1. BACKGROUND:  In November of 1999, the Gramm-Leach-Bliley Act (GLBA) was enacted into law. Among other things, it imposes specific duties on financial institutions (the Bank) to protect the financial information of their customers.  The final rules provided for an effective date of November 13, 2000, but compliance was not mandatory until July 1, 2001.
  1. PURPOSE:  The rules accomplish three specific purposes:
  • They require the Bank to provide notice to consumers about that institution’s privacy policies and practices.
  • They describe the conditions under which the Bank may disclose non-public personal information about consumers to non-affiliates.
  • They provide a method for consumers to “opt-out” of the Bank’s disclosure of that information to non-affiliates.
  1. SCOPE:  The rules apply only to individual consumers who obtain financial products or services for personal, family or household purposes.  GLBA does not apply to information about companies or about individuals who obtain financial products or services for business purposes.

Additionally, the rules apply only to “non-public personal information”.

  1. STATEMENT:  The Board fully recognizes that mutual trust is of utmost importance in establishing and maintaining customer relationships in the financial industry and further, the Bank has realized a duty to protect the confidentiality of private, personal information that customers have chosen to share with us.   Therefore, First National Bank will not disclose, and does not wish to reserve the right to disclose, nonpublic personal information about our customers or former customers to affiliates or nonaffiliated third parties, except as permitted by law.
  1. APPOINTMENT OF PRIVACY OFFICER:  The Compliance Committee will designate the Privacy Officer with overall and ultimate responsibility for the proper creation and maintenance of the Bank’s privacy program.
  1. DEFINITIONS:  Definitions used in this policy are consistent with terms used in the statutory definitions and regulatory issuances related to consumer privacy in the financial services industry.
  • A consumer means an individual who requests or obtains a financial product or service from the Bank that is to be used primarily for personal, family or household purposes, regardless of whether a customer relationship is established.  Any individual who requests a product or submits an application is deemed to be a “consumer” even if the product is not obtained or the application is denied. 
  • A customer means a consumer who has established a customer relationship.  A customer relationship is established when the consumer executes a contract that is necessary to conduct the transaction.  If the transaction does not involve a written contract, the customer relationship is established when the consumer pays, or agrees to pay, a fee for the product or service.
  • Personally identifiable financial information is defined to mean any information:
  • Provided by a consumer to obtain a financial product or service
  • Resulting from any transaction with the Bank involving a financial product or service
  • The Bank otherwise obtains in connection with providing a financial product or service to the consumer.  Examples of “personally identifiable financial information” include:
  • information a consumer provides on an application to obtain a loan, credit card, etc.,
  • account balance information, payment history, overdraft history, credit card purchases, etc.
  • the fact that an individual is or has been one of the financial institution’s customers
  • information obtained in servicing or collecting a loan
  • information from a consumer report
  • Non-public personal information expressly excludes information that is publicly available.    Information is deemed publicly available if the Bank has a reasonable basis to believe that the information is available to the general public from government records (e.g., county mortgage records), widely distributed media (e.g. telephone books), or disclosures required by law (e.g., court cases).  The Bank cannot just assume that certain customer information is publicly available; rather, it must determine that the information is of the type that is generally available to the public and whether the consumer can direct such information to not be publicly available (e.g., an unlisted telephone number).  If a consumer can take steps to prevent such information from being made publicly available, the Bank must determine whether or not the consumer has actually taken such steps to prevent its public disclosure.
  1. NOTICES TO BE GIVEN TO CUSTOMERS:  The Bank will provide clear and conspicuous notices (attachment A) that are reasonably understandable and designed to call attention to the nature and significance of the information.  The notice should accurately reflect and summarize the Bank’s privacy policy and practices.   This notice should parallel the internal operational policies, procedures, and controls of the Bank.

Two types of privacy notices are applicable to our Bank:

  1.  The initial customer privacy notice will be provided at the time a customer applies for a customer relationship with the Bank.  The Bank, at that time, will provide the required notice such that the customer can reasonably be expected to receive the actual notice in writing and be able to retain it.

Initial notices, under certain circumstances, may be provided within a reasonable time frame after the Bank has established a customer relationship if 1) establishing a customer relationship is not at the customer’s election, or 2) providing the notice would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.

The rules do not discourage a Bank from providing notices at an earlier point in the relationship if the Bank desires to make it easier for the individual to compare policies and practices with those of other institutions in advance of conducting transactions.

Failure to acknowledge receipt of the notice may result in the Bank’s refusal to provide the customer’s requested banking product or service.

For consumers who do not become customers, the Bank will adhere to the privacy policies and practices described in the notice, regardless of the fact an account was not opened.

  • The annual customer privacy notice:  The GLBA requires financial institutions to provide customers with notice of the institution’s privacy policies and procedures annually.  However, the act was amended (December 2015) to eliminate this annual notice requirement for financial institutions that satisfy two criteria:
  • The financial institution does not share nonpublic personal information with nonaffiliated third parties except pursuant to certain GLBA exceptions permitting such disclosures; and
  • The financial institution has not changed its privacy policy and procedures since the most recent privacy notice delivered to consumers.

If the Bank does not comply with either of the above two exceptions, we will provide the annual notice to our customers.  Notices must be provided in a clear, conspicuous manner to each customer; however, it is acceptable to provide a single notice for joint accountholders.  The notice must be provided on an annual basis, no less than every 12 months.

If changes or revisions have been made to the privacy notice or procedures, the alternative delivery method may be used to satisfy the annual notice delivery requirements:

  • The privacy notice will be continuously posted on our website home page, with the ability for customers to view and print.  The notice will not contain content other than the Privacy Notice information and will be in the regulatory model privacy format.  No access requirements (user ID or password) will be needed to view the Privacy Notice.
  • The following information will be delivered to existing customers:
  • Web page address containing the link to the privacy notice
  • Telephone number for the bank that customers can call
  • Statement that the notice has not changed since the last delivery
  • A hard copy notice can be requested and will be mailed to the customer upon request
  • The information regarding our Privacy Policy will be provided to our existing customers through various methods as follows (not all inclusive):
  • Application statement and notice messages
  • Web site message
  • Mailers
  1. Delivery consists of the reasonable expectation by the Bank that the customer has received the privacy notice and can retain it if the privacy notice is 1) handed in printed format to the customer, 2) mailed to the customer’s last known address, 3) if the customer agrees, delivered electronically, or 4) able to be viewed and printed from the bank website. 

Oral description of the notice is not deemed adequate; therefore, Bank staff may not provide the required initial notice by orally explaining the details of the notice, either in person or over the telephone.

Posting of the Bank’s initial privacy notice or the annual customer data privacy notice in the Bank lobby is not sufficient delivery.

  1. Content of the initial and subsequent annual privacy notices will include the following information to the extent required by law in a clear, conspicuous manner:
  • Statement that the Bank does not disclose any nonpublic personal information about its customer to anyone, except, as permitted by law
  • Statements about what categories of nonpublic personal information the Bank collects
  • Statement that if a customer decides to close any account(s) or become an inactive customer, the Bank will adhere to the privacy policies and practices as described in this notice
  • Details regarding the Bank’s policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.
  1. If the Bank changes the terms of the privacy policy and practices, the Bank may not disclose, either directly or through a future affiliation, any nonpublic personal information about a customer to an affiliate or a nonaffiliated third party unless:
  • The Bank has provided the customer with a revised notice that accurately summarizes the Bank’s revised policies and practices
  • The Bank has provided to the customer an opt-out notice with the revised privacy notice
  • The Bank has given the customer a reasonable opportunity, deemed to be 30 days after the notice has been mailed or hand-delivered, to opt out of the disclosure before the Bank discloses the information to any affiliate or nonaffiliated third party
  • The customer does not opt out.
  1. If one or more customers jointly obtain a financial product or service from the Bank, we may satisfy the privacy notice requirements by providing one notice to those customers jointly.

The Bank is permitted by law to disclose certain information to affiliates and nonaffiliated third parties.  The Bank can disclose publicly available information, as defined by law.

The Bank can also disclose the following “exempt” nonpublic personal information under the circumstances and reasons described below.

  • As necessary to effect, administer or enforce a transaction requested or authorized by the customer, or in connection with:
  • Servicing or processing a financial product or service requested or authorized by the customer
  • Maintaining or servicing the customer’s account with the Bank or with another entity as part of a private label credit card program or other extension of credit on behalf of the entity
  • A proposed or actual securitization, secondary market sale (including sale of servicing rights), or similar transactions related to a transaction of the customer.
  • With the consent or at the direction of the customer, provided that the customer has not revoked the consent or direction.
  • To protect the confidentiality or security of the Bank’s records pertaining to the customer, service, product, or transaction.
  • To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
  • For required information risk control or for resolving customer disputes or inquiries.
  • To persons holding a legal or beneficial interest relating to the customer.
  • To persons acting in a fiduciary or representative capacity on behalf of the customer.
  • To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the Bank, persons who are assessing the Bank’s compliance with industry standards, and the Bank’s attorneys, accountants, and auditors.
  • To the extent specifically required or permitted under other provisions of law and in accordance with the Right to Financial Privacy Act to law enforcement agencies (as defined in the regulations), to self-regulatory organizations, or for an investigation on a matter related to public safety.
  • To consumer reporting agencies as permitted under the Fair Credit Reporting Act, or from a consumer report reported by a consumer reporting agency.
  • In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely customers of such business unit.
  • To comply with federal, state, or local laws, and other applicable legal requirements.
  • To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities.
  • To respond to judicial process or government regulatory authorities having jurisdiction over a bank for examination, compliance, or other purposes as authorized by law.

The Bank may not directly disclose any nonpublic personal information which it may receive about a customer from a nonaffiliated financial institution to any other person not affiliated with either the Bank or the other financial institution, unless the disclosure would be otherwise permitted by law.

The Bank may use nonpublic personal information about a consumer that it receives from a nonaffiliated institution as permitted by law.

Pursuant to the Bank’s policy of not disclosing nonpublic personal information, the Bank will not disclose this information to any vendor or joint marketers, except as otherwise permitted by law.


The Bank has established procedures to ensure that customer financial information is accurate, current and complete.  The Bank will respond promptly to requests to correct inaccurate information.


The Bank will restrict access to nonpublic information about its customers to those employees who need to know that information to provide products and services to the customer.  The Bank will maintain physical, electronic, and procedural safeguards that comply with federal standards to prevent unauthorized access to, or manipulation or destruction of, nonpublic, personal information. 

Customer information should also be protected from unauthorized access by individuals outside the Bank.  Paper records should be stored in a location that is secure at all times.  Computer records should be protected with an abundant use of applicable tools, such as passwords, automatic time-outs, encryption, and restricted use of processing/informational software.  Additionally, the security administrator and the Bank’s systems administrator will be responsible for periodically, but not less than annually, assessing current controls of our computer records.

The Bank shall keep customer information only as long as it is useful to the administration of a customer’s relationship or the provision of particular products and services to a customer as required by law.  Aware of federal and state record retention periods, we shall retain information about persons who are no longer customers of the Bank for a reasonable period of time, at which time the record media will be destroyed and rendered useless to any other person.


Employees must understand the importance of customer privacy and the need, at all times, to comply with confidentiality of nonpublic personal information.  The Bank will take appropriate disciplinary measures to enforce employee privacy responsibilities.

All current employees will receive annual training regarding the privacy regulation and our Bank’s responsibility to preserve the integrity of customer information.  New employees will receive privacy training upon hire.


Periodic audits will help management assess risk and verify the effectiveness of the compliance program.  The Privacy Officer and Compliance Officer will meet at least semi-annually to discuss, at a minimum, the following items with respect to compliance with GLBA and this Privacy Policy:

  • Delivery of initial and annual notices to customers
  • Delivery of initial notices to consumers who are not customers
  • Accuracy of privacy notices
  • New or renewed vendor contracts
  • Evaluate long-standing or new operating procedures for compliance
  • Review policy for possible revisions
  • Training needs