Revision Date: 4/11/2022
Section 502-509 of title V of the Gramm-Leach-Bliley Act (GLBA), and its implementing Regulation P, (also known as the Privacy Rule) requires financial institutions to provide notice to customers about their privacy policies and practices; describe the conditions under which they may disclose nonpublic personal information about consumers to nonaffiliated third parties; and provide a method for consumers to prevent companies from disclosing that information to most nonaffiliated third parties by opting-out of that disclosure. Furthermore, the Fair Credit Reporting Act (FCRA) and the Right to Financial Privacy Act (RFPA) contain provisions to ensure protection of the financial information of consumers
The following definitions apply to this Policy:
Hub City Lending requires all employees, affiliates, and service providers to comply with all consumer protection regulations regarding the privacy and disclosure of consumer information. Hub City Lending also complies with all disclosure requirements regarding its privacy policies and practices by providing customers with a privacy notice that clearly describes Hub City Lending’s practice of collecting, protecting, and sharing customer’s nonpublic personal information (NPI) with affiliates and third parties at the time that a customer relationship is established. Wherever local privacy regulations are more stringent than the requirements set forth in this Policy, the more stringent requirement will be followed.
Hub City Lending will send a copy of the privacy notice to all new customers in the timeframes specified in the Privacy Rule. Hub City Lending will also provide a privacy notice annually during the continuation of the customer relationship, if applicable.
Hub City Lending complies with the following privacy notice requirements under the GLBA and, when applicable, the FCRA. Further, the GLBA provides that Hub City Lending will obtain a “safe harbor” and will satisfy the disclosure requirements for notices if it chooses to use the model form provided under the GLBA.
Hub City Lending is required to provide an initial privacy notice to customers when a customer establishes a relationship with Hub City Lending by providing any personally identifiable financial information in an effort to obtain a mortgage loan. Hub City Lending is also required to provide a consumer a privacy notice before sharing NPI with nonaffiliated third parties outside of the exceptions described below. If Hub City Lending doesn’t share information with nonaffiliated third parties, or if it only shares within the exceptions, Hub City Lending does not have to provide a privacy notice to consumers.
If Hub City Lending is required to provide a privacy notice to consumers, it may choose to give a “shortform notice” instead of a full privacy notice. The short-form notice must:
Hub City Lending also sends annual privacy notices to their customers during the continuation of the customer relationship, if applicable. The annual notice must accurately describe Hub City Lending’s privacy policies and practices in effect at the time the notice is sent. Annually means at least once in any period of 12 consecutive months during which that relationship exists. Hub City Lending does not send privacy notices after the relationship with the customer has ended.
The privacy notice includes:
Exceptions for processing transactions at consumer’s request – Exceptions to the initial privacy notice, opt-out and for service providers and joint marketing do not apply if Hub City Lending discloses NPI as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
Opt-out means a direction by the consumer that Hub City Lending may not disclose NPI about that consumer to a nonaffiliated third party, other than as permitted by law. The opt-out notice is a clear and conspicuous notice to all customers that accurately explains the right to opt-out under that section. The notice states:
The requirements for initial notice and for service providers and joint marketing do not apply when Hub City Lending discloses NPI:
The Privacy Rule is designed to enable consumers to make opt-out decisions based on an accurate description of a financial institution’s privacy policies and practices. Before disclosing NPI about a consumer to a nonaffiliated third party other than as described in Hub City Lending’s most recent privacy notice, Hub City Lending must provide the consumer a revised initial notice, a new opt-out notice, and reasonable opportunity to opt out.
A revised notice is not required in the instance where Hub City Lending makes a change to disclose NPI to
a new nonaffiliated third party that was adequately described in its prior notice.
Hub City Lending provides the required privacy and opt-out notices simultaneously. Hub City Lending provides privacy notices and opt-out notices so that each consumer can reasonably be expected to receive actual notice in writing. The notice can be hand-delivered, mailed, or, if the consumer consents, delivered electronically.
The Privacy Rule prohibits financial institutions from sharing account numbers or similar access numbers or codes for marketing purposes. This prohibition applies even when a consumer or customer has not opted-out of the disclosure of NPI concerning his or her account. Under no circumstances will Hub City Lending disclose, other than to consumer reporting agencies, access
codes or account numbers for use in marketing.
When a financial institution receives NPI from a nonaffiliated financial institution, its disclosure and use of the information is limited as follows:
The Fair Credit Reporting Act (FCRA), among other things, allows financial institutions to share information with others about its own transactions or experiences with a consumer. However, when a financial institution shares information about third-parties’ transactions with a consumer, such as sharing a list of its customers and information such as their credit scores with another financial institution to jointly market or sponsor other financial products or services, it could cause the financial institution to be considered a consumer reporting agency that is subject to strict guidelines under FCRA. Furthermore, civil or criminal penalties could apply if a financial institution fails to comply with any requirements of the FCRA.
Financial institutions can avoid additional requirements and penalties under FCRA by not providing others with information from credit reports or third-party transactions. Additionally, FCRA contains an exception that allows financial institutions to share information contained in consumer reports and other information, such as information on an application for credit, as long as that information is shared with an affiliate and before the information can be used for marketing and solicitation, the financial institution:
The GLBA notice is sufficient to meet FCRA notice requirements for sharing information with affiliates. Furthermore, the FCRA notice and opt-out requirements do not apply to a financial institution if it uses eligibility information that it receives from an affiliate to make a solicitation for marketing purposes to a consumer with whom the financial institution has a preexisting business relationship.
The Right to Financial Privacy Act (RFPA) protects a customer’s right to privacy with respect to information being disclosed to the federal government regarding the financial records maintained about the customer by financial institutions. The RFPA is intended to balance the federal government’s need for information when conducting a criminal investigation with the customer’s right to privacy. It establishes specific procedures that federal government authorities must follow in order to obtain information from a financial institution about a customer’s financial records. Generally, these requirements include obtaining subpoenas, notifying the customer of the request, and providing the customer with an opportunity to object.
Under the RFPA, the government must reasonably describe the records it wants and may use one of five
methods to obtain those records:
Under this method the customer must give a signed and dated authorization to both the government and the institution. Further, the authorization must state the customer’s rights under the RFPA. In this document, the customer must:
A government authority may obtain financial records using an administrative subpoena or summons if there is reason to believe the records are relevant to a legitimate law enforcement inquiry. A copy of the subpoena or summons must have been served to the customer, or mailed to the customer’s last known address, on or before the date on which it was served to the financial institution and it should include a notice regarding the nature of the law enforcement inquiry and notify the customer of his or her right, and procedures, to contest the inquiry.
Search warrants must be obtained according to the federal rules of criminal procedure. The customer must receive a copy of the search warrant no later than ninety days after it is issued and receive a notice of his or her rights under the RFPA.
A government authority can obtain financial records under a judicial subpoena only if there is a reason to believe the records are relevant to a legitimate law enforcement inquiry. When a judicial subpoena is issued, the subpoena must have been served to the customer, or mailed to the customer’s last known address, and it must state the nature of the law enforcement inquiry and notify the customer of his or her right, and procedures, to contest the inquiry.
A government agency may request financial records using a formal written request only if all of the following conditions are met:
When a formal written request is used, it must have been served to the customer, or mailed to the customer’s last known address, and it must state the nature of the law enforcement inquiry and notify the customer of his or her right, and procedures, to contest the inquiry.
The RFPA also contains exceptions for depository institutions under 12 US Code Section 3413, allowing these institutions to, among other things, disclose: