics for key words; and
  5. In a form that combines the Bank’s notice with other information, uses distinctive type size, style, and graphic device, such as shading or sidebars.

Notices on Web Pages

Information provided in a notice on the Bank’s web page is designed to call attention to the nature and significance of the information if the Bank uses text or visual cues to encourage scrolling down the page, if necessary, to view the entire notice, and ensures that other elements on the web site, such as text, graphics, hyperlinks or sound, do not distract attention from the notice. In addition, the Bank is to place either a notice or a conspicuous link on a screen that consumers frequently access, such as a page on which transactions are conducted.

Requirements to Consumers

No initial notice is required to be given to consumers who are not customers if their nonpublic information will not be shared or will be shared only under the “processing and servicing” exceptions.

Requirements to Customers

An initial notice is required to be given to customers no later than when a customer relationship is established. The Bank can provide the initial notice at the same time it is required to give other notices, such as with deposit account disclosures required under Regulation DD when opening a deposit account or the Regulation Z disclosures at the time the extension of credit is consummated. In cases where the relationship is established in person, the notice should be given at a point when the consumer still has a meaningful choice about whether to proceed with the customer relationship.

Exceptions for Subsequent Delivery

The Bank is permitted to provide the initial notice within 5 business days after a customer relationship is established in the following circumstances:

  1. When the Bank assumes a customer’s deposit liability or the servicing rights to a customer’s loan from another financial institution and the customer does not have a choice in the action; or
  2. When providing the notice would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.

NOTE: The rule provides that providing a notice would not substantially delay the customer’s transaction when the relationship is initiated in person at the Bank or through a means in which the customer is able to view the notice, such as on a web site. Exceptions are discouraged.

Existing Customers

The initial notice requirements also apply when an existing customer obtains a new financial product or service that is covered under the regulation (i.e., for personal, family or household purposes) from the Bank. The requirement can be satisfied by:

  1. Providing a revised privacy notice that covers the customer’s new financial product or service; or
  2. If the initial, revised or annual notice that was recently provided to the customer was accurate with respect to the new financial product or service, then there is no need to provide another privacy notice.

How to Provide the Initial Privacy Notice

The Bank can provide the initial notice in writing or electronically if the consumer agrees to electronic delivery. Oral notices alone are not sufficient for meeting the requirements. The general rule with respect to providing the initial notice is the need for a reasonable expectation that the consumer will receive actual notice of the Bank’s privacy policies and practices.

Reasonable Expectation for Receipt

The Bank can reasonably expect that a consumer or a customer has received actual notice if the Bank:

  1. Hand-delivers a printed copy of the notice to the consumer;
  2. Mails a printed copy to the last known address of the consumer; or
  3. Sends the notice by e-mail if the consumer has agreed to receive the financial product or service electronically.

Posting a notice in the lobby of the Bank’s offices is not sufficient to meet the reasonable expectation that the consumer has received actual notice. Likewise, sending a notice via electronic mail to a customer who does not obtain a financial product or service from the Bank electronically also does not meet the reasonable expectation requirement.

Retention Requirement – Customers

The Bank will meet the requirement of providing the initial notice to customers in a manner that can be retained or obtained at a later time, if the Bank:

  1. Hand-delivers a printed copy to the customer;
  2. Mails a printed copy to the last known address of the customer; or
  3. For customers who have obtained a product electronically and agreed to electronic delivery, makes the notice available on a web site or a link to another web site.

The agencies note that the requirement that the initial notice be given in a manner that permits access to the notice at a later time does not preclude the Bank from changing or revising its policy. Rather, the agencies believe that customers (and consumers) should be able to access the Bank’s most recently adopted policy.

Joint Relationships

If two or more consumers jointly obtain a financial product or service, the Bank can satisfy the initial notice requirements by providing one notice to those consumers jointly.


ANNUAL NOTICE TO CUSTOMERS

The Bank is required to notify customers annually during the continuation of the customer relationship of the Bank’s privacy policies and practices. The notice must be given to all customers. (See exception below)

The term “annually” means at least once in any period of 12 consecutive months during which the customer relationship exists. The Bank is permitted to define the 12 consecutive month period. However, the time period must be applied consistently.

Clear and Conspicuous Requirement

Just as with the initial notice, the annual notice must be clear and conspicuous and reflect the privacy policies and practices in effect at the time of the annual notice.

Terminated Customer Relationships

An annual notice need not be provided to former customers (i.e., when a continuing relationship no longer exists). The annual notice would not be required in the following examples:

  1. For deposit accounts that have become inactive under the Bank’s policies;
  2. For closed-end loans that have been paid in full, charged off by the Bank or sold servicing released;
  3. Where the Bank no longer provides statements or notices pertaining to the customer’s credit card or other open-end credit account, or the Bank has sold the credit card receivables without retaining servicing rights; or
  4. For other types of relationships, where the Bank has not communicated with the customer about that relationship for a period of 12 consecutive months, other than providing the annual privacy notices or promotional materials.

Delivery of Notice

The annual notice is to be provided in the same manner as described above for the initial notice to customers.

Exception

Effective 12/16/2020, the Bank is not required to provide the annual notice if it meets the following two conditions:

  1. The Bank only shares information in ways that do not trigger any opt-out requirements. In other words, the Bank only shares information under exceptions in sections 1016.13, 1016.14 and 1016.15 of 12 CFR 1016; and
  2. The Bank has not changed its policies and practices under paragraphs 1016.6(a)(2)-(5) and (9) since its last notice. These paragraphs include disclosures of the categories of information disclosed to third parties, the categories of third parties disclosed to, the categories of information about former customers disclosed and to whom, the categories of information disclosed under joint marketing agreements and categories of the third parties involved, and broad categories of certain types of disclosures made under exceptions, for example “as permitted by law.” If the Bank makes a change to a policy or procedure that does not affect a disclosure under these specific paragraphs, it does not affect the Bank’s qualification for the exception.

Delivery of Annual Privacy Notice When the Bank No Longer Meets the Exception

If the Bank changes its policies and practices in such a way that it no longer meets the conditions as set forth above, it must comply with the following disclosure requirements.

  1. Changes preceded by a revised privacy notice. If the Bank changes its policies and practices in such a way that it is required to provide a revised privacy notice, it must deliver the revised privacy notice and treat the revised notice as the annual notice for the present 12-month period. The Bank will resume providing annual notices at least once in each 12-month period as defined by the Bank going forward.
  2. Changes not preceded by a revised privacy notice. If a revised privacy notice is not required, the Bank will send the annual privacy notice 100 days after the change. If, in the following year, there have not been any further changes and information is not shared in a manner that triggers an opt-out, the Bank may requalify for the exception and not send out annual notices again until another change occurs.

CONTENTS OF PRIVACY NOTICES

The initial and annual privacy notices have the same required content. The Bank is required to address only those items that apply to it. The notices must disclose:

  1. Collection. The categories of nonpublic personal information that the Bank collects. The Bank satisfies the requirement to categorize the nonpublic personal information that it collects if it lists the following categories, as applicable:
    1. Information from consumers;
    2. Information about the consumer’s transactions with the Bank or its affiliates;
    3. Information about the consumer’s transactions with nonaffiliated third parties; and
    4. Information from a consumer reporting agency. A statement “we collect everything” would not comply.
  2. Disclosure. The categories of nonpublic personal information about the consumers that the Bank discloses. The Bank satisfies the requirement to categorize the nonpublic personal information it discloses if it lists the categories described above, as applicable, and provides a few examples to illustrate the types of information in each category.
  3. To Whom. The categories of affiliates and nonaffiliated third parties to whom the Bank discloses nonpublic personal information, other than under the exceptions for processing and servicing and other uses discussed in the Exceptions section below. The Bank satisfies its requirement to categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information if it lists the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:
    1. Financial service providers (e.g., mortgage bankers, securities broker-dealers, and insurance agents);
    2. Non-financial companies (e.g., retailers, direct marketers, airlines and publishers); and
    3. Others (e.g., non-profit organizations).
  4. Former Customers. The categories of nonpublic personal information about the Bank’s former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the Bank discloses nonpublic personal information about its former customers, other than under the exemptions for processing and servicing and other exemptions.
  5. Opt-Out Disclosure. An explanation of the right to opt-out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer exercises that right. (The opt-out right is discussed below in the Right to Opt-out section.)
  6. Confidentiality and Security. The Bank’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. The Bank describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it does both of the following:
    1. Describes in general terms who is authorized to have access to the information; and
    2. States whether the Bank has security practices and procedures in place to ensure the confidentiality of the information in accordance with its policy.

RIGHT TO OPT-OUT

The Bank is not permitted, either directly or indirectly through an affiliate, to disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless the Bank has:

  1. Given the consumer the initial privacy notice;
  2. Provided an opt-out notice to the consumer;
  3. Given the consumer a reasonable opportunity, before disclosing the information, to opt-out of disclosure; and
  4. Not received an opt-out direction from the consumer.

Opt-Out Provision Applies to All Consumers

The opt-out provision applies regardless of whether a customer relationship has been established. Furthermore, this right applies regardless of whether the Bank collected the nonpublic personal information before or after receiving the consumer’s direction. The opt-out rules also apply to information collected before the effective date of the regulation.

Form of Opt-Out Notice

In many cases, the opt-out notice will be a part of the initial or annual privacy notice, but it can be separate. The opt-out notice must be clear and conspicuous and must state the following:

  1. That the Bank discloses or reserves the right to disclose nonpublic personal information about consumers to nonaffiliated third parties;
  2. That the consumer has the right to opt-out of the disclosure; and
  3. A reasonable means by which the consumer can exercise the opt-out right.

The opt-out notice must identify the categories of nonpublic personal information that the Bank discloses or reserves the right to disclose and all the categories of nonaffiliated third parties to which the Bank discloses information and identify the financial products or services that the consumer obtains from the Bank, either alone or jointly, to which the opt-out direction would apply.

Providing the Notice

The opt-out notice must be given in a manner so that each consumer can reasonably be expected to receive the actual notice. The notice can be given in writing, or electronically if the consumer agrees. Providing only a verbal explanation of the consumer’s opt-out rights would not be sufficient.

The notice to the consumer must clearly and conspicuously explain the consumer’s right to opt-out, explain the steps the consumer must take to undertake the option, and provide a reasonable means by which a consumer may exercise their option. “Reasonable means” that the consumer may use to opt-out include:

  1. A check-off box on a form (e.g., an application);
  2. A detachable, pre-addressed form or self-addressed postcard together with the opt-out notice;
  3. Providing an electronic means, such as a form that can be sent via e-mail if the customer agrees to accept the notice in electronic form; or
  4. Providing a toll-free telephone number that consumers may call to opt-out.

The rule requires the opt-out notice and the reasonable means to be provided with or as part of the initial and each annual privacy notice. The opt-out notice can be given together with or on the same written or electronic form as the privacy notice. If the Bank gives the opt-out notice at a later time than required for the initial notice, the Bank also is required to include a copy of the initial notice with the opt-out notice.

The rule specifies that the consumer has not been given a reasonable means of opting out if the only way that the consumer can opt-out is by writing a letter to the Bank in order to exercise the opt-out right or if the only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the Bank provided with the initial notice but did not include with the subsequent notice.

How the Customer’s Opt-Out Direction can be Accomplished

The consumer must be provided a reasonable opportunity to opt-out of having their information disclosed. The opt-out direction can be accomplished as follows:

  1. By Mail. Where the Bank mails the initial and opt-out notice to the consumer, the Bank must wait at least 30 days to permit the consumer to opt-out by mailing a form or calling a toll-free telephone number, or other reasonable means before it could share any protected information about the consumer.
  2. By Electronic Means. Where a consumer opens an online account and agrees to receive the initial and opt-out notices electronically, the Bank must allow the customer to opt-out by any reasonable means within 30 days after the date the customer acknowledges receipt of the notices provided in conjunction with opening the account.
  3. Isolated Transactions. In isolated transactions, such as the purchase of a cashier’s check, the Bank is deemed to have provided the consumer a reasonable opportunity to opt-out if the notice is given at the time the transaction is conducted and the consumer’s decision is requested as part of continuing and completing the transaction. (Of course, if no information will be shared regarding the consumer other than under the servicing and processing and other exemptions, no opt-out would need to be provided to this consumer.)
  4. Joint Relationships. For joint accounts or services, the Bank may provide a single opt-out notice and, at its discretion, permit one of the joint consumers to opt-out for the whole relationship, or permit each joint consumer to opt-out separately. However, the Bank may not require all joint consumers to opt-out before implementing any of the opt-out instructions from the other joint consumers of that relationship.

Change in Policies or Practices

If the Bank decides to change its previously disclosed policies or practices regarding sharing of nonpublic personal information, it must provide the consumer with a revised privacy and opt-out notice. The Bank is required to include a new opt-out notice with the revised notice and give the consumer a reasonable opportunity to opt-out before disclosing any information not covered in the prior disclosure.

Continuing Right and Duration

  1. Continuing Right. A consumer may exercise his or her right to opt-out at any time, and the Bank receiving the direction must comply as soon as reasonably practicable.
  2. Duration. The opt-out is effective until revoked by the consumer in writing or, if the consumer agrees, in electronic form.
  3. Terminated Relationships. The final rules provide that when a customer relationship terminates, the customer’s opt-out direction continues to apply to the nonpublic personal information that the Bank collected during or related to that relationship.
  4. Reestablished Relationships. If the consumer later establishes a new customer relationship with the Bank, the old opt-out would not apply and the consumer would have to be provided with a new opportunity to opt-out for information related to that new account.

EXCEPTIONS TO OPT-OUT REQUIREMENTS

The regulations contain a number of exceptions to the requirement imposed by the privacy rules. The exceptions fall into three categories:

  1. Service Providers and Joint Marketing. The opt-out requirements do not apply when the Bank provides nonpublic personal information about a consumer to a nonaffiliated third party to perform services for the Bank or functions on the Bank’s behalf. This exception includes the marketing of the Bank’s own products or services or financial products or services offered under a joint agreement between two or more financial institutions. However, the initial, annual and revised disclosure requirements still apply. Under this exception, the opt-out requirements do not apply if the Bank:
    1. Provides the initial disclosure of the privacy policy as required; and
    2. Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information in any way except for the purpose for which the Bank provided it.
  2. Processing and Servicing Transactions. Under this exemption, the Bank does not need to provide an opportunity to opt-out if the Bank discloses nonpublic personal information for any of the following reasons:
    1. As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;
    2. To service or process a financial product or service requested or authorized by the consumer;
    3. To maintain or service the consumer’s account with the Bank, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
    4. In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer. However, this exception does not affect the Bank’s obligation to provide initial notices of its privacy policies and practices at the time of establishing a customer relationship and the annual notices after that.
  3. Other. Under these other exceptions, the Bank is exempt from the opt-out requirements:
    1. With the consent or at the direction of the consumer;
    2. In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
    3. To comply with:
      • Federal, state, or local laws, rules, and other applicable legal requirements;
      • A properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities; or
      • Judicial process or government regulatory authorities having jurisdiction over the Bank for examination, compliance, or other purposes as authorized by law.

Again, these exceptions do not affect the Bank’s obligation to provide initial notices of its privacy policies and practices at the time of establishing a customer relationship and annual notices thereafter.


LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION

The regulations impose a separate set of rules on redisclosure or reuse of information obtained from other financial institutions listed in this section.

Information Received Under an Exception

If the Bank receives nonpublic personal information from a nonaffiliated financial institution under the processing/servicing or other exceptions, its disclosure and use of that information is limited as follows:

  1. The Bank can disclose the information to the affiliates of the financial institution from which it received the information;
  2. The Bank can disclose the information to its affiliates, but the Bank’s affiliates may, in turn, disclose and use the information only to the extent that the Bank is permitted to disclose and use the information; and
  3. The Bank can disclose and use the information pursuant to an exception (i.e., the processing/servicing or other exceptions) in the ordinary course of business to carry out the activity covered by the exception under which the Bank received the information.

Information the Bank Receives Outside an Exception

If the Bank receives nonpublic personal information from a nonaffiliated financial institution other than under a processing/servicing or other exception, the Bank is permitted to disclose the information only:

  1. To the affiliates of the financial institution from which it received the information;
  2. To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the Bank can disclose the information; and
  3. To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the Bank received the information.

Information the Bank Discloses Under an Exception

If the Bank discloses nonpublic personal information to a nonaffiliated third party under the processing/servicing or other exceptions, the third party may disclose and use that information only as follows:

  1. The third party may disclose the information to the institution’s affiliates;
  2. The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
  3. The third party may disclose and use the information pursuant to the processing/servicing or other exceptions in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

Information the Bank Discloses Outside of an Exception

If the Bank discloses nonpublic personal information to a nonaffiliated third party other than under the processing/servicing or other exceptions, the third party is permitted to disclose the information only:

  1. To the Bank’s affiliates;
  2. To the third party’s affiliates, but the third party’s affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
  3. To any other person, if the disclosure would be lawful if the Bank made it directly to that person.

THE SHARING OF ACCOUNT NUMBERS FOR MARKETING

The Bank is prohibited from, directly or through an affiliate, disclosing, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

Exception

An exception is provided to the general prohibition on sharing account numbers or similar forms of access numbers or access codes when the Bank discloses such information to:

  1. The Bank’s agent or service provider solely in order to perform marketing for the Bank’s own products or services, if the agent or service provider is not authorized to directly initiate charges to the account; or
  2. A participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters the program.

Under this exception, an account number, or similar form of access number or access code, does not include a number or code in an encrypted form, if the Bank does not provide the recipient with a means to decode the number or code. Additionally, the final rule provides that a transaction account is an account other than a deposit account or a credit card account. A transaction account does not include an account to which third parties cannot initiate charges.


PRIVACY PROTECTION PRINCIPLES

The Bank recognizes that customer information is important, confidential, and personal. Protecting customer privacy, along with our customers’ financial assets, is at the core of our business. The Bank has adopted the following Privacy Protection Principles to ensure the privacy of customer information is safeguarded and protected with the highest levels of security and appropriate discretion. These Privacy Protection Principles apply to individuals, and the Bank reserves the right to change them, along with related provisions, at any time:

  1. Recognition and response of customer privacy expectations: The Bank recognizes that our customers expect privacy and security of their personal and financial affairs. The need to safeguard sensitive information about our customers is critical; therefore, standards and procedures of daily operations are designed to prevent misuse of this information.
  2. Allowed practices of the collection, retention and use of customer information: During the normal scope of business the Bank collects, retains, and uses information about our customers only when there is a reasonable belief that it will help administer their business or provide products, services, and other opportunities to them. It is Bank policy to collect and retain information about our customers only for specific business purposes – and it is a requirement to disclose the reason(s) for collecting and retaining it upon customer request. The Bank uses this information to protect and administer customer records, accounts, and funds; to comply with certain laws and regulations; to help design or improve products and services; and to understand our customers’ financial needs so that we can provide them with quality products and superior service. The following section entitled “Information Use Disclosure” explains these concepts in greater detail.
  3. Standards to maintain accurate customer information. The Bank’s daily operating procedures help assure that customer financial information is accurate, current, and complete in accordance with commercial standards and practices. It is Bank policy to respond to customer requests to correct inaccurate information in a timely manner. While some of these procedures are required by federal or state law, the Bank has implemented additional procedures to maintain accurate, current, and complete financial information, including processes to update information and remove old information.
  4. Restrictions and limitations of employee access to customer information. All employees are required to follow the Bank’s CODE OF ETHICS POLICY, which states in part that all customer information is considered private and privileged and is to be used solely for the purpose of providing customers with the finest service available. In addition, the Bank has implemented procedures that limit employee access to personally identifiable customer information to those employees with a business reason to know such information. Bank employees are continually educated about the importance of confidentiality and customer privacy through standard operating procedures, special training programs, and policies on ethics. It is the policy of the Bank to take appropriate disciplinary measures to enforce employee privacy responsibilities.
  5. Security procedures to protect customer information. The Bank is committed to the security of customer financial and personal information. All of the Bank’s operational and data processing systems are maintained in a secure and redundant environment that protects customer account information from being accessed by third parties. It is the policy of the Bank to maintain internal security standards and procedures to help prevent unauthorized access to confidential customer information. These security mechanisms are periodically updated and tested to improve the protection of customer information and to assure data integrity.
  6. Restrictions and limitations of disclosing customer information. It is the policy of the Bank not to reveal specific information about customer accounts or other personally identifiable data to unaffiliated third parties for their independent use, except for the exchange of information with reputable information reporting agencies to maximize the accuracy and security of such information or in the performance of bona fide corporate due diligence or business matter, unless:
    1. A customer requests or authorizes it;
    2. The information is provided to help complete a transaction initiated by a customer;
    3. The disclosure is required by or allowed by law (e.g., subpoena, investigation of fraudulent activity, request by regulator, etc.); or
    4. The Bank informs a customer about the possibility of disclosure for marketing or similar purposes through a prior communication and gives the customer the opportunity to decline (i.e., “opt-out”). It is the policy of the Bank to not provide account or personal information to non-Bank companies for the purpose of independent telemarketing or direct mail marketing of any non-financial products or services of those companies. Please refer to the following section entitled “Information Use Disclosure” for more information regarding these concepts.
  7. Maintaining customer information privacy in business relationships with third party entities. Sometimes it is necessary for the Bank to provide personally identifiable customer information to a contractual third-party entity, such as a vendor or service company that is hired to prepare account statements or to provide support or services for one or more products. These vendors and service companies agree to safeguard confidential customer information regarding the products and services customers use by written agreement and must abide by applicable law in doing so.
  8. Customer disclosure requirements and compliance procedures. The Bank has established the following procedures to communicate and properly disclose to customers the Bank’s Privacy Policy and how the Bank gathers, protects, and uses information:
    1. Account opening disclosure. New accounts personnel are to provide the customer with the Bank’s “Privacy Practices and Policies Notice” which describes the provisions and directives of this policy. In addition, the Bank’s “Information Use Disclosure” is to be provided that describes how the Bank uses information about the customer.
    2. Lobby display. Lobby signs and notices that generally describe the Bank’s Privacy Policy and/or subsequent availability in detail are appropriately displayed in designated areas as required.
    3. Internet web site display. The Bank’s Internet web site is fully operational. It is the Bank’s policy to provide the Privacy Practices and Policies Notice and Information Use Disclosure for public display and disclosure as required.
    4. Annual disclosure. The Bank’s Privacy Practices and Policies Notice and Information Use Disclosure are sent to customers on an annual basis to reaffirm customer awareness of this topic.

INFORMATION USE

The provisions and explanations in this section apply only to individuals and supersede all previous notices or statements with respect to the subject matter described herein. The Bank reserves the right to change the provisions and explanations in this section at any time.

Use and Sharing of Information – Internally

It is the responsibility of the Bank to inform customers of new product or business-related opportunities and general news from time to time. It is the policy of the Bank to originate these notifications directly from the Bank, and not from third party entities. Customers can choose not to receive notification about any offers made by mail, telephone or e-mail, and the Bank will honor their request. It is the policy of the Bank to not provide account or personal information to third party entities for the purpose of independent telemarketing or direct mail marketing of any non-financial products or services of those companies.

Under the federal Fair Credit Reporting Act and other applicable law, customers have the right to prevent the sharing of certain information about them for certain purposes. If customers wish to exercise this right, they must inform the Bank of their name and address, social security number or individual taxpayer identification number, primary accounts or services, and a direction to limit the sharing of information among affiliated banks and companies.

Customers may communicate this information to us by:

  1. Mail;
  2. Hand delivered at a branch office; or
  3. Telephone.

Use and Sharing of Information – Externally

It has always been the policy of the Bank to maintain procedures designed to protect confidential customer information and the products and services customers maintain with the Bank. Other than under the limited exceptions explained in this policy, it is the policy of the Bank not to share confidential customer information with outside sources.

Assembly of Customer Information

One of the main reasons the Bank gathers information about customers is to protect them. The Bank must be able to properly identify a customer and his or her products and services to prevent access to personal and financial information by unauthorized persons.

The Bank also gathers information to help understand customer financial needs and to provide them with quality products and services. For example, if the Bank knows a customer owns his or her own home, it is realized that a home equity loan may be a better alternative than an installment loan to finance his or her next purchase – because of possible tax benefits.

In some cases, the Bank also gathers information to help design or improve products and services. For example, information obtained from customers can tell the Bank whether to develop a new type of home mortgage or a checking account. This type of information enables the Bank to identify the needs of customers and provide services to meet those needs.

Finally, the Bank gathers information to comply with laws and regulations that govern the financial services industry. For example, federal regulations require that the Bank obtain a social security number or tax identification number for many types of accounts, such as bank deposit accounts that pay interest.

Information to Third Party Entities

Occasionally it is necessary for the Bank to provide certain confidential customer information to third party entities outside the Bank, and the Bank may also provide certain information to third parties for other purposes as described below.

The Bank is required, for example, to share information about customers and their products and services with parties named in a lawsuit or administrative action when the Bank is served with a subpoena or court order. The Bank is also required to share this information with federal or state regulatory authorities, such as banking examiners or the Internal Revenue Service (IRS), as authorized by federal or state law. The Bank also shares information about customers and their products and services with reputable credit reporting agencies as authorized by federal law and with others who may receive certain information under particular circumstances – but only as lawfully permitted or required. This practice is consistent with the practice of other banks and financial services companies.

From time to time, the Bank may contract with third-party entities in order to make available certain financial products. For example, the Bank may contract with payroll companies to make available various payroll products. Under these programs, a limited amount of information about customers or their accounts may be provided to the third party under an agreement requiring the third party to keep the information confidential and not use it for any other purpose. The Bank does not provide account or personal information to non-Bank companies for the purpose of independent telemarketing or direct mail marketing of any non-financial products or services of those companies.

The Bank may contract with outside agents or service providers to prepare account statements, enter or calculate transactions and balances, or provide other materials or services on the Bank’s behalf. These agents, service providers, and third-party product providers agree to safeguard confidential customer information, products and services used by customers, and must abide by applicable law.

The Bank may also occasionally decide to sell business assets or a business line, such as mortgage servicing rights. In these cases, the Bank may transfer to the purchaser the related customer information.

The Bank’s deposit account agreement informs customers when the Bank will disclose account information to third parties.

Removal from Public Information Lists

Customers desiring to have their name removed from the lists created by outside agencies and companies in the business of compiling lists are to send a written request with their name, address and social security number (if issued) to the organizations listed below. These organizations are responsible for notifying the agencies and companies that are in the business of compiling lists to have the name removed from the lists they sell. Customers are to include all versions of their name that appear in mailings or in calls they receive. Customers must register their own name and address directly with each organization listed below, since those organizations cannot process requests from the Bank.

For advertising received through the mail:

Mail Preference Service
c/o Direct Marketing Association
P.O. Box 9008
Farmingdale, NY 11735-9008

For advertising received via the telephone:

Telephone Preference Service
c/o Direct Marketing Association
P.O. Box 9014
Farmingdale, NY 11735-9014

Customers are to include complete information about each name, address and telephone number they would like excluded from these lists. Customers that have moved within the last year are also to include their old address and telephone number. The same is true for name changes and the addresses and telephone numbers associated with each name.

The Direct Marketing Association will include submitted names in its consumer exclusion files so that each name may be removed from lists compiled or maintained by the agencies and companies that are members of that organization. A customer’s name remains in the file for five years.

Customers who desire to have their name taken off all pre-approved credit solicitations (not just Bank solicitations) can write to the following credit reporting agencies, and are to include their name, current address and Social Security number.

Experian
Consumer Opt-Out
P.O. Box 919
Allen, TX 75013

Options
Equifax, Inc.
P.O. Box 740123
Atlanta, GA 30374-0123

Trans Union Corporation
Name Removal Option
P.O. Box 97328
Jackson, MS 39288-7328


RIGHT TO FINANCIAL PRIVACY ACT REFERENCE

The Right to Financial Privacy Act (“RFPA”) establishes procedures that federal government agencies must follow in order to obtain confidential customer information. The RFPA requires the Bank to make sure that these requirements are met prior to releasing customer information to a government agency.

No government agency may access or obtain any customer information maintained by the Bank unless the customer information that is being requested is reasonably described and at least one of the following is provided to the Bank:

  1. An administrative or judicial subpoena or summons;
  2. A search warrant;
  3. A formal written request; or
  4. A customer’s written authorization.

Legal Processes

A government agency may obtain customer records through an administrative or judicial subpoena or summons otherwise authorized by law only if the records sought are relevant to a legitimate law enforcement inquiry. Except where prohibited by law or a court order, the customer must be served a copy of the subpoena or one must be sent to the last known mailing address on or before the date the Bank received the subpoena or summons.

The customer must also be given a notice that states with reasonable specificity the nature of the law enforcement inquiry. Federal law requires the Bank to wait 10 days after the customer has been served the notice, or 14 days from the mailing date, in order to give the customer a chance to challenge the subpoena or summons.

There are two situations when banks and their personnel are prohibited from notifying their customers of a subpoena or summons for their records. The first is when the government obtains a court order delaying notification by following the procedures set out in 12 U.S.C. § 3409(a). This frequently occurs in the context of a grand jury subpoena. See 12 U.S.C. § 3413(i). The subpoena is usually accompanied by a letter from the government requesting that the Bank not disclose the request to the customer.

The second situation is where the records are being subpoenaed to investigate crimes against a financial institution or supervisory agency; in those cases, 12 U.S.C. § 3420(b) makes it a crime for the bank or its personnel to provide notice to the customer.

Search Warrants

A government agency may obtain customer information if it obtains a search warrant pursuant to the Federal Rules of Criminal Procedure. The government agency must mail a copy of the search warrant along with a notice to the customer’s last known address no later than 90 days after the government agency serves the search warrant. The notice must state the government agency that obtained the information, the date the information was obtained and the reason for obtaining the information.

Formal Written Requests

A government agency may request customer information pursuant to a formal written request only if:

  1. The request is authorized by regulations and signed by the head of the agency or COMPLIANCE DEPARTMENT;
  2. No administrative summons or subpoena reasonably appears to be available to that government agency to obtain the customer information for the purpose for which it is sought;
  3. There is reason to believe that the records sought are relevant to a legitimate law enforcement inquiry;
  4. The customer has been served a copy of the request or one has been mailed to the last known address on or before the date the request was made to the Bank, together with a notice stating with reasonable specificity, the nature of the law enforcement inquiry; and
  5. Ten days have expired from the date of service, or 14 days from the date of mailing, and within such period the customer has not filed a sworn statement and application to enjoin the government agency in the appropriate court.

Customer Authorization

A customer may authorize the disclosure of information to a government agency by furnishing to both the Bank and the government agency a signed and dated statement which:

  1. Authorizes such disclosure for a period not in excess of three months;
  2. States that the customer may revoke such authorization at any time before the information is disclosed;
  3. Identifies the specific information that is authorized to be disclosed;
  4. Specifies the purposes for which, and the government agency to which, such information may be disclosed; and
  5. States the customer’s rights under the RFPA.

The customer has the right, unless the government authority obtains a court order, to obtain a copy of the information disclosed to the government agency as well as the identity of the government agency that requested the information.

Delayed Notice to Customer

The customer notice may be delayed by order of an appropriate court if:

  1. The investigation being conducted is within the lawful jurisdiction of the government agency seeking the information;
  2. There is reason to believe that the information being sought is relevant to a legitimate law enforcement inquiry; and
  3. There is reason to believe that such notice will result in:
    1. Endangering the life or physical safety of any person;
    2. Flight from prosecution;
    3. Destruction of or tampering with evidence;
    4. Intimidation of a potential witness; or
    5. Otherwise seriously jeopardizing an investigation or official proceeding or unduly delaying a trial or ongoing official proceeding.

Bank Procedures

Bank employees are instructed to immediately contact the COMPLIANCE DEPARTMENT as soon as any request from a government agency seeking customer information is received.

Under no circumstances shall Bank personnel provide any confidential information to a government agency without the express written consent of the COMPLIANCE DEPARTMENT and the Bank’s legal counsel.


IDENTITY THEFT AND SOCIAL ENGINEERING

Identity theft is the fraudulent use of an individual’s personal identifying information. An identity thief in most instances uses another individual’s personal information such as name, social security number, driver’s license number, mother’s maiden name, date of birth or account number, to fraudulently open new bank or credit card accounts, charge existing credit card accounts, write checks, or obtain new loans. Identity thieves use numerous techniques to steal the information, such as:

  1. Stealing mail, such as intercepting bank or other financial statements;
  2. Diverting mail from its intended addressee by submitting a forged change of address request;
  3. Impersonating victims in person in order to obtain information from banks and other businesses;
  4. Intercepting or otherwise obtaining information transmitted electronically;
  5. Rummaging through trash for personal data;
  6. Stealing wallets that contain personal identification information and credit cards; or
  7. Stealing personal identification information from workplace records.

A customer affected by identity theft may not realize that someone has stolen their identity for months or even years. The victim may only realize this has happened once they are denied credit or until a creditor attempts to collect on an unpaid bill.

Social Engineering and Other Identity Theft Methods

Social engineering is the attempt to manipulate or fool a person into providing confidential information to an individual that is not authorized to receive such information.

The following are common types of social engineering with respect to banking:

  1. Pretext Calling. Pretext calling is a fraudulent means of obtaining an individual’s personal information. Possessing limited information, such as a customer’s name, address and/or social security number, a pretext caller may pose as a customer or an employee and attempt to convince a Bank employee to divulge confidential information. Information obtained through pretext calling may be sold to debt collection services, attorneys and private investigators for use in court proceedings. Identity thieves may also engage in pretext calling to obtain personal information for use in creating fraudulent accounts. In some instances, pretext callers may call an institution repeatedly until the caller finds an employee willing to provide the information. The following are possible pretext caller situations where extra care should be taken by Bank personnel to ensure the authenticity of the caller:
    1. A caller who tries to distract an employee by being overly friendly or engaging in unrelated conversation to change the employee’s focus;
    2. A caller who cannot provide all relevant or requested information;
    3. A caller who tries to get an employee to circumvent Bank policy through some tactic that is intended to persuade the employee;
    4. A caller who is abusive and attempts to get information through intimidation;
    5. An employee caller whose Caller ID does not agree with that employee’s location; or
    6. An employee caller who cannot provide basic security information that is readily available to all employees.

       Pretext callers may call several times, attempting to obtain bits of information until they build a complete customer profile, and in some situations obtain information about Bank employees. As such, each branch or department customer contact area has implemented specific procedures to protect customer information from being inappropriately released to third parties. Each employee is responsible for understanding and complying with these procedures.

  2. Dumpster Diving. Dumpster diving is a common method for identity thieves to obtain confidential information that has been carelessly thrown away. It involves rummaging through a company’s trash, such as office trash cans or large dumpsters, to collect customer information. The Bank has implemented the following procedures to mitigate the risk of dumpster diving:
    1. Shred Bins. Bank employees are to place any documents that contain confidential company or customer information into designated shred bins located throughout the Bank. Items placed in shred bins are then to be transported to the Bank’s designated paper shredders for disposal daily.
    2. Paper Shredders. In the event shred bins are not available, Bank employees must utilize individual paper shredders to destroy confidential information.
  3. Shoulder Surfing. Shoulder surfing is used by criminals who acquire personal information through observation or eavesdropping. Shoulder surfers may obtain information while standing in line at a branch or ATM. Others may use binoculars to spy on their victims, while some may stand outside branch windows and observe computer screens that display confidential account information. In all instances, the objective is to obtain confidential information. The Bank has implemented the following procedures to mitigate the risk of shoulder surfing:
    1. Computer monitors are to be positioned in a manner that prevents individuals from observing confidential information. If this is not feasible then a protective screen is to be utilized on the monitor to prevent others from easily viewing the contents;
    2. Ensure that confidential information exchanged in a face-to-face situation with a customer is provided in writing rather than spoken aloud, which prevents others from learning the information through eavesdropping. The same practice applies when an employee provides confidential information to a customer, and the written copy is to be properly disposed of after it has been provided; and
    3. Ensure that adequate space exists between customers conducting transactions and other customers standing in line. Proper spacing enhances customer privacy and deters criminals from acquiring confidential information such as PIN, account number, balance, etc.
  4. Identity Theft Methods. There are two basic identity theft methods used by criminals:
    1. Account Takeover. An account takeover occurs when an identity thief obtains existing account information from a victim and purchases products and services using the actual credit card, check, or the account number and expiration date.
    2. Application Fraud. In the event of application fraud, the thief uses the victim’s social security number and other identifying information to open new deposit or loan accounts in the victim’s name; however, the telephone and/or address information is in most instances changed to that which is controlled by the thief, in order to prevent the victim from learning of the theft and to facilitate receipt of the fraudulent credit cards, etc.
Monitoring of Suspicious Activities

As a general rule, all Bank personnel are responsible for routinely monitoring transactions that may be a sign of identity theft. This responsibility, however, falls most heavily on branch management and other operations personnel, who are best positioned to mitigate the risk to the Bank and its customers.

The Bank has developed procedures for reporting suspicious activity, including (if warranted) the completion of a Suspicious Activity Report as required by the Bank Secrecy Act. Provided below are some examples of suspicious transactions that may indicate a possible case of identity theft:

  1. The use of altered identification (e.g., a tampered driver’s license that has been laminated with a new photo, or descriptive identifying information such as date of birth that appears altered);
  2. Identification does not match the characteristics of the customer (e.g., height, weight, hair or eye color do not match);
  3. Social security number does not fit the customer’s profile (e.g., place of birth or the date the SSN was issued does not match the customer’s age); or
  4. Customer is reluctant or refuses to remove the identification card from a purse, wallet, etc.

Refer to the Bank’s BANK SECRECY ACT POLICY for a detailed explanation of the completion of Suspicious Activity Reports (SARs).

Customer Fraud Hotline

The Bank offers a secure and confidential method for customers to report acts of fraud. In addition to assisting customers, the Customer Fraud Hotline enhances the Bank’s overall risk management objectives and fraud protection efforts to help reduce losses.

Customers can contact the COMPLIANCE DEPARTMENT using any of the following methods:

  1. Toll free telephone 000-000-0000;
  2. Via the Internet at www.gulfcapitalbank.com; or
  3. By postal mail at 1 Riverway Suite 150 Houston, TX 77056.

A customer submitting an issue to the hotline is provided an initial guarantee of confidentiality in that reporting such suspected wrongdoing can be accomplished without fear of retribution or reprisal. Only in those instances where Bank personnel must first properly confirm a customer’s identity to assist in an identity theft investigation will a person be asked for their identity.

Hours of operation of the Customer Fraud Hotline are 9 AM – 5 PM Monday through Friday. The COMPLIANCE DEPARTMENT is responsible for handling only issues of customer identity theft or fraud by a known or unknown third party that is not affiliated with the Bank. An issue regarding customer identity theft or fraud where the customer believes a Bank employee is involved is to be logged, and the BANK SECURITY OFFICER is to be contacted by the COMPLIANCE DEPARTMENT for further investigation and assistance. A secure tracking mechanism is in place to record reported issues, follow-up, investigation, disposition, and the final closure of reported issues. Regular status updates on each issue are reviewed by the COMPLIANCE DEPARTMENT MANAGER and reported to Senior Management on a periodic basis.

Customer Identity Verification Procedures

The Bank’s CUSTOMER IDENTIFICATION PROGRAM POLICY contains detailed procedures that Bank personnel are required to follow to reduce the risk of establishing fraudulent accounts or divulging confidential customer information to identity thieves. The Bank’s procedures involve a combination of positive, logical and negative verification procedures.

The following is a brief review of the Bank’s efforts with respect to customer identification methods:

  1. Positive Verification. Positive verification procedures involve the comparison of information provided to information maintained by third parties (for new accounts) or Bank systems (existing customers). As an example, an identity thief may provide the true name of an individual and a correct phone number, but an erroneous address. The Bank could detect this discrepancy by checking the address information contained on a credit report or in the Bank’s customer information file. Another example includes contacting an applicant’s employer. An identity thief may provide the name of a legitimate employer but may not provide the correct telephone number. The Bank should not rely on the number provided but instead should use the phone book or the Internet white/yellow pages directory to independently verify the telephone number.
  2. Logical Verification. Logical verification procedures assess the consistency of information provided on an application and may reveal inconsistencies in what an applicant has provided. For example, the Bank can verify whether the telephone area code provided on the application corresponds to the address provided, or whether a customer lives or works near the branch. Inconsistent information does not automatically indicate fraud. As an example, a customer may use a cell phone that is assigned to a different area code than the customer’s home address. As such, the Bank should inquire about the inconsistency to determine whether the information provided appears reasonable.
  3. Negative Verification. Negative verification procedures ensure that information provided on an application has not previously been associated with fraudulent activity. Reviewing credit reports for fraud indicators is a form of negative verification.

Please refer to the Bank’s CUSTOMER IDENTIFICATION PROGRAM POLICY for a detailed explanation of policy and procedure.

Bank Personnel Identity Theft Procedures

Bank personnel are to conduct the following procedures in resolving a case of a customer’s identity theft:

  1. Provide the customer with the Bank’s IDENTITY THEFT AFFIDAVIT PACKET that includes:
    1. Cover Letter;
    2. Identity Theft Affidavit Instructions;
    3. Additional Identity Theft Procedures;
    4. Identity Theft Affidavit; and
    5. Fraudulent Account Statement.

       The Identity Theft Affidavit Instructions sheet will assist the customer in completing the required forms. The customer is requested to return the completed forms to the Bank in person or in the self-addressed envelope provided.

       NOTE: Any provisional credit previously granted by the Bank may be reversed from the customer’s account if completed forms are not received by the Bank within 10 business days.

      Once returned, the packet is to be forwarded to COMPLIANCE DEPARTMENT for investigation.

  2. Suggest the customer contact the Identity Theft Hotline of the Federal Trade Commission (FTC) on the Internet at http://www.consumer.gov/id.theft or call toll free (877) 438-4338. The FTC places information into a secure consumer fraud database and shares it with local, state and federal law enforcement agencies.
  3. Suggest the customer file a police report with local law enforcement agencies to document the crime.
  4. Suggest the customer contact the fraud departments of each of the three major credit bureaus and request that a “fraud alert” and a “victim’s statement” be placed in the customer’s credit file. The alert places creditors on notice that the customer has been the victim of fraud, and the victim’s statement asks creditors not to open additional accounts without first contacting the customer. The following are the phone numbers of the three national credit bureaus:
    1. Equifax (800) 525-6285;
    2. Experian (888) 397-3742; and,
    3. Trans Union (800) 680-7289.
  5. Suggest the customer request a free credit report from the above listed credit bureaus. The credit bureaus must provide a free credit report if the customer believes the report is inaccurate due to fraud.
  6. Suggest the customer review the free credit reports in detail to determine whether any fraudulent accounts have been established. The customer should also determine whether any unknown inquiries have been made, as these may be indicators of someone attempting to establish a fraudulent account under the customer’s name.
  7. Suggest the customer contact all financial institutions and creditors where the customer has accounts. The customer should request that they restrict access to the customer’s account, change any password, or close the account altogether if there is evidence that an account has been the target of identity theft.

If the account in question is a deposit account, Bank personnel are instructed to close the account and open a new one for the customer. For bankcards, the customer is to be issued new cards and/or PINs for the new account. A teller alert is to be placed on the customer’s accounts to indicate that the account holder is a victim of identity theft. It is the responsibility of the COMPLIANCE DEPARTMENT to determine the course of action once the investigation is complete.

If the account in question is a credit facility, it is the responsibility of the COMPLIANCE DEPARTMENT to take appropriate steps to place a hold on the credit facility, thereby blocking the reporting of that loan to consumer reporting agencies (CRAs), and to place an alert on the credit facility to indicate that the customer is a victim of identity theft.

It is important that Bank personnel do not provide the customer with any information regarding the account until the Bank has verified the validity of the claim. The customer is to be informed that he or she will be contacted by the COMPLIANCE DEPARTMENT regarding the investigation.

Repollution Procedures

The term “repollution”, as used under the Fair Credit Reporting Act as amended by the FACT Act, refers to the refurnishing of information on an account that has been identified as resulting from an alleged identity theft.

It is the responsibility of Bank personnel to conduct the procedures listed above, ensuring that the customer has completed an IDENTITY THEFT AFFIDAVIT PACKET, and to attach information concerning the repollution. The documentation is to be forwarded to the OPERATIONS DEPARTMENT. It is the responsibility of the COMPLIANCE DEPARTMENT, once the investigation is complete, to take the appropriate steps to block the information from being reported to any party within 45 days of receipt.


SAFEGUARDING CUSTOMER INFORMATION POLICY

The Bank, management and our employees recognize the importance of safeguarding the financial records and personal information of the Bank’s customers. Our customers’ right to privacy is governed by various state and federal acts, laws, and regulations. Further, failure to protect our customers’ confidential information can result in civil lawsuits and/or loss of reputation. For these reasons, the Bank has established this Safeguarding Customer Information Policy.

The Bank has delegated the primary responsibility for compliance with this policy to the COMPLIANCE OFFICER, and to all full-time employees, part-time employees, temporary employees, contractual employees, and any person or entity performing any type of service for the Bank.

Acknowledgment of the Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) affects privacy and information security. Further, the GLBA requires various federal regulatory agencies to promulgate regulations to enforce the GLBA. It is the intent of the Bank to comply with the GLBA and all resulting regulations.

Risk Management
  1. Perceived Risks. The Bank considers the following to be potential risks related to inadequate protection of confidential data. Where a risk is perceived, measures have been taken to mitigate the risk.
    1. Compliance risk is the risk to earnings or capital of not complying with appropriate regulations thus resulting in regulatory or legal repercussions. This risk will be mitigated by the establishment of this policy, the establishment of a data protection/privacy training program, and the establishment of a data protection/privacy audit program.
    2. Strategic risk is the risk to earnings (especially future earnings) and capital arising from poor business decisions regarding data protection/privacy and poor implementation of those decisions. This risk will be mitigated by the establishment of this policy, the establishment of a data protection/privacy training program, and the establishment of a data protection/privacy audit program. This risk will also be mitigated by analyzing customer complaints about privacy and privacy expectations. Further, senior management will keep abreast of data security/privacy issues by periodically reviewing industry and trade publications.
    3. Reputation risk is the risk to earnings and capital of not developing and retaining marketplace confidence in handling customer financial transactions in an appropriate manner. This risk will be mitigated by the establishment of this policy, the establishment of a data protection/privacy training program, and the establishment of a data protection/privacy audit program. This risk will also be mitigated by analyzing customer complaints about privacy and privacy expectations. Further, senior management will keep abreast of data security/privacy issues by periodically reviewing industry and trade publications. Lastly, the Bank will convey its data protection/privacy standards to the general public.
  2. Balancing of Implemented Controls. Proper risk management techniques require that controls be balanced against:
    1. The cost of the control;
    2. The ability of the Bank’s employees to provide appropriate levels of service;
    3. The ability of the Bank’s employees to provide services in reasonable timeframes;
    4. The feasibility of implementing the control; and
    5. The likelihood the control will be effective.
  3. Identified Risks. The Bank has specifically identified the following risks that may include, but are not limited to:
    1. Unauthorized access of information by someone other than the owner of a consumer account;
    2. System security compromised as a result of system access by a computer “hacker”;
    3. Interception of data transmission;
    4. Loss of data integrity;
    5. Physical loss of data in a natural disaster;
    6. Poor audit trails;
    7. Errors introduced into the system;
    8. Corruption of data or systems;
    9. Lack of transaction completeness and documentation;
    10. Unauthorized access of information by employees; and
    11. Unauthorized transfer of information through third parties.

The Bank recognizes that this list may not be all inclusive of the risks associated with the protection of customer information, and the Bank will continually monitor possible new threats to information security and act accordingly to mitigate newly identified risks. To document this effort, Bank personnel in each branch and department are required to complete a SAFEGUARDING CUSTOMER INFORMATION RISK ASSESSMENT FORM and PRIVACY CHECKLIST FORM on an ANNUAL basis in coordination with and at the direction of the COMPLIANCE DEPARTMENT.

Applicable Data (Confidential Data)

All financial and personal information about the Bank’s customers and employees is confidential data. Additionally, all information concerning the affairs of the Bank is also considered confidential data. Confidential data includes, but is not limited to, the following:

  1. Name, address, and phone numbers.
  2. Social security number, tax identification number, driver’s license number, etc.
  3. Deposit account numbers, balances, transactions, etc.
  4. Loan information.
  5. Information regarding any other services used.
  6. Salary and earnings information.
  7. Health history and information.
  8. Work record and disciplinary history.
  9. Management and committee discussions and minutes.
  10. Other discussions where at least one employee is discussing the Bank, an employee, or a customer.
  11. Future plans such as marketing plans, strategic plans, new products, new services, etc.
  12. Pricing procedures for products and services.
  13. Vendors and relationships with those vendors.
Security Safeguards
  1. Check Information. An individual calling to see if a check will clear must be able to state the current check sequence used by the Bank’s customer. This reasonably assures that the check number falls within the sequence currently being used by the customer and deters individuals who call only to determine whether a customer has an account with the Bank. After conducting the check sequence verification procedure, the servicing employee is to say only “there are (or are not) sufficient funds available at this time.”
  2. Deposit Information. Deposit verifications must be received in writing with account holder authorization in order that information may be released.
  3. Direct Customer Telephone Contact. Customers communicating via telephone must be able to identify themselves as authorized users of an account:
    1. Personal Customers – verification of at least three of the following:
      • Social Security number;
      • Mother’s maiden name;
      • Date and amount of last deposit;
      • Recent check number and amount;
      • Date and amount of a recent direct deposit and source of origination;
      • Date and amount of a recent debit card transaction;
      • Date and amount of ACH payment or withdrawal;
      • Address on file at the Bank;
      • Secret password, phrase or code; and/or
      • Date of birth.
    2. Business Customers – verification of at least three of the following:
      • Tax Identification Number;
      • Date and amount of last deposit;
      • Recent check number and amount;
      • Date and amount of a recent direct deposit and source of origination;
      • Date and amount of ACH payment or withdrawal;
      • Address on file at the Bank;
      • Secret password, phrase or code; and/or
      • Account open date.
  4. Loan Information. Loan verifications and payoffs must be received by the Bank in writing with borrower authorization in order that information may be released.
  5. Access Devices. Customers accessing account information via Automated Teller Machines (ATMs), debit cards, or the Bank’s automated telephone banking system are required to enter a Personal Identification Number (PIN) to access account information. Customers accessing account information over Internet or dedicated host channels are required to use a login ID and password. Refer to the Bank’s INTERNET BANKING POLICY for more information.
  6. Record Security and Disposal. Filing cabinets or other storage areas containing sensitive and/or confidential records must be locked when appropriate. Refer to the Bank’s BUSINESS CONTINUITY PLAN POLICY for more information.

       It is the policy of the Bank to ensure the proper disposal of media to protect against reputational exposure and to ensure compliance with the Gramm-Leach-Bliley Act (GLBA) regarding the safeguarding of customer information. As such, the Bank maintains risk-based procedures for the destruction and disposal of media containing sensitive information. These procedures are commensurate with the sensitivity of the information and the type of media used to store it. For example, prior to disposal, magnetic electronic media containing sensitive customer information are degaussed as a matter of standard procedure (degaussing has no effect on solid-state or flash media, which require a different destruction method). Obsolete optical media, such as “write once, read many times” (WORM) media, are destroyed or defaced so that the data is unrecoverable. Printed material containing sensitive data is destroyed in a safe and systematic manner, such as shredding or burning. Furthermore, the Bank’s disposal procedures recognize that records stored on electronic media, including tapes and disk drives, present unique disposal problems in that residual data can remain on the media after erasure. Since that data can be recovered, additional disposal techniques are applied to remove sensitive information.
Former or Terminated Employees

Bank employees should be aware that a requirement of their current employment at the Bank includes the requirement that the restrictions of this policy will carry forward to any post-employment periods.

Employees should be aware that a requirement of their current employment at the Bank includes the requirement that all confidential data, either in written or magnetic (computerized) form, will be immediately returned to the Bank if their employment terminates.

Employees should be aware that a requirement of their current employment at the Bank includes the requirement that all Bank property (including keys) will be immediately returned to the Bank if their employment terminates.

Employees should be aware that a requirement of their current employment at the Bank includes the requirement that all combinations, security codes, access codes, user IDs, passwords, etc. will be immediately put on paper and returned to the Bank if their employment terminates.

Safeguarding Confidential Data from Employees

Confidential data may be accessed only by employees with a legitimate business need for that data. When appropriate and to meet industry standards, the Bank will strive to prevent inappropriate employee access to confidential data by utilizing physical controls, software controls, hardware controls, employee training, and employee screening.

  1. Physical Controls. When appropriate, employees are to lock doors, cabinets, filing cabinets, etc., which contain confidential data. Alarm systems are to be set nightly. Breaches of physical controls are to be investigated. Documents with confidential data are to be shredded when no longer utilized.
  2. Software Controls (Logical Security). All the Bank’s computer systems that contain confidential data are to be safeguarded with software controls. All employees are to be assigned an appropriate level of access to the Bank’s computer systems. All employees will be required to use a unique User ID and secure password (which may include a third level of authentication) to access the Bank’s computer systems. Repeated failed attempts to gain access to information will result in an automatic timeout. Security exception reports generated by the software on the Bank’s computer systems will be reviewed by the IT SECURITY OFFICER. Breaches of software controls are to be investigated by the IT SECURITY OFFICER. Refer to the Bank’s INFORMATION SYSTEMS SECURITY POLICY for more information.
  3. Hardware Controls. Hardware controls such as routers/firewalls are to be utilized when appropriate. Modems are to be varied off (disabled) when not being used. Breaches of hardware controls will be investigated by the IT SECURITY OFFICER.
  4. Employee Training. Employees are periodically trained to avoid discussing confidential data outside the purview of their job functions. Additionally, employees are trained to avoid removing confidential data (on paper or electronic media) from their workspace unless required for work purposes and only with appropriate safeguards for that data.
  5. Employee Screening. Potential new employees are to be screened by:
    1. The traditional interview process;
    2. Personality testing;
    3. Verifying past employment listed on applications through reference checks;
    4. Performing credit checks; and/or
    5. Performing other background checks.
Safeguarding Confidential Data from Non-Employees

When appropriate and to meet industry standards, the Bank strives to prevent inappropriate non-employee access to confidential data by utilizing physical controls, software controls, hardware controls, and employee training.

  1. Physical Controls. When appropriate, employees are to lock doors, cabinets, filing cabinets, etc., which contain confidential data. Alarm systems are to be set nightly. Perimeter (outside) doors are to be locked during non-business hours. Lighting is used in non-daylight hours. Breaches of physical controls are to be investigated by the BANK SECURITY OFFICER. Documents with confidential data are to be shredded when no longer utilized.
  2. Software Controls (Logical Security). All the Bank’s computer systems that contain confidential data are to be safeguarded with software controls. All confidential or restricted information that does not reside on the secured network infrastructure (for example, when sending or receiving external e-mail) must be encrypted by an encryption tool or system that has been approved by the IT SECURITY OFFICER. The application or system must, at a minimum, require the use of login IDs, passwords or a third level of authentication in order to decrypt the information. Data must remain encrypted when unattended by authorized personnel or when performing any function that may result in a possible intrusion. Common workstations requiring this additional security layer include laptop computers and off-site desktop workstations. All employees are assigned an appropriate level of access to the Bank’s computer systems. All employees are required to use a unique user ID and secure password to access the Bank’s computer systems, which may include a third level of authentication. Repeated failed attempts to gain access to information will result in an automatic timeout. Encryption techniques are used when data is transmitted from one physical location to another. Security exception reports generated by the software on the Bank’s computer systems are to be reviewed by the IT SECURITY OFFICER. Breaches of software controls are to be investigated by the IT SECURITY OFFICER. Sensitive, restricted or proprietary information is not sent over the Internet unless it has first been encrypted by approved methods. Credit card numbers, telephone calling card numbers, fixed login passwords and other authentication or financial information that can be used to gain access to goods or services is not to be sent over the Internet in readable form by Bank personnel.
Usually a telephone call, FAX or paper letter delivery is an appropriate alternate delivery channel when the original delivery channel was via the Internet.

    Any proprietary information dissemination must be approved by the IT SECURITY OFFICER. Sensitive information is not sent without appropriate information security measures implemented.

  3. Hardware Controls. Hardware controls such as routers/firewalls are to be utilized when appropriate. Modems are to be varied off (disabled) when not being used. Breaches of hardware controls will be investigated by the IT SECURITY OFFICER.
  4. Employee Training. Employees are periodically trained to avoid discussing confidential data outside the purview of their job functions. Additionally, employees are trained to avoid removing confidential data (on paper or electronic media) from their workspace unless required for work purposes and only with appropriate safeguards for that data.
Employee Use of Confidential Information

The daily operation of the Bank requires employees to regularly obtain and use confidential data. Employees should only use confidential data to perform their job functions. Employees should not distribute confidential data to anyone outside the employment of the Bank unless specifically required by law (e.g., subpoena, IRS, bank regulator, etc.). Supervisors should approve any instances where confidential data is distributed outside the Bank.

Third Party Vendors

The Bank has numerous third-party vendors which are provided with confidential data. These vendors are required to follow privacy and information security procedures similar to those of the Bank. If the contract with the vendor does not address privacy and information security adequately, the vendor is required to sign appropriate privacy and security acknowledgements.

Refer to the Bank’s VENDOR MANAGEMENT PROGRAM POLICY for detailed guidance.

Disclosures of Confidential Data to Nonaffiliated Third Parties

In general, it is the Bank’s policy not to disclose a consumer’s nonpublic personal information to a nonaffiliated third party.

Exceptions to Disclosures of Confidential Data to Nonaffiliated Third Parties

  1. To effect, administer, or enforce a transaction that a consumer requests or authorizes;
  2. To comply with a legal requirement such as a subpoena;
  3. To help administer the bona fide business of the Bank; or
  4. At the customer’s request.
Privacy and Information Security Principles

In addition to consumer disclosure notices, the Bank has established a set of privacy principles. These privacy principles complement the disclosure notices and are used as needed to further clarify the Bank’s privacy and information security practices. The “Privacy and Information Security Principles” (Section 11 of this policy) are considered a part of this policy. All employees must comply with the content and spirit of the “Privacy and Information Security Principles.”

Public Access to Privacy and Information Security Principles

The “Privacy and Information Security Principles” are made available to all customers of the Bank in branch lobbies and by posting the principles in an area of the Bank’s web site.

Comments or Complaints by Customers

Any person may make a comment or complaint about this policy or any privacy related issue by contacting the COMPLIANCE OFFICER.

Incident Responses to Security Breaches

A “security breach” is considered to have occurred whenever it is confirmed or suspected that one or more consumers’ nonpublic personal information has been made available to the general public. A “potential security breach” is considered to have occurred whenever it is confirmed or suspected that the general public has a reasonable opportunity to obtain one or more consumers’ nonpublic personal information. A security breach or potential security breach will be considered to be a “security incident.”

Refer to the Incident Response and Preparedness topic of this policy for detailed guidance.

Reporting of Computer and Other Crimes

When appropriate, law enforcement agencies will be notified if there is a reasonable possibility of a crime involving confidential information; this includes, but is not limited to, the filing of a Suspicious Activity Report (SAR).

Dynamic Banking Environment

Changes to the Bank’s corporate environment can occur due to changes in the corporate structure (such as mergers or acquisitions), changes in existing products or services, changes in the regulatory environment, and/or changes in existing technologies. Whenever these changes occur, Senior Management will consider the impact of this policy, the GLBA, and related regulations on the change and give privacy and information security concerns the appropriate consideration. If new and revised policies or procedures are required, they will be provided.

Other Policies and Procedures

The Bank has numerous other formal and informal policies and procedures, such as the INTERNET BANKING POLICY, INFORMATION SYSTEMS SECURITY POLICY, BUSINESS CONTINUITY PLAN POLICY, etc., that directly impact information security and the accuracy of the Bank’s records. In as much as these other policies and procedures apply to privacy and information security, these policies and procedures are to be followed by Bank management and employees.

Training

At initial employment and annually thereafter, all Bank employees are to receive information and/or training of the issues discussed in this policy.

Non-Compliance with Policy

Non-compliance with this policy may result in immediate termination. If applicable, non-compliance may result in a criminal referral to federal and other authorities.

Enforcement of Policy

The primary responsibility for enforcement of this policy and its operating procedures rests with the COMPLIANCE OFFICER and our employees.

Audit

At least annually, the following audit questions will be answered to determine the Bank’s overall compliance with this policy. The auditor will report the results directly to the COMPLIANCE OFFICER, and the audit results will be reported to the Audit Committee of the Board.

  1. Has the Bank approved a privacy and information security policy which provides guidance on the access to and disclosure of consumer, customer, and other confidential data?
  2. Does the approved privacy and information security policy reflect the actual practices of the Bank?
  3. Has the Bank provided privacy and information security policy training to employees?
  4. Have Bank employees been made aware of the content of the Bank’s privacy and information security policy?
  5. Has the Bank developed a reasonable set of privacy standards, principles, or disclosures available to the public?
  6. Have all privacy-related comments and complaints been addressed?
  7. Have security incidents been investigated, reported on, and presented to the COMPLIANCE OFFICER and/or Chief Information Officer?
  8. Does the Bank appear to be in compliance with the GLBA and regulations?

INCIDENT RESPONSE AND PREPAREDNESS

It is the policy of the Bank, and the responsibility of the HUMAN RESOURCES DEPARTMENT, to conduct background checks of employees prior to granting access to the Bank’s customer information resources and systems. This helps ensure the Bank does not violate 12 U.S.C. 1829, which prohibits the Bank from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).

Refer to the Bank’s HUMAN RESOURCES GENERAL POLICY for detailed guidance.

It is the Bank’s policy to expeditiously implement its proactive response program to address incidents of unauthorized access to, or use of, sensitive customer information from the Bank’s customer information systems. For this purpose, customer information systems consist of all the methods used to access, collect, store, use, transmit, protect, or dispose of sensitive customer information, including the systems maintained by the Bank’s third-party service providers. The Bank contractually requires its service providers to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. The Bank’s contract with each service provider requires the service provider to fully disclose to the Bank any breach in security resulting in an unauthorized intrusion into the Bank’s customer information systems maintained by the service provider. Under these contractual obligations, the service provider is required to take appropriate actions to address incidents of unauthorized access to or use of the Bank’s customer information so that the Bank can expeditiously implement its Incident Response Program.

Refer to the Bank’s VENDOR MANAGEMENT PROGRAM POLICY for a detailed explanation.

The term “sensitive customer information” means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number (PIN) or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as username and password or password and account number.
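As an added illustration (not part of the Bank’s policy text), the following Python applies the definition above to records recovered from a file that was accessed without authorization, the kind of scoping step the investigation below calls for. A record counts as sensitive customer information when an identifying element (name, address, telephone number) appears together with an access-enabling element (SSN, driver’s license number, account number, card number, PIN, password), or when a combination such as username and password would by itself permit access. Access elements buried in free-text fields are picked up by pattern matching, with a Luhn check so that arbitrary digit runs are not counted as card numbers. The field names and sample records are constructed for this example; map your own schema onto them.

```python
import re

# Field classes drawn from the policy's definition. Names are assumptions for
# this example, not the Bank's actual schema.
IDENTIFYING_FIELDS = {"name", "address", "phone"}
ACCESS_FIELDS = {"ssn", "drivers_license", "account_number", "card_number", "pin", "password"}
# Combinations that permit account access on their own, without an identifier.
CREDENTIAL_COMBOS = ({"username", "password"}, {"account_number", "password"}, {"account_number", "pin"})

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs before they count as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> set:
    """Return the access elements embedded in free text (e.g. a memo or note field)."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            found.add("card_number")
    return found


def classify_record(record: dict) -> dict:
    """Apply the policy definition to one record and report why it matched."""
    present = {k for k, v in record.items() if isinstance(v, str) and v.strip()}
    # Access elements may also be buried in fields that are not declared as such.
    for k in present - ACCESS_FIELDS:
        present |= scan_text(record[k])
    identifiers = present & IDENTIFYING_FIELDS
    access = present & ACCESS_FIELDS
    combos = [sorted(c) for c in CREDENTIAL_COMBOS if c <= present]
    sensitive = bool(identifiers and access) or bool(combos)
    return {"sensitive": sensitive, "identifiers": sorted(identifiers),
            "access_elements": sorted(access), "credential_combos": combos}


def assess_exposure(records) -> dict:
    """Count how many of the accessed records fall under the definition."""
    results = [classify_record(r) for r in records]
    hits = [i for i, r in enumerate(results) if r["sensitive"]]
    return {"total": len(records), "sensitive": len(hits), "sensitive_indexes": hits}


# Constructed sample records: what an investigator might pull from an exposed export.
SAMPLE_RECORDS = [
    {"name": "J. Doe", "address": "1 Main St", "phone": "555-0100"},      # names/addresses only
    {"name": "A. Roe", "account_number": "123456789"},                     # identifier + account
    {"username": "aroe", "password": "hunter2"},                           # credential pair alone
    {"name": "B. Poe", "notes": "cust called re card 4111 1111 1111 1111"},  # card number in memo
    {"phone": "555-0101", "notes": "reference 4111111111111112"},          # fails Luhn, not a card
    {"name": "C. Loe", "notes": "SSN on file 123-45-6789"},                # SSN in memo
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
    print(assess_exposure(SAMPLE_RECORDS))
```

The first sample matches the “names and addresses only” case in which notice is not required, while the credential pair in the third sample counts even though no name is attached to it, which is exactly what the second sentence of the definition is there to catch.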

The Bank’s ability to detect an incident occurring or one which has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats. As such, the Bank has implemented various technical solutions, such as intrusion detection systems, firewalls and other technical safeguards to help personnel quickly identify incidents of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as input for the monitoring process and for the Incident Response Program in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.

Refer to the Bank’s INFORMATION SYSTEMS SECURITY POLICY for detailed guidance.

This topic outlines the Bank’s response program so that designated personnel (internal and external Incident Response Teams) may take appropriate action and notify customers as required in the event of an incident of unauthorized access to sensitive customer information. Such an incident is one that could result in substantial harm or inconvenience to affected customers and/or the Bank. The following types of incidents, among others, would trigger the use of the Incident Response Program:

Types of Incidents that may occur:

  • ACH file intrusion compromising payroll data such as names and account numbers
  • Firewall intrusion compromising customer personal private information
  • Introduction of a software virus or malware
Incident Response Team

The Bank has established an Incident Response Team that is specifically responsible for responding to security incidents. The Incident Response Team includes individuals from various departments or functions of the Bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) which places the Bank in a better position to respond to any given incident. Team members are assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient.

For purposes of this policy, the Bank’s internal Incident Response Team consists of the following personnel:

  1. Senior Management;
  2. Technology Committee members;
  3. Chief Information Technology Officer;
  4. Chief Financial Officer and Chief Operations Officer;
  5. Compliance Officer; and
  6. Other members of management or employees as directed.

The Bank maintains a contact list that includes contact information for team members, employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts to serve as a valuable resource when responding to an incident.

Refer to the Bank’s BUSINESS CONTINUITY PLAN POLICY for detailed guidance.

Security Response Center

The Bank maintains a Security Response Center through a contractual third-party vendor. The Security Response Center serves as a central location for the analysis and investigation of potential security incidents, and considers, evaluates and responds to both external threats and internal vulnerabilities against the Bank.

Sources of external threat information include industry information sharing and analysis centers (ISACs), InfraGard, mailing lists, and commercial reporting services. Internal vulnerability information is available from the Bank’s condition reporting and activity monitoring processes.

The Security Response Center accesses all relevant internal vulnerability information in a read-only manner. This data resides in centralized log repositories, on the devices that perform the logging, and in the results of self-assessments and independent tests. In addition, various tools are used to analyze the logs and to perform ad hoc activity monitoring. Other useful data sources are reports of anomalies in both network and host performance and in the end-user experience; the latter covers internal users and contractors as well as customers who use the Bank’s systems.

The Security Response Center uses a Security Information Management (SIM) tool to assist in the collection, analysis, classification and reporting of data related to security incidents, so that:

  1. Continual and ad hoc monitoring of communications, and the use of the results of monitoring in subsequent legal procedures, is attained. The responsibility and authority of security personnel and system administrators for monitoring is clearly established, and the tools used are reviewed and approved by the Technology Committee and Senior Management with appropriate conditions for use;
  2. Classification policies enable timely classification of incidents into different levels of severity. Response and reporting levels are commensurate with the severity levels;
  3. Escalation policies address which personnel within the Bank will be contacted regarding the incident, and the responsibility those personnel have in incident analysis and response;
  4. Reporting policies address internal and external reporting, including coordination with service providers and reporting to industry ISACs; and
  5. A member of Senior Management is empowered to declare an incident to be an intrusion.

The effectiveness of the Bank’s Security Response Center is also a function of the training and expertise of the security analysts. It is the responsibility of the Technology Committee to ensure that Security Response Center personnel are sufficiently trained to appropriately analyze network and host activity and to use the monitoring and analysis tools available to them.

When Customer Notice Should Be Provided

When the Bank becomes aware of an incident of unauthorized access to sensitive customer information, it is the policy of the Bank to conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the Bank determines that misuse of customer information has occurred or is reasonably possible, it is required to notify affected customers as soon as possible and take appropriate steps to safeguard the interests of affected customers. However, there may be situations where the Bank determines that a group of files has been accessed improperly but is unable to identify which specific customers’ information has been accessed. If the circumstances of the unauthorized access lead the Bank to determine that misuse of the information is reasonably possible, it will notify all customers in the group.

The following are examples of occurrences when the Bank should notify customers of unauthorized access to sensitive customer information:

  1. An employee of the Bank has obtained unauthorized access to sensitive customer information maintained in either paper or electronic form;
  2. A cyber intruder has broken into the Bank’s unencrypted database that contains sensitive customer information;
  3. Computer equipment such as a laptop computer, floppy disk, CD-ROM, or other electronic media containing sensitive customer information has been lost or stolen;
  4. The Bank has not properly disposed of customer records containing sensitive customer information; or
  5. The Bank’s third-party service provider has experienced any of the incidents described above, in connection with the Bank’s sensitive customer information.

Customer notice by the Bank may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the Bank with a written request for the delay. However, the Bank is to notify its customers as soon as notification will no longer interfere with the investigation.

When Customer Notice is Not Required

The Bank will not provide notice when it becomes aware of an incident of unauthorized access to customer information, and the Bank, after an appropriate investigation, can reasonably conclude that misuse of the information is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers. For example, the Bank would not need to notify affected customers in connection with the following incidents:

  1. The Bank can retrieve sensitive customer information that has been stolen, and reasonably concludes, based upon its investigation, that it has done so before the information has been copied, misused or transferred to another person who could misuse it;
  2. The Bank determines that sensitive customer information was improperly disposed of, but can establish that the information was not retrieved or used before it was destroyed;
  3. A hacker accessed files that contain only customer names and addresses; or
  4. A laptop computer containing sensitive customer information is lost, but the data is encrypted and may only be accessed with a secure token or similarly secure access device.
Corrective Standards

In the event of a breach in security of sensitive customer information, Senior Management, with appropriate notification to the Bank’s Board of Directors, will:

  1. Assess the situation to determine the nature and scope of the incident and identify the information systems and types of sensitive customer information accessed or misused. In addition, an assessment of how containment actions will affect business operations or systems is to be conducted, to minimize undesirable business disruptions;
  2. Document details, conversations and actions regarding the incident, including the preservation of evidence. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, such as aiding in apprehension and prosecution activities. In addition, this information may be used to file potential insurance claims and for preparing an executive summary of the events for the Board of Directors or shareholders. It is the responsibility of the IT SECURITY OFFICER to be the focal point for incident-related documentation for organizational, security and quality control purposes.
  3. Notify the FDIC and Texas Department of Banking and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies.

    The FDIC requires any suspected loss of sensitive information be reported immediately by Senior Management to the FDIC’s Help Desk at (1-877-334-2999) which is staffed 24 hours a day, seven days a week. This action provides the FDIC time to gather critical information concerning the incident, notify the appropriate FDIC management and report the incident as required by the Office of Management and Budget (OMB). In addition, it is the responsibility of Senior Management to notify the Bank’s supervisor and/or oversight manager and the division and/or office Information Security Manager (ISM) at the earliest possible opportunity.

    The Office of Management and Budget (OMB) requires all federal agencies to report all incidents of a confirmed or suspected loss of Personally Identifiable Information (PII) within one hour of discovering the incident. PII includes any personal information maintained by an agency about an individual including, but not limited to, education, financial transactions, medical history, criminal or employment history, and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other information that is linked or linkable to the individual.

  4. Notify the Bank’s legal counsel to ensure that any state laws governing notification requirements for customer information security compromises are followed. In addition, legal guidance may also be warranted in properly documenting and handling the incident.
  5. Take measures to contain and control the incident to prevent further unauthorized access to, or use of, customer information while preserving records and other evidence. Depending upon the particular facts and circumstances in connection with computer intrusions, these measures include, but are not limited to:
    1. Shutting down applications or third-party connections;
    2. Reconfiguring firewalls in cases of unauthorized electronic intrusion;
    3. Ensuring that all known vulnerabilities in the Bank’s computer systems have been addressed;
    4. Changing computer access codes;
    5. Modifying physical access controls; and
    6. Placing additional controls on service provider arrangements.
  6. Address and mitigate harm to individual customers by taking the corrective measures listed below.
Corrective Procedures

At minimum, appropriate Bank personnel are to conduct the following procedures in the event an incident of unauthorized access to customer information is experienced to mitigate substantial harm or inconvenience to affected customers:

  1. Flag Affected Accounts. Accounts of customers whose information may have been compromised are to be identified by the appropriate area where the breach has occurred, and a warning placed on the Bank’s mainframe computer system. These affected accounts are to be monitored for unusual activity, and appropriate controls are to be initiated to prevent an unauthorized withdrawal or transfer of funds from customer accounts;
  2. Secure Affected Accounts. All identified accounts, in addition to affected Bank services used to access such accounts, associated with the breach of customer information are to be secured by physical, technical, or other means to prevent further unauthorized access or use until such time as the Bank and the customer agree on a course of action;
  3. Notify Affected Personnel and Customers and Provide Assistance. It is the responsibility of the IT SECURITY OFFICER to notify affected personnel and customers through appropriate means (e.g., letter, telephone, e-mail) when the Bank becomes aware that sensitive customer information is the subject of unauthorized access, unless the Bank, after an appropriate investigation, reasonably concludes that misuse of the information is unlikely to occur, and takes appropriate steps to safeguard the interests of affected customers, including monitoring affected customers’ accounts for unusual or suspicious activity. The notification is to contain at minimum, in a clear and conspicuous manner:
    1. A general description of the incident and the type of customer information that was the subject of unauthorized access or use;
    2. A general description of what the Bank has accomplished to protect the customers’ information from further unauthorized access;
    3. A designated customer service number at the Bank, staffed by properly trained personnel that can adequately respond to customer inquiries and requests for assistance, that customers can call for further information and assistance;
    4. A reminder that customers need to remain vigilant, over the next 12 to 24 months, and to promptly report incidents of suspected identity theft to the Bank, credit reporting agencies, etc.;
    5. A recommendation that the customer review account statements and immediately report any suspicious activity to the Bank;
    6. Steps customers can take to obtain and review their credit reports and to file fraud alerts with nationwide credit reporting agencies, and other sources of information designed to assist individuals in protection against identity theft:
      • Notify each nationwide credit reporting agency to place a fraud alert in the customer’s consumer reports;
      • Periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted; and
      • Inform the customer of the right to obtain a credit report free of charge, if the customer has reason to believe that the file at the consumer reporting agency contains inaccurate information due to fraud, together with contact information regarding the nationwide credit reporting agencies.
    7. Inform each affected customer about the availability of the Federal Trade Commission’s (FTC) online guidance regarding measures to protect against identity theft and encourage the customer to report any suspected incidents of identity theft to the FTC. The FTC’s website address is http://www.ftc.gov/idtheft, and the toll-free number for the identity theft hotline is 1–877–IDTHEFT.

      The Bank, as a general procedure, will notify nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

  4. Notify Appropriate Regulatory and Law Enforcement Agencies. The FDIC, the Texas Department of Banking and appropriate law enforcement agencies are to be notified of the incident by the IT SECURITY OFFICER, in addition to the completion and submission of a Suspicious Activity Report (SAR).

    Refer to the Bank’s BANK SECRECY ACT POLICY for a detailed explanation.

At the discretion of Senior Management, and if circumstances warrant, the Bank may provide customers with the following additional assistance:

  1. A toll-free telephone number that customers can call for assistance;
  2. Offer customers assistance in notifying nationwide credit reporting agencies of the incident and placing a fraud alert in customer consumer reports;
  3. Inform customers about subscription services that provide notification anytime there is a request for a customer’s credit report or offer to subscribe a customer to this service, free of charge, for one year; and
  4. Include with the notice a brochure regarding steps a customer can take to protect against identity theft, such as one downloaded from the Internet.
Internal Security Violation Procedures

For insider security violations, the IT SECURITY OFFICER is to follow, at minimum, the following procedures:

  1. For minor offenses, issue a verbal warning to employee(s) violating Bank policy.
  2. Warn in writing and/or reassign or demote employee(s) who repeatedly violate Bank policy.
  3. Counsel, terminate or take legal action against employee(s) who repeatedly violate Bank security directives or who commit a serious offense.
News Media Communications

The MARKETING OFFICER is responsible for all public statements regarding the Bank, including breaches of sensitive customer information. All other employees are instructed not to give statements to the media.

Bank management is to assess the event and its impact on public and media relations. Following this assessment, the MARKETING OFFICER is to work with Senior Management to determine the most appropriate method of communication. This could include a press release, a press conference or other types of radio, newspaper or television communication. Information provided to the media is to be on a need-to-know basis and may include the following:

  1. Description of the event.
  2. Immediate and long-term effect on customers and Bank staff.
  3. Approximate time frame in which affected operations or services will be secured and returned to normal operation or access.
  4. Assurance that customer assets are secure and protected and the event is being addressed and is under control.

The MARKETING OFFICER is to be prepared to address the following questions for the media during a personal contact interview or press conference:

  1. What caused the event?
  2. Are customer funds safe and available?
  3. Will the Bank suffer any irreparable financial damage as a result of the event?

A record of media contacts/interviews is to be maintained to provide documentation of questions asked and responses given in the event of errors in the reporting of the event by the media. The MARKETING OFFICER is to monitor both print and broadcast coverage of the event. If there are any factual errors reported, the MARKETING OFFICER is to contact the media at once.

Recovery and Risk Mitigation Analysis

It is the responsibility of Senior Management to:

  1. Determine whether configurations or processes should be changed. In the event of a security compromise, the goals in the recovery process are to eliminate the cause of the incident and ensure that the possibility of a repeat event is minimized. A key component of this process is determining whether system configurations or other processes should be changed. For example, in the case of a technical compromise (such as a successful network intrusion), system configurations are to be updated or modified to help prevent further incidents. In the case of non-technical compromises, a review of the Bank’s operational procedures or processes is to be made and changes implemented that are designed to prevent a repeat incident;
  2. Test affected systems or procedures prior to implementation (via walk-through or tabletop exercises) to ensure that reconfigured systems, updated procedures, or new technologies implemented in response to an incident are fully effective and performing as expected. Testing can also identify whether any adjustments are necessary prior to implementing the updated system, process, or procedure. This follow-up process also provides an opportunity for Bank personnel to regroup after the incident and strengthen the Bank’s control structure by learning from the incident;
  3. Conduct a “lessons-learned” meeting to use the incident and build from the experience by:
    1. Discussing whether affected controls or procedures need to be strengthened beyond what was implemented during the recovery phase;
    2. Discussing whether significant problems were encountered during the incident response process and how they can be addressed;
    3. Determining if updated written policies or procedures are needed for the customer information security risk assessment and information security program;
    4. Determining if updated training is necessary regarding any new procedures or updated policies that have been implemented; and
    5. Determining if the Bank needs additional personnel or technical resources to be better prepared in the future.
  4. Ensure that affected systems and/or processes are returned to a known and correct functional state of operation.

STAFF TRAINING

It is the responsibility of the Bank’s COMPLIANCE OFFICER and IT SECURITY OFFICER to ensure that all Bank personnel receive appropriate training on Regulation P and the directives of this policy on an annual basis. The Bank’s general program for compliance consists of the following measures:

  1. Staff training is provided via ABA Online Training. This training program provides employees with current Regulation P training information (through regular updates), and a testing mechanism to ensure staff comprehension of training information and directives.
  2. All employees are required to complete training and testing on the ABA Online Training on an annual basis. It is the responsibility of the COMPLIANCE OFFICER to communicate to branch and COMPLIANCE DEPARTMENT management personnel via internal memorandum of when training is to take place and when it is to be completed.

    NOTE: It is the responsibility of branch and senior management personnel to ensure their employees complete training and testing as directed by the COMPLIANCE OFFICER and IT SECURITY OFFICER.

  3. It is the responsibility of the COMPLIANCE OFFICER to extract testing results from the ABA Online Training system. Each test is to be reviewed to ensure satisfactory completion of the training course. Inadequate test results are to be communicated to the employee’s immediate supervisor for additional training and guidance. Satisfactory results are to be filed in the Bank’s Regulation P File.

All COMPLIANCE OFFICERs of the Bank are responsible for the complete comprehension of this policy and for verifying that their employees understand their responsibilities. The COMPLIANCE OFFICER and IT SECURITY OFFICER will periodically attend educational programs related to Regulation P.

NOTE: If at any time an employee has difficulty with a customer or is uncertain about the proper method of handling a situation or transaction, he or she should refer the issue to their immediate supervisor or contact the COMPLIANCE OFFICER for further clarification.

DEFINITIONS
  1. Consumer. A “consumer” is an individual who obtains or has obtained financial products or services from the Bank that are used primarily for personal, family or household purposes. Customers are also consumers. However, a consumer will not always be a customer. Individuals that would be considered consumers for the purposes of the rules are:
    1. An individual who applied for consumer credit, even if credit was never extended. Additionally, an individual who provides nonpublic personal information in order to determine whether he or she qualifies for a consumer loan, regardless of whether the loan is extended.
    2. An individual that provided nonpublic information to the Bank in connection with obtaining or seeking to obtain financial, investment or economic advisory services even if the Bank does not establish a continuing advisory relationship.
    3. An individual is considered a consumer of an institution that holds ownership or servicing rights to an individual’s consumer loan.

      Exceptions – An individual would not be considered a consumer of the Bank under the following examples:

    1. Where the individual has designated the Bank as trustee for a trust.
    2. Where the individual is a participant or a beneficiary of an employee benefit plan that the Bank sponsors or for which the Bank acts as a trustee or fiduciary.
    3. Where the individual is a consumer of another financial institution and the Bank acts as agent for or provides processing or other services to that financial institution.
  2. Customer. A customer is defined as any consumer who has a customer relationship with the Bank. A customer relationship is defined as a continuing relationship between a consumer and the Bank where the Bank provides one or more financial products or services to that consumer to be used for personal, family or household purposes.

    Examples of a Continuing Relationship – A consumer may have a continuing relationship if the consumer:

    1. Has a deposit or investment account with the Bank.
    2. Holds an investment product through the Bank.
    3. Purchases an insurance product from the Bank.
    4. Enters into an agreement or understanding whereby the Bank undertakes to arrange or broker a home mortgage loan for the consumer.
    5. Enters a lease of personal property with the Bank.
    6. Obtains financial, investment or economic advisory services from the Bank for a fee.
    7. Obtains a loan from the Bank.
    8. Has a loan for which the Bank owns the servicing rights.
      1. Isolated Transactions Do Not Constitute Continuing Relationship – The establishment of a customer relationship should involve more than isolated instances. For example, if the consumer withdraws cash at the Bank’s ATM or purchases a cashier’s check but is not a depositor of the Bank and transacts no other business at the Bank, conceivably the consumer would not have a continuing customer relationship with the Bank. However, the agencies note that the distinction between the definitions of consumer and customer should not be based solely on whether the transaction is an isolated event. Rather, it should be used as a factor in determining whether a relationship is of a continuing nature.
      2. When Is a Customer Relationship Established: A customer relationship is established at the time the Bank and the consumer enter into a continuing banking relationship. If the relationship is contractual in nature, such as deposit accounts or loans, the customer relationship is established when the consumer executes the contract that is needed to conduct the transaction, such as:

        A. When the signature card is executed; or
        B. When the Bank originates the consumer loan.

      3. If the servicing rights to the loan are subsequently transferred to another financial institution, the customer relationship transfers with the servicing rights. Thus, if the Bank purchases the servicing rights to a consumer’s loan, then the Bank has established a customer relationship with that consumer.

        The definition of a customer relationship is not based solely on the execution of a written contract. For transactions that do not involve a contract, for example advisory services, a customer relationship is established if the consumer pays or agrees to pay a fee or commission for the service.

  3. Nonpublic Personal Information. Under GLBA, nonpublic personal information means:
    1. Personal identifiable financial information; and
    2. Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personal identifiable information that is not publicly available.

      Personal Identifiable Financial Information – The rules define this to mean any information:

    1. A consumer provides to the Bank to obtain a financial product or service. This would include, for example, any information provided on a loan or deposit application;
    2. About a consumer resulting from any transaction involving a financial product or service between the Bank and a consumer. This would include payment or overdraft histories and purchase information with a debit or credit card; or
    3. The Bank obtains in connection with providing a financial product or service. This would include information obtained from a consumer report or verified by an employer or another bank.

      Publicly Available Information – Information will be deemed to be “publicly available,” and thus excluded from the definition of nonpublic personal information, if the Bank has a “reasonable basis to believe” (see below) that the information is lawfully made available to the general public from one of the following three categories:

    1. Federal, state or local government records (e.g., real estate records or security interest filings);
    2. Widely distributed media (e.g., telephone books, television or radio programs, newspapers or web sites that are available to the general public on an unrestricted basis); or
    3. Disclosures to the general public that are required to be made by federal, state or local law.

      The rules specify that a web site is not restricted merely because an operator requires a fee or a password, so long as access is available to the general public.

  4. Collect. Means to obtain information that the Bank organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying information assigned to the individual, irrespective of the source of the underlying information. According to the agencies, merely receiving information without maintaining it would not be collecting the information. To be collected, the information must be organized or retrievable.
  5. Nonpublic Personal Information. Various regulations refer to “nonpublic personal information.” Within this policy, “confidential data” is intended to have the same regulatory definition as “nonpublic personal information.” In general, “nonpublic personal information” is information that is not available to the public. Specifically, regulations refer to “nonpublic personal information” as personally identifiable financial information that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. It also includes any list, description, or other grouping of consumers (and publicly available information about them) that is derived using any nonpublic personal information other than publicly available information.
  6. Personal Identifiable Information. “Personal identifiable information” is any information that is provided to a financial institution with regard to a financial product or service; that results from any transaction involving a financial product or service, or that is otherwise obtained about a company or person in connection with providing a financial product or service.
  7. Consumer vs. Customer. Various regulations distinguish between “consumer” and “customer.” In most situations, this distinction is irrelevant, and the Bank will consider a consumer to also be a customer. In the areas where differences between “consumer” and “customer” are relevant (such as annual disclosures), it is the intent of the Bank to comply with the GLBA and promulgated regulations.
  8. Consumer vs. Non-consumer. Various regulations distinguish between “consumer” and “non-consumer” customers. In general, the Bank will not distinguish between the two. However, when the distinction is relevant to what activities are or are not allowed, the Bank might make a distinction as allowed by the GLBA and promulgated regulations.
  9. Affiliate and Nonaffiliated Third Party. An “affiliate” is any company that controls, is controlled by, or is under common control with another company. Conversely, a “nonaffiliated third party” is a company (or person) that is not an affiliate of another company.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * *