Effective Date: 09/01/2021
The Gramm-Leach-Bliley Act of 1999 (“GLBA”) was enacted to enhance competition for financial products and services. Title V of the act governs a financial institution’s treatment of nonpublic personal information about consumers and requires that an institution, under certain circumstances, notify consumers about its privacy policies and practices. With certain exceptions, GLBA prohibits a financial institution from disclosing a consumer’s nonpublic personal information to a non-affiliated third party unless the institution satisfies various notice requirements and the consumer does not elect to prevent, or “opt out of,” the sharing of that information. GLBA also imposes specific requirements regarding the disclosure of customer account numbers and the reuse and redisclosure of information a financial institution provides to a third party.
The California Consumer Privacy Act (“CCPA”), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
The Right to Financial Privacy Act was enacted in 1978 to provide customers of financial institutions a reasonable amount of privacy from federal government scrutiny. The act establishes specific procedures that government authorities must follow when requesting a customer’s financial records from a bank or other financial institution. It also imposes limitations on financial institutions prior to the release of information sought by government agencies.
Pursuant to its Information Security Policy, Felix classifies information into four distinct categories and uses a risk-weighted approach to give each category of information appropriate protection: restricted, confidential, unrestricted within Felix, and public.
Felix customer data is always classified as restricted data and receives Felix’s strictest level of data protection.
Consumer-A consumer is an individual who obtains or has obtained a financial product or service that is to be used primarily for personal, family or household purposes and includes such an individual’s legal representative. An individual who has not previously engaged in a transaction becomes a consumer when he or she obtains a financial product or service in an isolated transaction. A consumer includes an individual who provides nonpublic personal information in order to obtain a determination about whether he or she qualifies for a financial product or service.
Customer-A customer is a consumer with a “customer relationship.” A customer relationship is a continuing relationship between Felix and a consumer under which Felix provides one or more financial products or services to the consumer that are to be used for personal, family or household purposes. For example, a consumer establishes a customer relationship with a financial institution when the consumer:
Opens and maintains a deposit or investment account;
Obtains a loan;
Enters into a lease of personal property; or
Obtains financial, investment or economic advisory services for a fee.
The definition of customer under the Right to Financial Privacy Act is somewhat broader and includes any person who uses or has used any service of a financial institution.
Categories of Information-GLBA identifies three categories of information: personally identifiable financial information, publicly available information and nonpublic personal information.
Personally identifiable financial information. Any information collected about a consumer in connection with providing a financial product or service to that consumer, including:
Information a consumer provides to obtain a financial product or service (e.g. the consumer’s name, phone number, address and income);
Information about a consumer resulting from any transaction involving a financial product or service (e.g., payment history, loan or deposit balance and credit card purchases); and
Information that is otherwise obtained about a consumer in connection with providing a financial product or service to that consumer (e.g. information from a consumer credit report).
Personally identifiable financial information also includes the very fact that an individual is or has been a consumer of a financial institution, as well as any information disclosed in a manner that indicates that fact.
Publicly available information-Any information that is lawfully made available to the general public from federal, state or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state or local law. Felix has a “reasonable basis” to believe that information is publicly available to the general public if it has taken steps to determine (1) that the information is of the type that is available to the general public, and (2) whether an individual can direct that the information not be made available to the general public and, if so, that the consumer has not made such a direction.
Any information that satisfies these two criteria is publicly available information, regardless of the source of that information.
Nonpublic personal information-Information protected under GLBA that consists of the following:
Personally identifiable financial information that is not publicly available information, and
Lists, descriptions or other groupings of consumers (including publicly available information contained therein) that are derived using personally identifiable financial information that is not publicly available.
When a list or other grouping of consumers is generated using customer relationships, deposit balances, account numbers or other personally identifiable financial information that is not publicly available, all information contained in that list, including any publicly available information about the consumers, is nonpublic personal information. By contrast, lists or other groupings of consumers that contain and are created using only publicly available information do not constitute nonpublic personal information.
It is Felix’s policy to protect its customers’ privacy and to transparently disclose to customers how their data will be used by adhering to the requirements of the GLBA, Dodd-Frank Act, CCPA, and relevant financial industry practices.
GOVERNANCE AND OVERSIGHT
Senior Management is responsible for oversight of Felix’s compliance with the requirements of this policy. This policy will be reviewed by the Compliance Officer on at least an annual basis as part of Felix’s Compliance Management Program.
The Board of Directors will remain informed of Felix’s compliance with this policy through periodic reporting on the effectiveness of the Compliance Program to the Compliance Committee, as well as through an annual independent compliance audit.
Privacy and Opt-Out Notices
GLBA requires a financial institution to notify consumers of its policies and practices regarding the treatment of nonpublic personal information. Disclosure of nonpublic personal information to any nonaffiliated third party is prohibited unless the consumer:
Is provided with an initial notice and an opt-out notice;
Is provided a reasonable opportunity to opt out; and
Does not exercise his or her right to opt out.
Felix provides privacy notices to its customers before it collects any nonpublic personal information (“NPPI”) from them. Felix’s privacy notices include the following disclosures:
the categories of information Felix collects;
the categories of information that Felix discloses to affiliates and non-affiliated third parties;
the types of affiliates and non-affiliated third parties to which Felix may disclose customer data;
Felix’s policies and practices with respect to the treatment of former customers’ information;
categories of information disclosed to Felix’s third-party vendors;
an explanation of the customer’s opt-out right and methods for opting out;
any opt-out notices that Felix is required to provide under the FCRA with respect to affiliate information sharing;
Felix’s policies and practices for protecting the security and confidentiality of information; and
a statement that Felix makes disclosures to non-affiliated third parties for everyday business purposes or as permitted by law.
Website and Application Data Privacy Notices
Before Felix collects any customer data, it provides a data privacy notice on both its website and mobile application.
These notices inform Felix customers about what categories of personal information Felix will collect from them and the purposes for which Felix will use that customer data. The notice also lists any of the following categories of personal information that Felix has collected in the prior 12 months, the source of that information, and the purpose for which Felix has used that information:
identifiers (such as contact information, government IDs, cookies, etc.)
information protected against security breaches (such as the customer’s name together with a financial account number, driver’s license number, Social Security number, username and password, or health/medical information)
protected classification information (like race, gender, ethnicity, etc.)
commercial information (records of products/services purchased, consumer history)
Internet/electronic activity (browsing history, search history, etc.)
sensory data (audio/video data)
professional or employment related information
non-public education information
inferences from the foregoing
The privacy notice also lists any categories of personal information that Felix has sold or disclosed to a third party for a business purpose within the prior 12 months.
Felix provides a notice to consumers that describes the consumer’s right to opt out of sharing information with nonaffiliated third parties. The notice provides instructions about how the consumer can exercise those rights before nonpublic personal information about the consumer is disclosed.
Felix provides an annual notice of its privacy policies and practices during the continuation of a customer relationship.
Collection from Third Parties
By using Felix products and services, Felix customers authorize Felix to collect information from third party financial institutions that the customer identifies to Felix. This information includes but is not limited to account numbers, transaction histories and account balances. The third-party financial institutions that customers identify are those with which they have a banking relationship, maintain an account, or engage in financial transactions.
Customer Data Sharing
Felix shares customer data within its organization for purposes of providing financial products and services, as well as for improving its financial products and services and analyzing relevant customer trends. As noted above, Felix classifies all customer data as restricted and makes it available to Felix employees and agents on an as-needed basis for business-related purposes.
In order to facilitate the provision of those financial products and services, Felix discloses customers’ nonpublic personal information to designated non-affiliated third-party vendors. This customer information may include account transaction history and account balance information.
Pursuant to Felix’s Vendor Management policy, all contracts with third-party vendors that access Felix’s customer data are required to contain data privacy assurances, including the vendor’s agreement to adhere to relevant data privacy regulations such as the GLBA. Third-party vendors with access to Felix customer data are prohibited from disclosing or using customer information for any reason other than the business purposes agreed upon and established in their contract with Felix.
Where appropriate, contracts with third-party vendors that access Felix customer data will require those vendors to maintain and share with Felix complaint logs related to data privacy concerns. The Compliance Officer will review the complaint logs of third-party vendors with access to Felix customer data on at least an annual basis to ascertain whether such vendors are adhering to the data privacy obligations in their contracts with Felix.
Sales of Customer Data
Felix does not currently sell customer data to any third party.
California Resident Information or Erasure Requests
Pursuant to the CCPA, Felix customers who are California residents may make a personal information or erasure request twice in a 12-month period. A personal information request may ask Felix to disclose the categories of personal information that it collects, the sources from which it collects personal information, the business purposes for which it collects personal information, the categories of third parties with which it shares personal information, and the specific pieces of personal information that Felix holds about that customer. An erasure request may ask Felix to delete any personal information that the customer provided to Felix.
Felix complies with and honors personal information and erasure requests from California residents. Before acting on a request, Felix collects sufficient information from the customer to verify his/her identity, so that personal information is neither disclosed to nor deleted at the direction of someone other than the customer, and responds to such requests within 45 days of receipt.
Request for Erasure
California residents may submit personal information or erasure requests by emailing xxxxxx, through Felix chat, or by calling xxxxxxxx. When Felix receives these requests, Customer Success handles them according to the type of request, and the Compliance Officer oversees the response and/or erasure process.
The Right to Financial Privacy Act
From time to time, Felix may be asked to provide customer financial information to government agencies conducting an investigation of a Felix customer. Felix may not release a customer’s financial records until the agency requesting the information has certified that it has met the requirements of the Right to Financial Privacy Act, which requires the agency to first obtain one of the following:
An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customer’s rights under the act;
An administrative subpoena or summons;
A search warrant;
A judicial subpoena; or
A formal written request by a government agency (to be used only if no administrative summons or subpoena authority is available).
Upon receipt of a written certification from the government agency that it has complied with the requirements above, as well as receipt of a copy of the mechanism by which authority to release the information has been granted, Felix may release the customer financial records being requested.
Upon receipt of a subpoena, a search warrant or other mechanism by which the government is requesting access to customer records, the request should be forwarded immediately to the Legal Department for review and a determination of whether all requirements have been met. The Legal Department will make a determination at that time as to the response to provide and/or whether outside counsel should be engaged to review the request or communicate with the government agency.
The Legal Department will log all requests for customer financial information, including the following:
Date of the request;
Agency requesting the information;
Name and account number of the customer;
Type of supporting documentation authorizing access to the customer’s financial information (subpoena, search warrant, customer authorization);
Identification of the financial records being requested/provided;
Date the records were provided;
Contact information for the requesting party; and
Notes relative to the request.
When providing customer financial information, any documentation must be provided via a secure means: either electronically, through an encrypted transfer or an encrypted or password-protected file (with the password or key sent to the requesting party through a separate channel), or physically, with delivery confirmation.
The Right to Financial Privacy Act protections do not apply to a request by a supervisory agency conducting an examination of Felix or to any activity related to the investigation of a consumer complaint.
THIRD-PARTY SERVICE PROVIDERS
Felix handles third-party vendors in accordance with its Vendor Management Policy; pursuant to that policy, all third-party software vendors have contractual requirements that obligate them to maintain the same high level of data privacy standards that Felix employs.
In addition, Felix’s Compliance Officer must review and approve all third-party vendors considered to be medium- or high-risk under the Vendor Management Policy, which will include all vendors that access customer data.
Felix will contractually require third parties who access Felix customer information to provide equivalent or more extensive data privacy training to their employees.
Felix will provide annual training on data privacy issues, including employee compliance with the GLBA, to all Felix employees. New Felix employees will be required to take this training within 30 days of hire. As part of this training, Felix employees will be required to review this policy and certify their understanding of it.
The Compliance Officer is responsible for ensuring that appropriate written procedures and internal controls are adopted and that technology solutions are designed so as to ensure compliance with this policy.
Felix engages in effective and regular monitoring of its data privacy program and enhances its internal controls on a regular basis. The Compliance Officer will conduct an assessment of Felix’s data privacy program on an annual basis (or more frequently as circumstances require). Based on his/her assessment of the relevant risks, the Compliance Officer will develop plans for any required enhancements to the data privacy program. Any ad hoc modifications of or enhancements to internal controls impacting data privacy must be reviewed by the Compliance Officer prior to implementation.
The Compliance Officer will present the annual data privacy program assessment and his/her recommendations for planned enhancements to the Compliance Committee for its review and approval. At its discretion, the Compliance Committee may escalate data privacy concerns or plans for program enhancements to the Felix Board of Directors.
Felix takes all reasonable measures to prevent, detect, and remediate data privacy incidents. Felix handles all data privacy incidents in accordance with the policies and procedures outlined in the Felix Information Security Policy.
Should a system failure or security breach result in the compromise of customer data, Felix will notify law enforcement (the Federal Bureau of Investigation) and any impacted customers within 24 hours.
The Right to Financial Privacy Act has no defined retention schedule; however, Felix will maintain copies of all administrative and judicial subpoenas, search warrants or formal written requests received from federal government agencies or departments, along with the accompanying written certification, for the duration of the relationship with the customer plus five years.