OCC 2000-25 Subject: Privacy Laws and Regulations Description: Summary of Requirements Date: September 8, 2000 TO: Chief Executive Officers and Compliance Officers of All National Banks, Department and Division Heads, and All Examining Personnel The enclosed document, "Privacy Laws and Regulations," is designed to assist national banks and their subsidiaries in complying with federal laws and regulations relating to the disclosure of consumer financial information. "Privacy Laws and Regulations" focuses on the privacy provisions contained in Title V of the Gramm-Leach-Bliley Act, including the interagency regulations with which financial institutions must comply by July 1, 2001, and the affiliate information-sharing provisions of the Fair Credit Reporting Act. These laws contain extensive federal requirements governing the disclosure of consumer information by banks and other private entities, and the differing requirements of these laws may be a source of confusion. Accordingly, the document seeks to compare and clarify these requirements, and to identify specific areas of compliance risk in which satisfying one set of requirements will not necessarily amount to compliance with the other. "Privacy Laws and Regulations" also summarizes relevant privacy provisions of the Electronic Fund Transfer Act, the Right to Financial Privacy Act, the Children's Online Privacy Protection Act, and other laws. Like the Fair Credit Reporting Act, all of these laws are fully in effect, and financial institutions must be in compliance with them currently. With respect to the privacy provisions contained in Title V of the Gramm-Leach-Bliley Act, and the interagency regulations implementing those provisions, the document notes that senior management and the boards of directors of national banks and their subsidiaries are strongly encouraged to ensure that their institutions take all appropriate steps before the mandatory compliance date so that they are prepared to comply fully with the interagency regulations at that time. These steps should include, as appropriate for the institution: conducting an inventory of information collection and disclosure practices, evaluating agreements with third parties that involve the disclosure of consumer information, establishing mechanisms to handle opt-out elections by consumers, developing or revising existing privacy policies to reflect the new regulatory requirements, determining how to deliver privacy notices to consumers, establishing employee training and compliance programs, and setting target dates for all features of the implementation program. For further information about the matters discussed in "Privacy Laws and Regulations," please contact Amy Friend, Assistant Chief Counsel (202-874-5200), Michael S. Bylsma, Director, Community and Consumer Law Division (202-874-5750), or Stephen Van Meter, Senior Attorney, Community and Consumer Law Division (202-874-5750). _________________________________________________ Julie L. Williams First Senior Deputy Comptroller and Chief Counsel Attachment