GLBA Policy
EFFECTIVE DATE: March 30, 2020
1. EXECUTIVE SUMMARY
This Policy sets forth the guiding principles and standards for the purpose of effectively complying with federal requirements regarding the privacy, use, and sharing of Consumers’ Nonpublic Personal Information (“NPI”).
Troy has an affirmative and continuing duty to respect the privacy of its Consumers and to protect the security and confidentiality of those Consumers’ NPI, in accordance with the privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”), as implemented by the Consumer Financial Protection Bureau’s Regulation P. This Policy outlines the requirements for Troy to provide notice to Consumers about Troy’s privacy policies and practices. This Policy also describes the requirements and conditions which must be met before Troy may disclose Consumers’ NPI to Nonaffiliated Third Parties.
Note that a separate Written Information Security Policy sets forth the standards and guidelines for Troy’s Information Security Program.
2. PURPOSE
This Policy was developed to ensure that Troy protects and respects the privacy of Consumers’ NPI and treats such NPI in accordance with the requirements of GLBA and Regulation P.
3. SCOPE
This Policy applies to NPI about individuals who apply for or obtain a loan used primarily for personal, family, or household purposes (“Consumer Loan”) or who have applied for or obtained a Consumer Loan from Troy in the past.
4. POLICY NOTICES
Troy’s Model Privacy Notice (the “Privacy Notice” or “Notice”) is included in Section 12 of this Policy. Troy provides initial and annual Notices to its Customers in connection with any Consumer Loan products.
Troy provides the initial Privacy Notice to Consumers and Customers and an annual Privacy Notice to Customers, as required under and in accordance with the timing requirements of Regulation P. Privacy Notices provide Consumers and Customers with required information regarding Troy’s collection and disclosure of NPI. Where required under Regulation P, Troy provides Consumers or Customers with an opportunity to Opt Out of certain information sharing. Consumer and Customer Opt Out choices are tracked and honored.
4.1. Initial Privacy Notice to Consumers and Customers
Troy provides a Clear and Conspicuous initial Privacy Notice that accurately reflects Troy’s privacy policies and practices to:
- Customers, not later than when Troy establishes a Customer Relationship, unless an exception under Regulation P applies to allow delivery of the Notice within a reasonable time after the Customer Relationship is established.
- Consumers, before Troy discloses any NPI about the Consumer to any Nonaffiliated Third Party, unless an exception under Regulation P applies. Troy is not required to provide an initial Notice to a Consumer if it does not disclose any NPI about the Consumer to any Nonaffiliated Third Party and does not have a Customer Relationship with the Consumer.
Note: Troy establishes a Customer Relationship when Troy and the Consumer enter into a continuing relationship. With respect to a Consumer Loan, Troy establishes a Customer Relationship with a Consumer when Troy originates a Consumer Loan to the Consumer. If Troy subsequently transfers the servicing rights to that Consumer Loan to another financial institution, the Customer Relationship transfers with the servicing rights.
If an existing Customer obtains a new consumer financial product or service loan from Troy that is to be used primarily for personal, family, or household purposes, Troy satisfies the initial Privacy Notice requirements by: (a) providing a revised Privacy Notice (discussed below) that covers the Customer’s product or service; or (b) if the initial, revised, or annual Notice that Troy most recently provided to that Customer was accurate with respect to the new product or service, Troy does not need to provide a new Privacy Notice.
4.2. Annual Privacy Notice to Customers
During the continuation of the Customer Relationship, Troy provides a Clear and Conspicuous annual Privacy Notice to each Customer, accurately reflecting Troy’s privacy policies and practices.
GLBA and Regulation P do not require Troy to provide an annual notice to a former Customer. For example, unless another basis for a Customer Relationship exists, a Customer becomes a former Customer if he or she pays the Consumer Loan in full, Troy charges off the Consumer Loan, or Troy sells the Consumer Loan without retaining servicing rights. Once the Customer becomes a former Customer, Troy is not required to provide an annual Privacy Notice to that former Customer.
4.3. Information to be Included in Privacy Notices
Troy’s initial, annual, and revised Privacy Notices must contain certain information that applies to Troy and to the Consumers to whom Troy sends its Notices. Such information includes:
- The categories of NPI that Troy Collects;
- The categories of NPI that Troy discloses; and
- The categories of Affiliates and nonaffiliated third parties to whom Troy discloses NPI other than pursuant to certain exceptions in Regulation P.
The Notices must also include an explanation of the Consumer’s right to Opt Out of any disclosure of NPI to nonaffiliated third parties, Troy’s policies and practices with respect to protecting the confidentiality and security of NPI, and other information required under Regulation P.
If Troy discloses NPI to third parties as authorized under Regulation P’s exceptions for processing and servicing transactions and certain other purposes, it is not required to list those exceptions in the initial or annual Privacy Notice. Rather, when describing the categories with respect to those parties, it is sufficient to state that Troy makes disclosures to other nonaffiliated companies:
- For Troy’s everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to Consumer Reporting Agencies; or
- As permitted by law.
Use of the model privacy form provided in the appendix to Regulation P, consistent with the instructions in the appendix, constitutes compliance with the Notice content requirements of Regulation P, although use of the model privacy form is not required.
4.4. Opt Out Requirements
Unless an exception under Regulation P applies, Troy may not, directly or through any Affiliate, disclose any NPI about a Consumer to a Nonaffiliated Third Party unless all of the following conditions are satisfied:
- Troy has provided an initial Privacy Notice to the Consumer;
- Troy has provided an Opt Out notice to the Consumer;
- Troy has given the Consumer a Reasonable Opportunity, before disclosing the information to the Nonaffiliated Third Party, to Opt Out of the disclosure; and
- The Consumer does not Opt Out.
This restriction applies regardless of whether Troy has established a Customer Relationship with the Consumer.
In each of these instances, Troy provides a Clear and Conspicuous notice to each of its Consumers that accurately explains the right to Opt Out of the disclosure. The notice states:
- That Troy discloses or reserves the right to disclose NPI about the Consumer to a Nonaffiliated Third Party;
- That the Consumer has the right to Opt Out of that disclosure; and
- A reasonable means by which the Consumer may exercise the Opt Out right.
4.5. Revised Privacy Notices
Troy must not, directly or through any Affiliate, disclose any NPI about a Consumer to a Nonaffiliated Third Party other than as described in the initial Privacy Notice that Troy provided to that Consumer unless Troy has provided to the Consumer a Clear and Conspicuous revised Notice that accurately describes Troy’s policies and practices. The revised Notice must provide the Consumer with the ability to Opt Out.
The Consumer must be given a Reasonable Opportunity, before Troy discloses the information to the Nonaffiliated Third Party, to Opt Out of the disclosure. The NPI may only be disclosed if the Consumer does not Opt Out.
A revised Notice must be provided whenever Troy:
- Discloses a new category of NPI to any Nonaffiliated Third Party;
- Discloses NPI to a new category of Nonaffiliated Third Party; or
- Discloses NPI about a former Customer to a Nonaffiliated Third Party, if that former Customer has not had the opportunity to exercise an Opt Out right regarding that disclosure.
A revised Notice is not required if Troy discloses NPI to a new Nonaffiliated Third Party that Troy adequately described in its prior Notice.
4.6. Delivering Privacy and Opt Out Notices
Troy must provide any Privacy Notices and Opt Out notices (whether initial, annual, or revised) in writing or, if the Consumer agrees, electronically.
The notices may be delivered:
- By hand;
- Via U.S. mail to the last known address of the Consumer; or
- For Consumers who conduct transactions and agree to receive the notices electronically, by e-mail.
5. PROHIBITION ON DISCLOSURE OF ACCOUNT NUMBERS
Troy must not, directly or through an Affiliate, disclose, other than to a Consumer Reporting Agency, an Account Number or similar form of access number or access code for a Consumer’s credit card account, deposit account, share account, or Transaction Account to any Nonaffiliated Third Party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the Consumer.
This restriction does not apply if Troy discloses an Account Number or similar form of access number or access code:
- To its agent or service provider solely in order to perform marketing for Troy’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or
- To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the Customer when the Customer enters into the program.
6. EXCEPTIONS TO CERTAIN INFORMATION SHARING
Regulation P provides exceptions to its Consumer Notice and Opt Out requirements in certain limited cases. Pursuant to such exceptions, Troy is allowed to share NPI:
- With the consent or at the direction of the Consumer, provided that the Consumer has not revoked the consent or direction (and evidence of the Consumer’s consent or direction is retained by Troy);
- To a Consumer Reporting Agency in accordance with the Fair Credit Reporting Act;
- A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;
- When it is necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with: (1) Servicing or processing a financial product or service that a consumer requests or authorizes; or (2) Maintaining or servicing the consumer's account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;
- To protect the confidentiality or security of your records pertaining to the consumer, service, product, or transaction;
- To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
- For required institutional risk control or for resolving consumer disputes or inquiries;
- To persons holding a legal or beneficial interest relating to the consumer;
- To persons acting in a fiduciary or representative capacity on behalf of the consumer;
- To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Bureau, a Federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, with respect to any person domiciled in that insurance authority's state that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
- To comply with Federal, state, or local laws, rules and other applicable legal requirements;
- To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; or
- To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorized by law.
Troy personnel must receive approval from Troy’s Chief Compliance Officer before making any disclosure of NPI based upon any of the exceptions listed in this Section, given that the ability to disclose such may require the satisfaction of other requirements.
7. REUSE AND REDISCLOSURE OF NPI
If Troy receives NPI from, or discloses NPI to, a Nonaffiliated Third Party (whether pursuant to an exception under Regulation P or otherwise), use and disclosure of such NPI is subject to the restrictions set forth below.
NPI Received Under an Exception
If Troy receives NPI from a Nonaffiliated Third Party under an exception provided by Regulation P, its disclosure and use of that NPI is limited as follows:
- Troy may disclose the information to the Affiliate of the Nonaffiliated Third Party from which it received the NPI;
- Troy may disclose the NPI to its Affiliates, but its Affiliates may, in turn, disclose and use the NPI only to the extent that Troy may disclose and use the NPI; and
- Troy may disclose and use the NPI pursuant to an exception in the ordinary course of business to carry out the activity covered by the applicable exception.
For example, if Troy receives a customer list from a Nonaffiliated Third Party in order to provide account processing services, Troy may disclose that NPI under any exception in the ordinary course of business in order to provide those services. However, Troy could not disclose that NPI to a third party for marketing purposes or use that NPI for its own marketing purposes.
NPI Received Outside of an Exception
If Troy receives NPI from a Nonaffiliated Third Party other than under an exception provided by Regulation P, Troy may disclose the NPI only:
- To the Affiliates of the Nonaffiliated Third Party from which it received the NPI;
- To its Affiliates, but its Affiliates may, in turn, disclose the NPI only to the extent that Troy can disclose the NPI; and
- To any other person, if the disclosure would be lawful if made directly to that person by the Nonaffiliated Third Party from which Troy received the NPI.
For example, if Troy obtains a customer list from a Nonaffiliated Third Party outside of an exception provided by Regulation P, Troy may: (i) use that list for its own purposes; and (ii) disclose that list to another Nonaffiliated Third Party only if the financial institution from which it purchased the list could have lawfully disclosed the list to that Nonaffiliated Third Party. In other words, Troy may disclose the list in accordance with the privacy policy of the financial institution from which it received the list, as limited by the opt out direction of each consumer whose NPI Troy intends to disclose, and Troy may disclose the list in accordance with an exception provided by Regulation P, such as to its attorneys or accountants.
NPI Troy Discloses Under an Exception
If Troy discloses NPI to a Nonaffiliated Third Party under an exception provided by Regulation P, the Nonaffiliated Third Party may disclose and use that information only as follows:
- The Nonaffiliated Third Party may disclose the NPI to Troy’s Affiliates;
- The Nonaffiliated Third Party may disclose the NPI to its Affiliates, but its Affiliates may, in turn, disclose and use the NPI only to the extent that the Nonaffiliated Third Party may disclose and use the NPI; and
- The Nonaffiliated Third Party may disclose and use the NPI pursuant to an exception provided by Regulation P in the ordinary course of business to carry out the activity covered by the applicable exception.
NPI Troy Discloses Outside of an Exception
If Troy discloses NPI to a Nonaffiliated Third Party other than under an exception provided by Regulation P, the Nonaffiliated Third Party may disclose the NPI only:
- To Troy’s Affiliates;
- To its Affiliates, but its Affiliates, in turn, may disclose the NPI only to the extent the third party can disclose the information; and
- To any other person, if the disclosure would be lawful if Troy made it directly to that person.
8. TRAINING
To facilitate compliance with this Policy, Troy will provide ongoing training to appropriate employees, including guidance on the standards, processes, and restrictions set forth within this Policy.
9. ASSESSMENT OF COMPLIANCE
Ongoing reviews of Troy’s level of compliance with the GLBA laws will be completed by Troy’s Chief Compliance Officer and/or, when appropriate, third-party compliance firms and law firms retained by Troy.
10. EMPLOYEE AND VENDOR RESPONSIBILITIES
Employees are expected to adhere to this Policy. The failure to do so may result in a range of disciplinary actions, up to and including termination of employment.
Vendors who receive NPI are expected to adhere to the applicable terms set forth in this Policy. The failure to do so may trigger the remedies afforded to Troy under the relevant agreement, which may include, among other things, termination of the vendor’s approved status. A suspected violation of the GLBA laws by a vendor in connection with Troy’s product and service offerings must be immediately escalated to Troy’s Compliance Officer.
11. POLICY ADMINISTRATION
This Policy shall be reviewed and, if applicable, updated at least annually under the direction of Troy’s Chief Compliance Officer.
12. DEFINED TERMS AND REFERENCES
Account Number: An Account Number, or similar form of access number or access code for an account, but does not include a number or code in an encrypted form, as long as Troy does not provide the recipient with a means to decode the number or code.
Affiliate: Any Company that controls, is controlled by, or is under common control with another Company. Control of a Company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the Company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the Company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the Company as determined by the applicable prudential regulator (as defined in 12 U.S.C. 5481(24)), if any.
Clear and Conspicuous: A notice is Clear and Conspicuous if it is reasonably understandable and designed to call attention to the nature and significance of the information in the notice. If provided on a website, the notice must use text or visual cues to encourage scrolling down the page if necessary to view the entire notice. Other elements on the website (such as text, graphics, hyperlinks, or sound) must not distract attention from the notice. In addition, either the notice or a link to the notice must be placed on a screen that Consumers frequently access, such as a page on which transactions are conducted. If a link is used, the link must connect directly to the notice and be labeled appropriately to convey the importance, nature, and relevance of the notice.
Collect: To obtain information that Troy organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
Company: Any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.
Consumer: An individual or trust that obtains or has obtained a loan or related financial product or service from Troy that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. There are other circumstances in which an individual or trust can be a Consumer of Troy. Below are some examples of an individual or trust that would qualify as a Consumer:
- An individual/trust who applies to Troy for a Consumer Loan is a Consumer of a financial service, regardless of whether the credit is extended.
- An individual/trust who provides NPI to Troy in order to obtain a determination about whether he or she may qualify for a Consumer Loan is a Consumer, regardless of whether the Consumer Loan is extended.
- An individual/trust who provides NPI to Troy in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a Consumer regardless of whether Troy establishes a continuing advisory relationship.
- If Troy holds ownership or servicing rights to an individual's Consumer Loan, the individual/trust is Troy’s Consumer, even if Troy holds those rights in conjunction with one or more other institutions.
- An individual/trust who has a Consumer Loan in which Troy has ownership or servicing rights is a Consumer, even if Troy or another institution with those rights, hires an agent to Collect on the Consumer Loan.
However, an individual or trust is not Troy’s Consumer solely because he/she/it:
- Has designated Troy as trustee for a trust;
- Is a beneficiary of a trust for which Troy is a trustee; or
- Is a participant or a beneficiary of an employee benefit plan that Troy sponsors or for which Troy acts as a trustee or fiduciary.
In addition, an individual or trust who is a Consumer of another financial institution is not a Troy Consumer solely because Troy acts as agent for, or provides processing or other services to, that financial institution.
Consumer Reporting Agency: Any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating Consumer credit information or other information on Consumers for the purpose of furnishing Consumer reports to third parties, and who uses any means or facility of interstate commerce for the purpose of preparing or furnishing Consumer reports.
Customer: A Consumer who has a Customer Relationship with Troy.
Customer Relationship: Customer Relationship means a continuing relationship between a Consumer and Troy under which Troy provides financial products or services to the Consumer that are to be used primarily for personal, family, or household purposes. A Consumer has a continuing relationship with Troy if, for example, the Consumer:
- Obtains a Consumer Loan from Troy;
- Has a deposit or investment account with Troy;
- Has a Consumer Loan for which Troy owns the servicing rights;
- Purchases an insurance product from Troy;
- Holds an investment product through Troy, such as when Troy acts as a custodian for securities or for assets in an Individual Retirement Arrangement;
- Enters into an agreement or understanding with Troy whereby Troy undertakes to arrange or broker a Consumer Loan for the Consumer;
- Enters into a lease of personal property with Troy; or
- Obtains financial, investment, or economic advisory services from Troy for a fee.
Note that a Consumer does not have a continuing relationship with Troy based on a lending relationship if Troy sells the Consumer’s Consumer Loan and does not retain the rights to service that Consumer Loan.
Nonaffiliated Third Party: Any person except:
- An Affiliate of Troy; or
- A person employed jointly by Troy and any Company that is not an Affiliate of Troy (but a Nonaffiliated Third Party includes the other Company that jointly employs the person).
A Nonaffiliated Third Party includes any Company that is an Affiliate solely by virtue of Troy’s or a Troy Affiliate’s direct or indirect ownership or control of the Company in conducting merchant banking or investment banking activities or insurance Company investment activities.
Nonpublic Personal Information (or NPI): NPI means Personally Identifiable Financial Information and any list, description, or other grouping of Consumers (and publicly available information pertaining to them) that is derived using any Personally Identifiable Financial Information that is not publicly available. NPI includes any list of individuals’ names and street addresses that is derived in whole or in part using Personally Identifiable Financial Information that is not publicly available, such as Account Numbers.
NPI does not include:
- Publicly available information; or
- Any list, description, or other grouping of Consumers (and publicly available information pertaining to them) that was derived from Publicly Available Personally Identifiable Financial Information.
Opt Out: A direction by the Consumer that Troy not disclose NPI about that Consumer to a Nonaffiliated Third Party, other than pursuant to an applicable exception under GLBA and Regulation P.
Personally Identifiable Financial Information: Any information:
- A Consumer provides to Troy to obtain a Consumer Loan-related product or service;
- About a Consumer resulting from any transaction involving a Consumer Loan-related product or service between Troy and a Consumer; or
- Troy otherwise obtains about a Consumer in connection with providing a Consumer Loan-related product or service to that Consumer.
Personally Identifiable Financial Information includes:
- Information a Consumer provides to Troy on an application to obtain a Consumer Loan, a credit card, or other financial product or service;
- Account balance information, payment history, overdraft history, and credit or debit card purchase information;
- The fact that an individual is or has been one of Troy’s Customers or has obtained a financial product or service from Troy;
- Any information about Troy’s Consumer if it is disclosed in a manner that indicates that the individual is or has been Troy’s Consumer;
- Any information that a Consumer provides to Troy or that Troy or its agent otherwise obtain in connection with collecting on, or servicing, a Consumer Loan or a credit account;
- Any information Troy Collects through an internet “cookie” (an information Collecting device from a web server); and
- Information from a Consumer report.
Personally Identifiable Financial Information does not include information that does not identify a Consumer, such as aggregate information or blind data that does not contain personal identifiers such as Account Numbers, names, or addresses. It also does not include a list of names and addresses of Customers of an entity that is not a financial institution.
Publicly Available Information: Publicly Available Information means any information that Troy has a Reasonable Basis to believe is lawfully made available to the general public from:
- Federal, State, or local government records;
- Widely distributed media (e.g., information from a telephone book, a television or radio program, a newspaper, or a website that is available to the general public on an unrestricted basis. A website is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public); or
- Disclosures to the general public that are required to be made by Federal, State, or local law.
Reasonable Basis: Troy has a Reasonable Basis to believe that information is lawfully made available to the general public if Troy has taken steps to determine:
- That the information is of the type that is available to the general public; and
- Whether an individual can direct that the information not be made available to the general public and, if so, that Troy’s Consumer has not done so.
The following are some examples of situations where a Reasonable Basis exists:
- There is a Reasonable Basis to believe that an individual’s telephone number is lawfully made available to the general public if it has been located in the telephone book or the Consumer has informed Troy that the telephone number is not unlisted.
- There is a Reasonable Basis to believe that consumer loan information is lawfully made available to the general public if the information is of the type included on the public record in the jurisdiction where the loan would be recorded.
Reasonable Opportunity (to Opt Out): The following are examples of a Reasonable Opportunity to Opt Out:
- By mail. Troy mails the Privacy Notice and Opt Out notice to the Consumer and allows the Consumer to Opt Out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date Troy mailed the notices.
- By electronic means. A Customer opens an online account with Troy and agrees to receive the Privacy Notice and Opt Out notice electronically, and Troy allows the Customer to Opt Out by any reasonable means within 30 days after the date that the Customer acknowledges receipt of the notices in conjunction with opening the account.
- Isolated transaction with Consumer. For an isolated transaction, such as the purchase of a cashier’s check by a Consumer, Troy provides the Consumer with a Reasonable Opportunity to Opt Out if it provides the Privacy Notice and Opt Out notice at the time of the transaction and requests that the Consumer decide, as a necessary part of the transaction, whether to Opt Out before completing the transaction.
Retail Channel: A business platform made up of Consumer Loans that are originated solely by Troy.
Transaction Account: An account other than a deposit account, a share account, or a credit card account. A Transaction Account does not include an account to which third parties cannot initiate charges.
13. MODEL PRIVACY NOTICE