OCC 2001-26
OCC Bulletin

Subject: Privacy of Consumer Financial Information: 12 CFR 40
Date: May 25, 2001

TO: Chief Executive Officers and Compliance Officers of All National Banks, Department and Division Heads, and All Examining Personnel

Title V of the Gramm-Leach-Bliley Act (GLBA) of 1999 sets forth provisions addressing the obligations of a financial institution with respect to the privacy of consumers' nonpublic personal information. The OCC's implementing regulation, 12 CFR 40, Privacy of Consumer Financial Information, as well as the similar implementing regulations of the other federal banking agencies, provides for disclosures to consumers of a financial institution's privacy policy and for the right of consumers to direct their financial institution not to share their nonpublic personal information with nonaffiliated third parties (opt out).

The Federal Financial Institutions Examination Council (FFIEC) has approved uniform examination procedures to verify compliance with the implementing regulations. A copy of the examination procedures is attached. OCC examiners will use the procedures during compliance examinations of all national banks and of federal branches and agencies of foreign banks.

The examination procedures are risk-based and allow examiners to tailor the examination scope to the reliability of the bank's compliance management system and the level of risk assumed by the institution. As the initial step, the procedures direct the examiner to gain an understanding of the institution's information-sharing practices and of its management controls and systems over privacy. Based on that information, and using the decision trees provided, the examiner selects the examination modules and applicable procedures that reflect the institution's information-sharing practices. For example, Module 1 is used for institutions with the most complex information-sharing practices, and Module 3 for institutions with the least complex information-sharing practices.
In addition, examiners will complete Module 4, 5, or 6 depending upon whether the institution receives nonpublic personal information from other financial institutions, shares account numbers for marketing purposes, or does both.

Notwithstanding the risk-based approach outlined in the procedures, the first compliance examination of each institution conducted after July 1, 2001, will include some transactional testing. At a minimum, during these first privacy examinations examiners will perform the Initial Procedures and the mandatory procedures listed below from each module applicable to the bank. Examiners will sample transactions to complete the procedures; the extent of sampling will depend upon the reliability of the bank's compliance management system and the level of risk assumed by the institution.

Module      Mandatory                   Optional
Module 1    A, B1, C1, C2c, C2d         B2, C2a, C2b, Checklist
Module 2    A, B1                       B2, Checklist
Module 3    A, B1                       B2, Checklist
Module 4    B                           A, Checklist
Module 5    B                           A, Checklist
Module 6    A, B                        C, Checklist

This minimum scope will be used in the first privacy examination of each institution, including those with reliable and fully implemented privacy programs. Where a bank has not fully implemented its privacy controls and systems (e.g., has not yet completed a privacy audit) or has inadequate systems, examiners should determine, through completion of the Initial Procedures, which optional procedures should be performed in addition to the mandatory procedures.

The OCC plans to incorporate these procedures into an update to the Comptroller's Handbook series. Until the revised handbook is issued, examiners will use the attached procedures.

Questions about the privacy regulation or these procedures may be directed to your supervisory office or to the Community and Consumer Policy Division at (202) 874-4428.

Ralph E. Sharpe
Deputy Comptroller
Community and Consumer Policy

Attachment