Current Important Topics
Privacy Notices Under Gramm-Leach-Bliley Act and Regulation P
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice disclosing that a consumer’s nonpublic personal information (NPI) is shared with nonaffiliated third parties, describing the consumer’s ability to opt out of sharing practice in certain circumstances, and explaining how to exercise their right to opt out.
Reference: Gramm-Leach-Bliley Act, Publication 1, 106-102, 113 stat. 1338 (1999)
A financial institution must issue its GLBA privacy notice when it first establishes a customer relationship. This notice is provided annually thereafter, subject to an exception under the 2015 Fixing American’s Surface Transportation (FAST) Act.
Each of these notices must provide information about the NPI the institution collects and disclosed.
Cyber Incident Reporting Act S. 2875
09/28/21 – Introduced in the Senate by Gary Peters
10/06/21 – Passed the Senate Homeland Security and Governmental Affairs Committee
- Require companies to report cyber incidents within 72 hours and ransom payments within 24 hours.
- Require critical infrastructure owners and operator to report to the Cybersecurity and Infrastructure Security Agency (CISA) with 72 hours if they are expecting a substantial cyber-attack.
- Require other organizations, including businesses, nonprofit, and state and local government, to notify the federal government within 24 hours if they make a ransom payment.
- Would direct federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements.
- There are another 6 additional requirements associated with this bill. To review the entire bill, refer to Senate Bill 2875.
Questions & Answers
Question: Is a bank required to notify customer of a deposited check being returned?
Answer: Yes, regulation requires providing notice to a customer of a check being returned by midnight of the banking day following the banking day on which the bank received notice of the check either being returned or nonpayment.
Question: How often must bank management review the bank’s electronic banking policies and what criteria should be evaluated?
Answer: The Federal Financial Institutions Examination Council (FFIEC) Booklet addresses electronic banking. Under guidance, once an institution implements its e-banking strategy, the board and management should periodically evaluate the strategy’s effectiveness.
This review should include:
- Revenue Generated
- Website availability percentages
- Customer service volume
- Number of customers actively using e-banking services
- Percentage of accounts signed up for e-banking services
- The number and cost per item of bill payments generated
Reference: FFIEC IT Examination Manual (E-Banking): https://ithandbook.ffiec.gov/it-booklet/e banking/risk-managment-of-e-banking-activities/board-and-management-oversight/monitoring-and accountability.aspx.