AL 2001-2
OCC Advisory Letter

Subject: Privacy Preparedness
Date: January 22, 2001

TO: Chief Executive Officers and Compliance Officers of All National Banks, Department and Division Heads, and All Examining Personnel

PURPOSE

This advisory is to help prepare you for the implementation of the new Privacy of Consumer Financial Information regulation, 12 CFR 40. The regulation becomes fully effective on July 1, 2001, and it affects all national banks, large and small, including most of their subsidiaries. A questionnaire is attached to assist you in your preparations and in performing a self-assessment.

During the 2001 quarterly reviews conducted with your bank, your examiner-in-charge or bank portfolio manager will include a discussion of this advisory, the results of your self-assessment, and your progress toward full compliance with the provisions of 12 CFR 40. The extent of that discussion will be determined by the size of the institution involved, the nature of its information collection and sharing practices, and any concerns the examiner may have regarding the state of the bank's preparedness.

BACKGROUND

Title V of the Gramm-Leach-Bliley Act (GLBA) of 1999 sets forth provisions addressing the obligations of a financial institution with respect to the privacy of consumers' nonpublic personal information. The Office of the Comptroller of the Currency's (OCC's) implementing regulation, 12 CFR 40, Privacy of Consumer Financial Information, provides for disclosures to consumers of a financial institution's privacy policy and the rights of consumers to direct their financial institution not to share their nonpublic personal information with third parties (opt out). A copy of the regulation is included in OCC Bulletin 2000-21 ("Privacy of Consumer Financial Information"), issued June 20, 2000.
In addition, OCC Bulletin 2000-25 ("Privacy Laws and Regulations"), issued September 8, 2000, provides information and guidance regarding the various federal laws and regulations relating to the disclosure of consumer financial information.

Many who commented on the proposed rule stated that they needed more time than was provided in the statute to comply with the regulation. Commenters noted that they needed extra time to assess existing information practices, prepare new disclosures, develop software to track opt outs, train employees, and create management oversight, internal review, and auditing systems to ensure compliance. As a result of the comments, the agencies exercised their authority under section 510(1) of the GLBA and extended the mandatory compliance date.

Financial institutions are expected to be in full compliance with the regulation by July 1, 2001. Full compliance means that an institution has delivered a privacy notice to its customers and, where applicable, has afforded its customers a reasonable opportunity to opt out of information sharing before July 1, 2001. These institutions may continue to share nonpublic personal information after that date for customers who do not opt out.

PRIVACY PREPAREDNESS MEASURES

Senior management and the boards of directors of national banks and their subsidiaries are strongly encouraged to ensure that their institutions take all appropriate steps before the mandatory compliance date so that their institutions will comply fully with the privacy regulation by the July 1, 2001, deadline. The term "bank" in this advisory includes national banks, federal branches and agencies of foreign banks, and subsidiaries of a national bank or federal branch or agency, except subsidiaries that are brokers, dealers, persons providing insurance, investment companies, investment advisers, and entities subject to regulation by the Commodity Futures Trading Commission.
(Certain functionally regulated subsidiaries, such as brokers, dealers, and investment advisers, will be subject to privacy regulations issued by the Securities and Exchange Commission. Insurance entities may be subject to privacy regulations issued by their respective state insurance authorities.)

These steps should include

* Assessing existing information practices by conducting an inventory of information collection, disclosure, and security practices;
* Evaluating agreements with nonaffiliated third parties that involve the disclosure of consumer information;
* Where necessary, establishing mechanisms to permit and process opt-out elections by consumers;
* Developing or revising existing privacy policies to reflect the new regulatory requirements;
* Determining how to deliver privacy notices to consumers;
* Establishing employee training and compliance programs; and
* Developing an implementation plan.

Assessing Existing Information Practices

Banks are encouraged to assess their existing practices with respect to nonpublic personal information in order to (1) accurately represent them in their privacy policies; (2) determine the extent to which disclosures to third parties fall within the statutory exceptions; (3) evaluate which information disclosures, if any, would trigger opt-out rights for consumers; and (4) determine whether any practices are prohibited, e.g., impermissible sharing of account numbers with third parties. This exercise should also assist banks in evaluating the desirability of continuing or altering existing practices.

Evaluating Agreements with Nonaffiliated Third Parties that Involve Disclosure of Consumer Information

Banks should determine whether their agreements with nonaffiliated third parties that involve the disclosure of nonpublic personal information meet the regulatory requirements for maintaining the confidentiality of the bank's consumer information.
For instance, if a bank discloses customer lists to a nonaffiliated third-party service provider to market the bank's own products or services, or to a nonaffiliated financial institution pursuant to a joint marketing agreement, section 40.13 of the regulation requires the bank to enter into a contract limiting the third party's use or disclosure of that information. Additionally, banks should consider how best to maintain the confidentiality of the consumer information they disclose pursuant to other nonaffiliated third-party arrangements, such as routine service agreements. Under the regulation, any nonaffiliated third party that receives nonpublic personal information from a bank is limited in its ability to use or disclose the information. Banks are encouraged to inform their service providers of these limitations. Moreover, banks that obtain nonpublic personal information from other nonaffiliated financial institutions also face limits on their use or disclosure of this information.

Establishing Mechanisms to Handle Opt-Out Elections

Banks that disclose information to nonaffiliated third parties outside the statutory exceptions must provide their consumers with a mechanism to opt out of that information sharing. Banks must ensure that they meet the regulatory requirements for providing consumers with a clear and conspicuous opt-out notice and a reasonable means to opt out (e.g., a convenient mechanism for opting out and a reasonable period of time, such as 30 days). In addition, banks must devise the means to record, maintain, and effectuate opt-out elections by consumers.

Developing a Privacy Policy

The regulation requires that all banks, even those that do not share nonpublic personal information, provide privacy notices to customers. Institutions must develop or revise existing privacy notices to conform them to the new privacy requirements.
The notices must meet the clear and conspicuous standards, and they must accurately reflect the bank's privacy practices. In developing their privacy practices and notices, banks may want to evaluate the competitive aspects of their policies and obtain consumer input (e.g., as to whether consumers understand and accept the policy).

Delivering Privacy Notices

Banks must determine the mechanism to deliver initial, annual, and revised privacy notices and opt-out notices to customers, consumers, and joint account holders. Methods of delivery may include hand delivery, mail, and electronic delivery where the consumer is conducting business with the bank electronically and agrees to electronic disclosures. Banks should deliver privacy notices to customers and, where applicable, afford them a reasonable opportunity to opt out of information sharing before July 1, 2001.

Establishing Training Programs

All bank employees should have a general understanding of the bank's privacy policies; however, certain employees require more detailed knowledge. Customer service personnel, personnel who process requests for consumer information or who provide such information to third parties, and other employees in contact with consumers must have a thorough understanding of the bank's privacy policies and practices. They should be prepared to answer questions about the bank's privacy policies and practices, address whether an individual consumer's records are shared, direct consumers through the bank's complaint process, and, if applicable, provide notices to consumers. Bank training programs should be customized for the audience, should be ongoing, and should provide follow-up when problems are noted.

Establishing Compliance Programs

Banks should ensure that their compliance personnel are involved in the privacy preparations. Compliance should evaluate the bank's privacy practices and the measures undertaken to ensure regulatory conformance.
Internal controls, policies, and audit procedures should be developed, and audits/compliance reviews scheduled, in time for the July 1, 2001, implementation date. Implementation problems and compliance deficiencies identified by the compliance staff should receive immediate attention from senior management.

Developing an Implementation Plan

To ensure timely and adequate compliance with the new privacy requirements, banks should develop a privacy action plan that takes into consideration the above measures, as appropriate. The plan should be approved by senior management and the board, and should include target dates, goals, and responsible parties. It should also call for testing and progress reports.

Attached to this advisory is a privacy preparedness questionnaire that may be used to perform a privacy self-assessment. It sets forth measures for implementation and compliance. The questionnaire is a general guide that addresses a broad scope of application, and as a result, some questions may not be applicable to your financial institution.

During the 2001 quarterly reviews of your bank, examiners will inquire about your privacy policies and preparations, and the results of any self-assessment. They will use the attached questionnaire to ask applicable questions about your privacy readiness and may also offer suggestions to improve your compliance efforts. Results of these reviews will allow the OCC to determine which national banks may be at higher risk for noncompliance and therefore require priority in examination scheduling.

Questions concerning this advisory may be directed to your supervisory office or the Community and Consumer Policy Division at (202) 874-4428.

Ralph E. Sharpe
Deputy Comptroller for Community and Consumer Policy

Attachment