OCC BULLETIN 2000-25
Subject: Privacy Laws and Regulations
Date: September 8, 2000
To: Chief Executive Officers and Compliance Officers of All National Banks, Department and Division Heads, and All Examining Personnel
Description: Summary of Requirements
As of October 30, 2013, this guidance applies to federal savings associations in addition to national banks.*
The enclosed document, "Privacy Laws and Regulations," is designed to assist national banks and their subsidiaries in complying with federal laws and regulations relating to the disclosure of consumer financial information.
"Privacy Laws and Regulations" focuses on the privacy provisions contained in Title V of the Gramm-Leach-Bliley Act, including the interagency regulations with which financial institutions must comply by July 1, 2001, and the affiliate information-sharing provisions of the Fair Credit Reporting Act. These laws contain extensive federal requirements governing the disclosure of consumer information by banks and other private entities, and the differing requirements of these laws may be a source of confusion. Accordingly, the document seeks to compare and clarify these requirements, and to identify specific areas of compliance risk in which satisfying one set of requirements will not necessarily amount to compliance with the other.
"Privacy Laws and Regulations" also summarizes relevant privacy provisions of the Electronic Fund Transfer Act, the Right to Financial Privacy Act, the Children’s Online Privacy Protection Act, and other laws. Like the Fair Credit Reporting Act, all of these laws are fully in effect, and financial institutions must be in compliance with them currently.
With respect to the privacy provisions contained in Title V of the Gramm-Leach-Bliley Act, and the interagency regulations implementing those provisions, the document notes that senior management and the boards of directors of national banks and their subsidiaries are strongly encouraged to ensure that their institutions take all appropriate steps before the mandatory compliance date so that they are prepared to comply fully with the interagency regulations at that time. These steps should include, as appropriate for the institution: conducting an inventory of information collection and disclosure practices, evaluating agreements with third parties that involve the disclosure of consumer information, establishing mechanisms to handle opt-out elections by consumers, developing or revising existing privacy policies to reflect the new regulatory requirements, determining how to deliver privacy notices to consumers, establishing employee training and compliance programs, and setting target dates for all features of the implementation program.
For further information, contact Compliance Policy (202) 649-5470.
Julie L. Williams
* References in this guidance to national banks or banks generally should be read to include federal savings associations (FSA). If statutes, regulations, or other OCC guidance is referenced herein, please consult those sources to determine applicability to FSAs. If you have questions about how to apply this guidance, please contact your OCC supervisory office.