PRIVACY POLICY
OF
SECURITY STATE BANK
DRAWER S
PEARSALL, TX 78061
POLICY STATEMENT
All employees of Security State Bank (the “Bank”) must comply with the terms of
this policy and its procedures. Managers, employees and technical personnel must modify system
configurations, forms, and procedures, if necessary, to comply with the terms
of this policy.
The purpose of the privacy provisions of the Gramm-Leach-Bliley Act (GLBA), as implemented
by Regulation P, is to inform "consumers" of the Bank's policies and practices for disclosing
nonpublic personal information to nonaffiliated third parties and to give
them the option of opting out of such disclosures. The
rules apply only to information about individuals who obtain financial products
or services to be used for personal, family or household purposes. Therefore, the rules do not apply to
information about businesses, corporations, partnerships or similar entities, or
about individuals who obtain financial products or services for business
purposes.
This policy is a general statement of the Bank’s
objectives and subsequent procedures to protect customer information and
maintain privacy.
Scope of Policy
This policy applies to:
NOTE: This statement
of scope should not be interpreted to mean that all information resources must
be protected equally.
The Bank expects that our processing partners will
provide no less a level of customer privacy protection than that provided by
the Bank. Conversely, the Bank will make
every reasonable effort to apply the required level of customer privacy
protection to partner information resources in our custodianship. Agreements establishing these
obligations should be concluded before accepting information resources from third parties.
Collection of Customer Information
The Bank collects customer information from many different sources, such as
deposit accounts, loans, and other transactions. This includes such information as the
customer’s name, address, tax identification number, telephone number, date of
birth, mother’s maiden name, driver’s license number, credit report information
and his or her signature when opening an account. In addition to the information the Bank
collects for a deposit account, a customer requesting a loan is asked to
provide additional information related to employment, income, assets, existing
liabilities, dependents, financial history and any
other relevant information.
The Bank collects transaction information about a customer such as
balances, payee information, overdrafts and non-sufficient funds, payment
history, address changes and changes in credit or financial standing during the course of handling a deposit account or a loan.
The Bank collects information submitted from customers via e-mail
correspondence.
The Bank’s Privacy Notice, described in detail within this policy,
discloses to customers how the Bank manages customer information and under what
circumstances such information may be released to third parties (if any).
This written notice is disclosed to Bank customers at the time a new
account is established or upon request.
Maintenance of Customer Information
Customer information, whether in paper or electronic form, is maintained
whenever the Bank transmits or stores it.
Information is transmitted when it moves from one person or place to
another. Information is stored when the Bank retains it for current reference or
as a historical record.
Enforcement
Changes to this policy require approval by the Board
of Directors of the Bank. Changes in
operating procedures, standards, guidelines and
technologies, provided they are consistent with this policy, may be authorized
by Senior Management.
The Board of Directors has the authority to approve
this policy and reviews and approves it annually thereafter. Senior Management is responsible for ensuring
the directives are implemented and administered in compliance with the approved
policy.
The primary responsibility for enforcement of this
policy and its operating procedures rests with Senior Management and our
employees.
No part of this policy or its supporting operating
procedures should be interpreted as contravening or superseding any other legal
and regulatory requirements placed upon the Bank. Protective measures should not impede other
legally mandated processes such as records retention
or subpoenas. Any conflicts should be
submitted immediately to Senior Management for further evaluation and/or
subsequent submission to the Bank’s legal counsel.
Exceptions to Policy
Requests for exceptions to this policy must be very
specific and may only be granted on specific items, rather than on entire
sections. Bank personnel requesting an exception
are to submit an internal memorandum to the Bank’s CFO or
President/CEO for consideration.
RESPONSIBILITIES
All Bank personnel have specific responsibilities
under Regulation P that are directly related to their job functions. Each employee also has the responsibility to
be aware of how the way he or she performs his or her job can affect customer
privacy, such as those outlined in this section.
Senior Management is responsible for the supervision and overall management of the
Bank’s Privacy Program.
Operations, Lending, Note Department and Support Personnel
Operations, Lending, Note Department
and support personnel are required to follow the procedures below in
promoting effective management of the Bank’s Privacy Program.
1. Know when and how to provide the Bank’s privacy
notices to consumers and customers;
2. Be able to explain the basics of the Bank’s compliance
to customers and Bank personnel;
3. Protect all customer information (clean desks, secure
computer screens when absent, lock documents in branch vault at night etc.),
including all documents containing transactions, signature cards, customer and
employee lists and reports, logs, telephone messages, and files out of
customer’s view;
4. Do not discuss a customer’s business within hearing distance
of another customer;
5. Supervise and manage compliance and skill levels of
all branch personnel (applies to supervisors);
6. Recognize identity fraud and information theft attempts;
7. Be familiar with requirements for government access to
customer information;
8. Keep passwords private;
9. Place all documents containing customer information that are no longer needed
in the locked shred bins for shredding at night;
10. Finish each transaction before calling another
customer to your desk or teller window;
11. Do not discuss pending loans or customer business within
hearing distance of others when conducting business outside of the Bank;
12. Do not take reports, customer’s financial information
or files home; and
13. Manage the Bank’s Privacy Program with vendors through
contracts and monitoring (refer to the Bank’s Vendor Management Policy).
BANK’S INITIAL PRIVACY NOTICE
The Bank is required to provide a "clear and
conspicuous" initial written privacy notice to consumers and customers
that accurately reflects the Bank's privacy policies
and practices.
The rule defines the phrase "clear and
conspicuous" to mean one that is reasonably understandable and designed to
call attention to the nature and significance of the information contained in
the notice.
No initial notice is required to be given to consumers who are not customers if their
nonpublic information will not be shared or will be
shared only under the "processing and servicing" exceptions.
An initial notice is required to be given to customers
no later than when a customer relationship is established. The Bank can provide the initial notice at
the same time it is required to give other notices, such as with deposit
account disclosures required under Regulation DD when opening a deposit account
or the Regulation Z disclosures at the time the extension of credit is
consummated. In cases where the
relationship is established in person, the notice should be given at a point
when the consumer still has a meaningful choice about whether to enter into the customer relationship.
The initial notice requirements also apply when an
existing customer obtains a new financial product or service that is covered
under the regulation (i.e., for personal, family or household purposes) from
the Bank.
If two or more consumers jointly obtain a financial
product or service, the Bank can satisfy the initial notice requirements by
providing one notice to those consumers jointly.
ANNUAL NOTICE TO CUSTOMERS
The Bank is required to notify customers annually
during the continuation of the customer relationship of the Bank's privacy
policies and practices. The notice must
be given to all customers.
The term "annually" means at least once in
any period of 12 consecutive months during which the customer relationship
exists. The Bank is permitted to define
the 12 consecutive month period.
However, the time period must be applied consistently.
Effective 2016, the Bank is not required to provide
the annual notice, since it meets the following two conditions.
1. The Bank only
shares information in ways that do not trigger any opt-out requirements. In
other words, the Bank only shares information under the exceptions in sections
1016.13, 1016.14 and 1016.15 of 12 CFR 1016; and
2. The Bank has not
changed its policies and practices under paragraphs 1016.6(a)(2)-(5) and (9)
since its last notice. These paragraphs include disclosures of the categories
of information disclosed to third parties, the categories of third parties
disclosed to, the categories of information about former customers disclosed
and to whom, the categories of information disclosed under joint marketing
agreements and categories of the third parties involved, and broad categories
of certain types of disclosures made under exceptions, for example “as
permitted by law.” If the Bank makes a change to a policy or procedure that
does not affect a disclosure under these specific paragraphs, it does not
affect the Bank’s qualification for the exception.
If the Bank changes its policies and practices in such
a way that it no longer meets the conditions as set forth above, it will comply
with the regulations then in effect for providing annual notices.
CONTENTS OF PRIVACY NOTICES
The initial and annual privacy notices have the same
required content. The Bank is required
to address only those items that apply to it.
The notices must disclose:
1. Collection. The categories of nonpublic personal
information that the Bank collects. The
Bank satisfies the requirement to categorize the nonpublic personal information
that it collects if it lists the following categories, as applicable:
A. Information from consumers;
B. Information about the consumer's transactions with the Bank or its affiliates;
C. Information about the consumer's transactions with nonaffiliated third parties; and
D. Information from a consumer reporting agency.
A statement that "we collect everything" would not comply.
2. Disclosure. The categories of nonpublic personal
information about the consumers that the Bank discloses. The Bank satisfies the requirement to
categorize the nonpublic personal information it discloses if it lists the
categories described above, as applicable, and provides a few examples to
illustrate the types of information in each category.
3. To Whom. The categories of affiliates and
nonaffiliated third parties to whom the Bank discloses nonpublic personal information,
other than under the exceptions for processing and servicing and other uses
discussed in the Exceptions section below.
The Bank satisfies its requirement to categorize the
affiliates and nonaffiliated third parties to whom it discloses nonpublic personal
information if it lists the following categories, as applicable, and a few
examples to illustrate the types of third parties in each category:
A. Financial service providers (e.g., mortgage bankers, securities broker-dealers, and insurance
agents);
B. Non-financial companies (e.g., retailers, direct marketers, airlines
and publishers); and
C. Others (e.g., non-profit organizations).
4. Former Customers. The categories of nonpublic
personal information about the Bank's former customers that it discloses and
the categories of affiliates and nonaffiliated third parties to whom the Bank
discloses nonpublic personal information about its former customers, other than
under the exemptions for processing and servicing and other exemptions.
5. Opt-Out Disclosure. An explanation of the right to
opt out of the disclosure of nonpublic personal information to nonaffiliated
third parties, including the methods by which the consumer exercises that
right. (The opt-out right is
discussed below in the Right to Opt-Out section.)
6. Confidentiality and Security. The Bank's
policies and practices with respect to protecting the confidentiality and
security of nonpublic personal information.
The Bank describes its policies and practices with
respect to protecting the confidentiality and security of nonpublic personal
information if it does both of the following:
A. Describes in general terms who is authorized to have access to the information; and
B. States whether the Bank has security practices and procedures in place to ensure the
confidentiality of the information in accordance with its policy.
RIGHT TO OPT-OUT
The Bank does not disclose any nonpublic personal
information to nonaffiliated third parties, other than as permitted by law;
consequently, the Bank is not required to provide an opt-out notice.
If the Bank changes its previously disclosed policies
or practices regarding the sharing of nonpublic personal information, it will
provide the consumer with a revised privacy notice and an opt-out notice. The Bank is required to include a new opt-out
notice with the revised notice and to give the consumer a reasonable opportunity
to opt out before disclosing any information not covered in the prior
disclosure.
THE SHARING
OF ACCOUNT NUMBERS FOR MARKETING
The Bank is prohibited from, directly or through an
affiliate, disclosing, other than to a consumer reporting agency, account
numbers or similar form of access number or access code for a credit card
account, deposit account, loan account or transaction account of a consumer to
any nonaffiliated third party for use in telemarketing, direct mail marketing,
or other marketing through electronic mail to the consumer.
Exception
An exception is provided to the general prohibition on
sharing accounts numbers or similar form of access numbers or access codes when
the Bank discloses such information to:
1. The Bank's agent or service provider solely in order to perform marketing for the Bank's own products or
services, as long as the agent or service provider is not authorized to
directly initiate charges to the account; or
2. A participant in a private label credit card program
or an affinity or similar program where the participants in the program are
identified to the customer when the customer enters into the program.
Under this exception, an account number, or similar
form of access number or access code, does not include a number or code in an
encrypted form, as long as the Bank does not provide the recipient with a means
to decode the number or code.
Additionally, the final rule provides that a transaction account is an
account other than a deposit account or a credit card account. A transaction account does not include an
account to which third parties cannot initiate charges.
PRIVACY PRINCIPLES
The Bank recognizes that customer information is
important, confidential, and personal.
Protecting customer privacy, along with our customers’ financial assets,
is at the core of our business. The Bank
has adopted procedures to help ensure that the privacy of customer information is
safeguarded and protected with the highest levels of security and appropriate
discretion.
The Bank’s daily operating procedures
help assure that customer financial information is accurate, current, and
complete in accordance with commercial
standards and practices. It is Bank
policy to respond to customer requests to
correct inaccurate information in a
timely manner.
The Bank is committed to the security of customer
financial and personal information. All of
the Bank’s operational and data processing systems are maintained in a
secure and redundant environment that protects customer account information
from being accessed by unauthorized third parties. It
is the policy of the Bank to maintain internal security standards and procedures
to help prevent unauthorized access to confidential customer information. These security mechanisms are periodically
updated and tested to improve the protection of customer information and to assure data integrity.
Confidential data should be accessed only by employees
with a legitimate business need for that data.
When appropriate and to meet industry standards, the Bank will strive to
prevent inappropriate employee access to confidential data by utilizing physical
controls, software controls, hardware controls, employee training, and employee
screening.
Bank employees are made aware that, as a condition of
their employment at the Bank, the restrictions of this privacy policy
continue to apply after their employment ends.
RIGHT TO FINANCIAL PRIVACY ACT REFERENCE
The Right to Financial Privacy Act (“RFPA”) establishes procedures that
federal government agencies must follow in order to
obtain confidential customer information.
The RFPA requires the Bank to make sure that these requirements are met
prior to releasing customer information to a government agency.
No government agency may access or obtain any customer information
maintained by the Bank unless the customer information that is being requested
is reasonably described and at least one of the following is provided to the
Bank:
1. An administrative or judicial subpoena or summons;
2. A search warrant;
3. A formal written request; or
4. A customer’s written authorization.
Legal Processes
A government agency may obtain customer records through an administrative
or judicial subpoena or summons otherwise authorized by law only if the records
sought are relevant to a legitimate law enforcement inquiry. The customer must be served a copy of the subpoena or summons, or one must be mailed to the customer’s last known
address, on or before the date the Bank receives the subpoena or summons.
The customer must also be given a notice that states with reasonable
specificity the nature of the law enforcement inquiry. Federal law requires the Bank to wait 10 days after the customer has been served the notice, or 14
days from the mailing date, in order to give the customer a chance to challenge
the subpoena or summons.
Search Warrants
A government agency may obtain customer information if it obtains a search
warrant pursuant to the Federal Rules of Criminal Procedure. The government agency must mail a copy of the
search warrant along with a notice to the customer’s last known address no
later than 90 days after the government agency serves the search warrant. The notice must state the government agency that
obtained the information, the date the information was obtained and the reason
for obtaining the information.
Formal Written Requests
A government agency may request customer information pursuant to a formal
written request only if:
1. The request is authorized by regulations and signed by the head of the
agency or department;
2. No administrative summons or subpoena authority reasonably appears to be available to
that government agency to obtain customer information for the purpose for which
it is sought;
3. There is reason to believe that the records sought are relevant to a
legitimate law enforcement inquiry;
4. The customer has been served a copy of the request or one has been mailed
to the last known address on or before the date the request was made to the Bank,
together with a notice stating with reasonable specificity, the nature of the
law enforcement inquiry; and
5. Ten days have expired from the date of service or 14 days from the date of
mailing and within such period the customer has not filed a sworn statement and
application to enjoin the government agency in the appropriate court.
Customer Authorization
A customer may authorize the disclosure of information to a government
agency by furnishing to both the Bank and the government agency, a signed and
dated statement which:
1. Authorizes such disclosure for a period not in excess of three months;
2. States that the customer may revoke such authorization at any time before
the information is disclosed;
3. Identifies the specific information that is authorized to be disclosed;
4. Specifies the purposes for which, and the government agency to which, such
information may be disclosed; and
5. States the customer’s rights under the RFPA.
The customer has the right, unless the government authority obtains a court
order, to obtain a copy of the information disclosed to the government agency
as well as the identity of the government agency that requested the
information.
Delayed Notice to Customer
The customer notice may be delayed by order of an appropriate court if:
1. The investigation being conducted is within the lawful jurisdiction of the
government agency seeking the information;
2. There is reason to believe that the information being sought is relevant to
a legitimate law enforcement inquiry; and
3. There is reason to believe that such notice will result in:
A. Endangering the life or physical safety of any person;
B. Flight from prosecution;
C. Destruction of or tampering with evidence;
D. Intimidation of a potential witness; or
E. Otherwise seriously jeopardizing an investigation or official proceeding or
unduly delaying a trial or ongoing official proceeding.
Bank Procedures
Bank employees are instructed to immediately contact the Bank’s Compliance
Officer, CFO and/or Internal Auditor whenever a request from a government
agency seeking customer information is received.
Under no circumstances
shall Bank personnel provide any confidential information to a government
agency without the express written consent of Senior Management or the Bank’s
legal counsel.
REVIEW AND APPROVAL
The Board of Directors will review and approve this
policy on an annual basis.
APPROVED and adopted by the Board of Directors on March 13, 2019.
_______________________________________________
Emily M. Briscoe
Secretary to the Board of Directors