The Policy shall accomplish the following:
1) Protect the security and confidentiality of company and customer nonpublic personal information;
2) Protect against unauthorized access to or use of such information;
3) Provide for the proper disposition of company and customer information when disposal is appropriate; and
4) Require that the Company’s third party service providers with access to company and/or customer information take appropriate steps to adequately protect such information.
The standards set out in this Policy represent minimum requirements for compliance with federal consumer protection laws based on applicable legal and regulatory guidance.
Prior to July 21, 2011, eight Federal agencies, including the Federal Trade Commission (FTC) and the Federal Deposit Insurance Corporation (FDIC), shared rulemaking authority. Each of the agencies issued rules to implement the GLBA’s privacy provisions. Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for most of the consumer privacy provisions to the Consumer Financial Protection Bureau (CFPB), effective July 21, 2011. The CFPB combined the Federal agencies’ existing rules, except for the FTC’s existing rules relating to certain motor vehicle dealers as set forth in the Dodd-Frank Act, in a new Regulation P. Regulation P (Privacy Rule) now governs the Company’s treatment of consumers’ nonpublic personal information.
A financial institution’s obligations under the Act depend, in part, on whether its clients are “customers” or “consumers.” The Act defines a “consumer” as an individual (or that individual’s legal representative) who obtains or has obtained a financial product or service that is used primarily for personal, family, or household purposes from the institution. Examples of consumer relationships include making a wire transfer or applying for a loan (whether or not the individual actually obtains the loan). Meanwhile, “customers” are a subclass of consumers that maintain a continuing relationship with the institution whereby the institution provides them with one or more financial products or services, which are used primarily for personal, family, or household purposes. For example, a customer relationship may be established when a consumer maintains a deposit, investment or credit card account with the institution or obtains a loan from the institution. However, there is a special rule with regard to loans: when a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. Any information on the borrower retained by the institution that sells the servicing rights must nevertheless be accorded the protections due any consumer.
In general, the Act prohibits “financial institutions” from disclosing NPI about their customers to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and the customer has not elected to opt out of the disclosure. Consumers who are not customers are only entitled to an initial privacy and opt-out notice if their financial institution wants to share their NPI with nonaffiliated third parties outside of some outlined exceptions.
NPI consists of:
• any information an individual provides to us to obtain a financial product or service (i.e., name, address, income, Social Security number, or other information on an application);
• any information about an individual resulting from a transaction involving our financial products or services (i.e., the fact that an individual is our consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information obtained about an individual in connection with providing a financial product or service (i.e., information from court records or from a consumer report).
NPI does not include information that is “publicly available.” Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures in the public domain (i.e., information in a telephone book or a publicly recorded document, such as a mortgage or securities filing).
RECOGNITION OF A CUSTOMER’S EXPECTATION OF PRIVACY
Safeguarding our customers’ financial information and maintaining customer privacy is of utmost importance to our Company. Our policy is to recognize and respect our customers’ expectation that their personal and financial information will be kept confidential. Each customer has the right to expect that his or her information will be protected and only used in an appropriate business manner.
USE, COLLECTION, AND RETENTION OF CUSTOMER INFORMATION
We collect, retain, and use information about individual customers only when and to the extent we believe the information would be useful (and allowed by law) to administer our business and provide products, services, and other opportunities to our customers.
The Company collects NPI about its customers from the following sources:
• Information we receive on applications or other forms;
• Information about transactions with us or others; and
• Information we receive from a consumer reporting agency or other outside sources regarding verification of information provided by the consumer or from which the consumer has expressly given the Company permission to obtain information.
We only use the NPI collected to handle the customer’s request for specific services. We do not collect information about customers from third parties without a valid reason. In some cases, we gather information to comply with laws and regulations governing our industry.
We also use some of the data we collect to maintain the security of customer account(s) and to protect the privacy of the financial information. We must be able to positively identify our customers and prevent access by unauthorized individuals.
MAINTENANCE OF ACCURATE INFORMATION
The Company will attempt to keep customer files complete, up-to-date, and accurate in accordance with reasonable commercial standards. We will tell our customers how and where to conveniently access their account information (except when prohibited by law) and how to notify us about errors. We will quickly respond to any request that we correct inaccurate information. We will take prompt action to make the appropriate corrections and to notify anyone with whom we may have shared inaccurate information.
LIMITING EMPLOYEE ACCESS TO INFORMATION
When conducting business, employees may obtain access to confidential information about the Company and its customers. We limit employee access to personally identifiable information to those employees with a business reason for knowing the information. Employees who possess such confidential and/or proprietary information must understand that it has been given to them for an expressed, permissible business purpose, and may only be disclosed on a need-to-know basis and for that business purpose. Discretion must be used when disclosing confidential information – it must never be disseminated to unauthorized persons, including employees who do not have a need-to-know basis for the information.
We regularly conduct training sessions and otherwise educate our employees so they understand the importance of confidentiality and customer privacy. We maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information, including, but not limited to, requiring all documents containing NPI to be secured in locked cabinets or file drawers when not in use, utilizing shredders and/or confidentiality bins for disposal of NPI when no longer needed, and conducting periodic sweeps of work areas to ensure compliance with the Policy.
Misuse of confidential information may result in civil or criminal liability, or in sanctions or penalties against both the Company and the individual responsible for the misuse of such information. The Company will take disciplinary measures to enforce our employees’ privacy responsibilities.
SHARING CUSTOMER INFORMATION
The Company does not disclose any NPI about customers or former customers to anyone, except as permitted by law. For example, we are required to share financial information with parties named in a lawsuit or administrative action when we are served with a subpoena or court order and with federal or state regulatory authorities, such as banking examiners or the Internal Revenue Service, as authorized by federal or state law. Consistent with the practice of other institutions, we also share information with reputable credit reporting agencies as authorized under federal law and with others who may receive certain information from us under particular circumstances, but only as lawfully permitted or required.
We require our third party service providers to disclose and detail their electronic security measures for review and as part of our vendor compliance procedures. The service providers acting on our behalf and with exposure to customers’ NPI are contractually obligated to keep the information we provide to them confidential, and only use such information to provide the services we request from them.
PROTECTION OF INFORMATION
The Company is committed to the security of its customers’ financial and personal information. All of our operational and data processing systems are in a secure environment that protects account information from being accessed by third parties. We maintain and grant access to customer information only in accordance with our internal security standards.
This is the Policy of Stock Financial, LLC. All employees must conduct themselves in compliance with this Policy and any guidance or procedures instituted to further this Policy. The Company requires its personnel to be vigilant to ensure that the law is complied with and that any suggestions of wrongdoing or improper disclosure of information be immediately reported to Management through the appropriate channels.