This policy reaffirms Farmers National Bank’s realization of and respect for the privacy expectations and rights of our customers regarding financial information and other related information that the bank has or gathers in the normal course of business. It is intended to provide guidance to bank personnel as well as assurance to our customers. We will also, of course, act in compliance with all applicable laws and regulations.
Farmers National Bank
EMPLOYEE: As used in this policy statement, includes all directors, officers, and employees of the bank as well as any attorneys, agents, or outside vendors who become privy to customer information.
CONSUMER: A natural person, firm, partnership, corporation or other form of for-profit or not-for-profit enterprise, or its legal representative, that obtains or has obtained a financial product or service from the bank, but that has not necessarily established a continuing relationship with the bank. An example of a consumer would be a loan applicant. A consumer is not necessarily a customer.
CUSTOMER: A natural person, firm, partnership, corporation or other form of for-profit or not-for-profit enterprise that has established a continuing relationship with our bank. An example of a customer would be an approved loan applicant who signs a note.
NON PUBLIC PERSONAL INFORMATION: Nonpublic personal information or ‘financial records.’ For purposes of this policy, ‘nonpublic personal information’ and ‘financial records’ refer to personally identifiable information relating to a consumer or customer, except when there is a reasonable belief that the information is publicly available. For example, the fact of a customer relationship with the bank would presumably be nonpublic personal information. Personally identifiable information relating to a consumer or customer is excluded from nonpublic personal information only if the information is publicly available and was not prepared or composed using information from bank records that are not publicly available.
PUBLICLY AVAILABLE INFORMATION: Any information that a bank has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state, or local law (for example, a telephone directory or the public record of real estate transactions).
RESPONSIBILITY: The board of directors has the ultimate responsibility to appropriately establish and maintain this policy and assure that it is being observed in the daily operations of the bank. The CEO is responsible for carrying out this policy and making recommendations to the board as to necessary or desirable changes to the policy.
Customers of the bank are entitled to the absolute assurance that the information concerning their financial circumstances and personal lives, which the bank has obtained through various means, will be treated with the highest degree of confidentiality and respect. Certain expectations of privacy also contain legal rights of customers which are either granted or confirmed to them through various federal and state laws and regulations. All employees are directed by this policy to assure customers of the bank’s commitment to preserving the privacy of their information. The bank will post a notice in all our banking offices which contains an abbreviated version of this policy. That notice is included as part of this policy and is designed to be both a posted notice and a direct disclosure to customers under circumstances described later in this policy.
- Recognition of the customer’s expectation of privacy
- Use, collection and retention of customer information
- Maintenance of accurate information
- Limiting employee access to information
- Protection of information via established security procedures
- Restriction on the disclosure of account information
- Maintaining customer privacy in business relationships with third parties
- Disclosure of privacy principles to customers
It is the policy and practice of the bank to collect, retain and use information about consumers and customers (both individual and corporate) only where the bank reasonably believes the gathering of such information would be useful and allowed by law to administer the bank’s business and/or to provide products, services or opportunities to its customers.
Executive management is directed to establish procedures to ensure that, to the extent practicable, all customer financial information is accurate, current and complete in accordance with reasonable commercial standards. The bank will respond promptly and affirmatively to any legitimate customer request to correct inaccurate information, including forwarding of corrected information to any third party that had received the inaccurate information. The bank will further undertake to record that such corrective action was requested by the customer and follow up with any third party to ensure that they have processed the correction.
Executive management will take all steps necessary to ensure that only employees with a legitimate business reason for knowing personally identifiable customer information shall have access to such information. To the extent practical, access will be limited by computer access codes and granting limited access to areas in which sensitive customer information is retained. Employees will be informed at the time of their initial employment of these standards and periodically reminded of these standards during training sessions at least once each year. Willful violation of this element of this policy will result in disciplinary action against the offending individual. Inadvertent violations will be dealt with in a manner to ensure that such violations are not repeated.
The bank will maintain appropriate security standards and procedures to prevent unauthorized access to customer information. Such procedures should prevent access by not only unauthorized employees, but others as well. Such others include but are not limited to all non-employees with otherwise legitimate reasons for being on bank premises, computer “hackers”, and all intruders on bank premises.
The bank will not, except in cases allowed under the law, reveal specific information about customer accounts or other nonpublic personal information to any nonaffiliated third parties unless the customer has been provided the required privacy disclosures and is given the opportunity to decline.
If the bank is requested to provide personally identifiable information to a third party and that request is in all respects consistent with other elements of this policy, the bank will accede to the request only if the third party agrees to adhere to similar privacy principles, no less stringent than those set forth in this policy, that provide for keeping such information confidential.
Disclosure of the privacy notice (appended as a part of this policy) shall be provided to customers initially and then annually. The notice may be delivered by hand, by mail, or electronically. If the notice is provided electronically, the consumer must be required to acknowledge receipt as a necessary condition for obtaining a financial product or service.
Exceptions to the Opt Out Requirements for Service Providers and Joint Marketing
The requirements relating to customer authorization and opt out rights do not apply if our bank provides nonpublic personal information about a consumer to a nonaffiliated third party to perform services for the bank or functions on the bank’s behalf, if the bank provides the initial notice as required and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of the information to at least the same extent that the bank must maintain that confidentiality and limits the third party’s use of the information solely to the purposes for which it is disclosed or otherwise permitted.
Exceptions to the Opt Out Requirements for Processing and Servicing Transactions
The requirements for initial notice, customer authorization, opt out rights, and for service providers and joint marketing do not apply if the bank discloses nonpublic personal information:
- As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer.
- To service or process a financial product or service requested or authorized by the consumer.
- To maintain or service the consumer’s account with the bank, or other extension of credit on behalf of such entity.
- In connection with a proposed or actual secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.
Other Exceptions to Notice, Customer Authorization and Opt Out Requirements
There are additional exceptions to the requirements relating to customer authorization and opt out rights. The requirements for the initial notice, customer authorization, opt out rights, and for service providers and joint marketing do not apply when the bank discloses nonpublic personal information in the following circumstances:
- With the consent or direction of the consumer, provided that the consumer has not revoked the consent or direction.
- For the following protective or legal situations:
  - To protect the confidentiality or security of the bank’s records pertaining to the consumer, service, product, or transaction
  - To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
  - For required institutional risk control or for resolving consumer disputes or inquiries
  - To persons holding a legal or beneficial interest relating to the consumer
  - To persons acting in a fiduciary or representative capacity on behalf of the consumer
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, that are rating the bank, persons that are assessing the bank’s compliance with industry standards, and the bank’s attorneys, accountants, and auditors.
- To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 USC 3401), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety
- To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 USC 1681) or from a consumer report reported by a consumer reporting agency
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of that business or unit
- To comply with federal, state, or local laws, rules, and other applicable legal requirements, specifically:
  - To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities
  - To respond to judicial process or government regulatory authorities having jurisdiction over the bank for examination, compliance, or other purposes authorized by law
Employee Education and Training
Executive management is directed to provide a copy of this policy to all bank employees and keep a master copy which each employee will read and sign. At least once during each calendar year, the bank will conduct a meeting of all employees during which matters affecting customers’ rights to privacy will be discussed.
The board of directors will make a review of this policy at least once each year and make any revisions and amendments it deems appropriate. The Chief Executive Officer will be responsible for suggesting more frequent revisions as situations or changes in laws or regulations dictate.