Overview
The Gramm-Leach-Bliley Act (GLBA) protects against the misuse of private, non-public personal information and requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Its privacy provisions are implemented by Regulation P. GLBA applies only to consumers; it does not apply to companies or individuals that obtain financial products and services for business, commercial, or agricultural purposes. See the Regulation P article for an in-depth look at GLBA.
Identity Verification Guidelines
BEFORE you release information to an individual claiming to be a client, you must verify their identity. Identity can always be based on your personal knowledge of the client, or on the caller providing both the Inquiry Identification (ID) Code (IID) listed on their CIF record and the last 4 digits of their Tax Identification Number (TIN).
In all other cases, to ensure that you are speaking with the client, the caller MUST provide at least 3 of the identifiers listed for the type of account in question. One of the identifiers should ALWAYS be the TIN (the Social Security number for consumers): someone who finds a checkbook or steals a check would not know it, so be very suspicious of any caller who cannot supply their TIN. Because many clients are wary of reading out their entire TIN, the last 4 digits plus 2 additional identifiers are sufficient.
There are a few ways to identify a client over the telephone.
Identifiers for Deposit Accounts:
- Tax Identification Number (TIN) or Last 4 digits of TIN (MANDATORY)
- Inquiry ID Code
- Account Number
- Date of Last Deposit
- Date of Birth
- Amount of Last Deposit
- Recent Debit Card Activity
Best Practice: Associates must not prompt the client with transaction details (dates, amounts, merchants); the client must supply them unaided. Ask for 3-4 account-level activities.
Identifiers for Loan Accounts:
- Tax Identification Number (TIN)
- Loan Number
- Amount of Last Payment
- Date of Last Payment
- Date of Birth
- Collateral Information (for example: address of property, make of vehicle)
Information on Credit Cards:
Associates with access to Elan information will use a combination of 3 of the following as identifiers for credit card callers:
- Last 4 Digits of the TIN
- Last 4 Digits of the Credit Card Number
- Home Telephone Number or Business Phone Number
- Credit/Revolve Limit
- Number of Cards on the Account
If the associate is unable to assist the client and needs assistance from Elan, contact Card Member Services:
- Personal Accounts: 1.800.558.3424
- Business Accounts: 1.800.558.8855
Once you have properly identified the caller as our client, you may answer their question or give them the information they are requesting about their account. Remember that you can only give information using this method to the client if they are a signer on the account (as confirmed by our account records).
Client Service Center (CSC) Mobile Security Code Identification
The Client Service Center (CSC) can send a mobile security code to clients who do not remember their Inquiry Identification (ID) Code (IID). This is done when the client can give their account number or last 4 but cannot provide their IID. The mobile security code is authorized as a form of identification unique to the Client Service Center because it requires the client to have their mobile device in their possession in order to read the code back to the CSC associate. That possession check only holds if the code is sent to the mobile number already on the client's record; a code sent to a number the caller supplies during the call proves nothing.
If the client cannot respond with the correct mobile code, they may still be able to authenticate using the identifiers described above or by visiting an office.
Releasing Client Information
If you are authorized by your supervisor to release information to clients, you are responsible for understanding the established identity verification guidelines. You are not to release ANY information unless you are specifically authorized to do so by your supervisor.
No person is to be so authorized until they have received the appropriate training.
Read through the accordions below to learn about what information can be released to each of these groups or in these specific situations.
To Individuals
An associate can always release information to a client if they are a signer on the account AFTER verifying the individual’s identity using established identity verification guidelines. An associate cannot release information to anyone who is not a signer on an account without the client’s written authorization unless it is in order for the client’s transaction to process, for fraud prevention or in accordance with another law or regulation. To obtain a client's permission to release information, use the Authorization to Release Information form.
To Government Agencies or Law Enforcement Officials
Regulation P does not override the exception to the Right to Financial Privacy Act which allows a financial institution to release the name, address, telephone number, and account number of an individual to government agencies and law enforcement officials upon receipt of a written request for that information.
All such requests are to be forwarded to the legal desk in Deposit Services for response. No other information (for example, whether or not an account is open) should be released to these officials without further documentation, such as a subpoena.
As Required by the Bank Secrecy Act
Regulation P does not override your responsibilities under the Bank Secrecy Act to file Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) whenever they are required or appropriate. It also does not prevent us from giving basic information to law enforcement officers when we think a crime has been committed. For example: if one of our offices has just been robbed, we can give the police a list of persons in the lobby at the time or we can tell police if we think we recognize the robber.
To Non-Affiliated Companies (Opt-Out Notices & Methods)
If a bank shares or provides non-public personal information to non-affiliated third parties for marketing purposes, they are required to provide a clear and conspicuous opt-out opportunity to each consumer before disclosing the information to the third party. Capital City Bank follows the regulatory guidelines when joint marketing with any non-affiliated third parties. We do not sell or share information with non-affiliated third parties outside of the regulatory guidelines.
Clients may opt-out of information sharing verbally or in writing. The Opt-Out Opt-In form is posted in Public Documents on netinterest. A client’s opt-out remains in effect until it is revoked by the client in writing or electronically. If the client's relationship with Capital City Bank (CCB) terminates, the opt-out preference continues to apply.
To Vendors and Service Providers
Capital City Bank does not share client information with outside third parties for marketing purposes unless we have a written joint marketing contract agreement with the third party. Clients may elect to opt out of this type of information sharing.
Client information may be shared with outside service providers and/or vendors under any of the following circumstances:
- It is necessary to provide services required to maintain the client’s account or complete transactions the client initiated.
- When mandated or permitted by law
- As necessary in the event of a national emergency.
Opt-out is not applicable to our clients for this type of information sharing.
To Capital City Bank Affiliates (Opt-Out Notices & Methods)
The Fair Credit Reporting Act (FCRA) previously allowed financial institutions to share their client's internal transaction history with an affiliate. As of December 2004, the Fair and Accurate Credit Transactions Act (FACTA) revised the FCRA to require financial institutions to provide an opportunity for a consumer client to opt-out of this type of internal information sharing among affiliated companies. Capital City Bank Group’s privacy policy allows the client to opt-out of information sharing with our affiliates.
Opt-out Information for Joint Accounts:
- Due to current limitations with Jack Henry & Associates (JHA) SilverLake, information about all owners of a joint account may be shared with affiliates unless all joint account owners have elected to opt-out.
- Affiliates are allowed to contact any joint account owner who has not elected to opt-out.
- Affiliates are prohibited from contacting any joint account owner who has elected to opt-out.
The Capital City Wealth units (Investment Services, Trust Services and Private Wealth) are affiliates of Capital City Bank. Opt-out does not apply when an affiliate markets to a client with whom it has a pre-existing business relationship, already provides benefits to the client under an employee benefit plan, responds to a communication initiated by the client, or responds to an affirmative authorization or request by the client.
Associates of these affiliates are responsible for understanding the requirements and responsibilities imposed by the Gramm-Leach-Bliley Act (GLBA) with regard to affiliate information sharing and the opt-out provisions available to clients.
To Clients Requesting Their Account Information
- If the client comes to the bank in person or calls on the telephone, after you verify the client’s identity, you may release information to that client about any account on which they are a signer.
- If the client calls and, after you verify their identity, hands the telephone to another individual and asks you to give that individual information, you may do so at the client’s verbal request. This authorization is valid during that phone call only, and only after you have spoken to the client during that call.
- If the client requests that you send or give information to a third party you must obtain a written authorization to release the information.
- Note: Capital City Bank (CCB) authorization forms have been developed for this purpose and are posted here.
- Other types of written authorization are also acceptable. To be acceptable, the form provided to us must authorize us OR any creditor to release information to a specific party, OR authorize us or any creditor to release information to any party, without restriction.
- The client can fax an authorization to CCB or deliver one in person.
- Signed buyers’ orders or applications listing the collateral on a CCB loan as trade in are also acceptable to release information to a dealership.
Individual Other than the Client
If the individual requesting the information is not a signer on the account, DO NOT RELEASE ANY INFORMATION (other than verification of funds or payoff quotes) to that person without a written authorization from the client.
E-mail Authorizations
If the client does not have access to a fax machine and cannot come into the bank, but they do have access to e-mail, you can utilize an e-mail authorization form to release information. You can use 1 of the following methods to have the client receive and return the authorization form.
- Send a secured e-mail authorization through CCB’s Online Banking.
- If the client does not have Online Banking, the CCB associate must follow the steps below to obtain a valid e-mail authorization:
- Verify the client’s identity using the Identity Verification Guidelines tab.
- Ask the client for the e-mail address they wish us to use.
- Send the E-mail Authorization Form to the client at the specified email address.
- Ask the client to reply to that email and authorize the release of information.
- Print the entire e-mail correspondence.
- Write on the printed e-mail that you spoke to the caller, verified their identity, and obtained the authorization by e-mail. Write your name by the information.
- Alternatively, identify the client using their Inquiry Identification (ID) Code (IID) and send the authorization form to the e-mail address already on their CIF rather than to an address supplied during the call. Once the client has replied with the authorization, print and annotate the correspondence as described in the last two steps above.
An e-mail sent within the bank from associate to associate stays on our internal network; e-mail sent outside the bank travels over the Internet and is not protected unless it is encrypted. Sensitive client or bank information (for example: account numbers, tax ID numbers, balance information) in e-mails that leave the bank is automatically encrypted by Egress if the associate is authorized to send this information by e-mail; the e-mail is blocked if the associate is not authorized. Contact the Chief Information Security Officer or your supervisor if you do not have the ability to send encrypted e-mail. To learn more about Egress, see Egress E-mail Encryption.
Verification of Funds
For Business Accounts
GLBA/Regulation P applies to consumer accounts only. Therefore, if an individual, merchant, or another financial institution calls to verify funds for a business account, the associate may respond to the inquiry but must limit their response to 1 of the following:
- “Yes, the check would pay at this moment.”
- “No, the check would not pay at this moment.”
- “That account is closed.”
If there are messages on the client’s CIF indicating that the check is fraudulent and you have identified the caller as legitimately having a check (see procedures below), you may state,
- “That check may not be a valid check.”
For Consumer Accounts
If an individual, merchant, or another financial institution calls to verify funds for a consumer account, the following steps must be taken:
- Ask the caller for our client’s account number, the amount of the check, and the check number.
- Look at the account history to verify that the check number corresponds to the sequence of check numbers recently paid on the account.
- DO NOT VERIFY FUNDS without checking to see if the number on the check is a number close to the range of recently paid check numbers.
- If the check number the caller gives you is within the expected range of numbers, proceed to the next step.
- If the check number is not within the expected range of check numbers, you must advise the caller to come to the office with the check.
- Respond to the inquiry, but limit your response to one of the following:
- “Yes, the check would pay at this moment.”
- “No, the check would not pay at this moment.”
- “That account is closed.”
- We cannot give any other information (for example: address, telephone number, date account closed) to the caller without written authorization from our client.
Remember, we can always release information to a client if they are a signer on the account AFTER we verify their identity following the Identity Verification Guidelines. Other than verifying funds, we cannot release information to anyone who is not a signer on an account without the client’s written authorization.
Note: A client’s account history may show 2 series of check numbers, or check numbers from non-consecutive books of checks. In those instances, look at more of the history to determine whether the check number given by the caller fits the “pattern” of check numbers recently paid. For example, some clients use two different series of check numbers on the same account (a husband and wife each carrying a checkbook on the same account).
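The check-number pattern test in the consumer steps above, together with the two-series note, can be written down as a small procedure. The following Python is an added illustrative example, not Capital City Bank's procedure or software; the account data is constructed, and the series-gap and look-ahead thresholds, the "bring the check to the office" wording, and the use of available balance as the pay/no-pay test are assumptions that the policy does not state.

```python
"""Check-number pattern check for telephone verification-of-funds calls.

Added illustrative example; not Capital City Bank's procedure or software.
Account data is constructed. SERIES_GAP, LOOKAHEAD, the COME_TO_OFFICE
wording and the available-balance test are assumptions, not policy text.
"""
from __future__ import annotations

from dataclasses import dataclass

SERIES_GAP = 200   # assumption: a jump larger than this starts a new series
LOOKAHEAD = 25     # assumption: how far outside a paid series a check may run

# The only wordings the policy permits on a verification-of-funds call.
PAYS = "Yes, the check would pay at this moment."
NOT_PAYS = "No, the check would not pay at this moment."
CLOSED = "That account is closed."
MAY_NOT_BE_VALID = "That check may not be a valid check."
COME_TO_OFFICE = "Please bring the check to the office."   # assumed wording


def split_into_series(paid, gap: int = SERIES_GAP) -> list[tuple[int, int]]:
    """Group recently paid check numbers into (low, high) ranges.

    Two checkbooks on one account (e.g. husband and wife) appear as two
    clusters of numbers; a new cluster starts wherever the sorted numbers
    jump by more than `gap`.
    """
    nums = sorted(set(paid))
    if not nums:
        return []
    series: list[tuple[int, int]] = []
    low = high = nums[0]
    for n in nums[1:]:
        if n - high > gap:
            series.append((low, high))
            low = n
        high = n
    series.append((low, high))
    return series


def check_number_fits(paid, candidate: int, lookahead: int = LOOKAHEAD) -> bool:
    """True if the caller's check number sits inside, or just beyond, a paid series.

    A number far from every series (e.g. from a stolen, unused book of checks)
    fails, and the caller is sent to the office with the check in hand.
    """
    return any(low - lookahead <= candidate <= high + lookahead
               for low, high in split_into_series(paid))


@dataclass(frozen=True)
class Account:
    number: str
    is_open: bool
    available_cents: int
    recently_paid_checks: tuple[int, ...]
    fraud_message_on_cif: bool = False   # CIF note saying checks may be fraudulent
    consumer: bool = True                # Regulation P applies to consumers only


def verification_response(acct: Account, check_number: int, amount_cents: int) -> str:
    """Return the only wording the associate may give back to the caller.

    Nothing else about the account (balance, address, close date) is ever
    returned, so a pretext caller learns only pay / no pay / closed.
    """
    fits = check_number_fits(acct.recently_paid_checks, check_number)
    if acct.consumer and not fits:
        return COME_TO_OFFICE           # consumer accounts: the range check is mandatory
    if not acct.is_open:
        return CLOSED
    if acct.fraud_message_on_cif and fits:
        return MAY_NOT_BE_VALID         # only once the caller is shown to hold a real check
    return PAYS if amount_cents <= acct.available_cents else NOT_PAYS


# Constructed sample: one account used by two people carrying separate checkbooks.
SAMPLE_ACCOUNT = Account(
    number="000123456",
    is_open=True,
    available_cents=250_00,
    recently_paid_checks=(1041, 1044, 1047, 1050, 1052, 3007, 3010, 3015),
)

if __name__ == "__main__":
    print(split_into_series(SAMPLE_ACCOUNT.recently_paid_checks))   # [(1041, 1052), (3007, 3015)]
    for check_no, cents in ((1053, 100_00), (3016, 300_00), (2000, 50_00)):
        print(check_no, "->", verification_response(SAMPLE_ACCOUNT, check_no, cents))
```

Check 1053 and check 3016 each sit just past the end of a paid series and get a pay/no-pay answer; check 2000 falls between the two series and gets only the instruction to bring the check in, with no hint of whether the account would cover it.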
Payoff Quotes
If you are speaking to a known business (for example: a car dealership or another financial institution with which you have a comfort level from prior business interactions) and the client is either refinancing our loan or paying off our loan to purchase another vehicle, do the following:
- Ask the business for specific information about the client and the loan before you release the payoff. The business must provide you with one of the following which they should already have on an application from the client:
- The client’s account number and collateral description
- The client’s TIN and collateral description
- Verify the accuracy of this information by checking the information on the client's CIF.
- After confirming, you may release a payoff quote to that business without written authorization from the client.
Do not release a payoff quote to anyone else without the client’s written authorization. Written authorization can be received by fax or e-mail.
- By fax: Must contain our client's signature. The signature should be verified unless it is received directly from a reputable merchant or another bank.
- By e-mail: See the E-mail Authorizations tab.
Client authorizations are to be kept for 30 days at the location where the authorization was received.
Active Duty Military
These procedures do not alter any existing GLBA procedures for clients who are not active duty military personnel, but are intended to recognize the special circumstances currently facing many military personnel and their families.
We have an obligation to all clients to protect the confidentiality of their non-public personal financial information. We have implemented procedures to ensure that we do not release information to unauthorized parties. Some of these procedures may be difficult when dealing with active duty military serving in a hostile territory; however, we cannot relax our efforts to ensure we have the client’s permission to release information to a 3rd party.
Identity and Information Release
Certain information is never to be released to any 3rd party. NEVER release the active duty military client’s Social Security Number or Deposit Account/Loan Number to any 3rd party UNLESS they have a confirmed power of attorney (POA) or specific written authority from the client. However, it may be acceptable, on request, to give the 3rd party information such as payment amounts, past due amounts, number of payments past due, or whether a particular check has cleared, to assist the 3rd party in handling the active duty military client’s financial affairs. This type of information may be released only after you follow the steps below to attempt to obtain the permission of the active duty military client.
Authorization of Callers to Receive Information:
The following steps should be followed when an individual is calling for information about an account of a client on active military duty.
- If the individual is also listed on the account records, you can release any information they request AFTER you verify their identity using the current identification procedures. You can always base identification upon your personal knowledge if you know a client well enough to recognize their voice over the phone. Remember that you can only give information using this method to the caller if they are a signer on the account (as confirmed by our account records).
- If the individual is not a signer on the account, we have an obligation to attempt to get the active duty military client’s permission to release the information. The procedures below are to be followed to try to obtain the active duty military client’s authorization. The active duty military client can use the authorization form (posted on netinterest); however, the authorization does not have to be in that format.
- All branches of the military encourage service members who are going overseas to designate and give a POA to an individual who can handle their financial (and other) affairs while they are away. Ask the caller if they have a POA for the active duty military client or if the active duty military client has appointed another individual to exercise a POA for them. Any requested information can be provided to a person who has a valid POA, after we receive a copy of the POA and verify the identity of the caller as the person holding the POA.
- Many military personnel have access to e-mail. Ask the individual who is calling if they can supply an e-mail address for the active duty military client. The following steps must be followed by the CCB associate to obtain a valid e-mail authorization:
- Ask the individual calling for the e-mail address of the active duty military client;
- E-mail the Active Duty Military E-mail Authorization form to the active duty military client at the specified address;
- Ask the active duty military client to reply to that e-mail and authorize the release of information to a specified person
- When a reply is received, print the entire e-mail correspondence;
- Write on the printed e-mail the name of the party that you obtained the e-mail address from, and that you then obtained the authorization by e-mail. Write your name by the information.
- There may be instances when the above procedures are not possible. The active duty military client could have been deployed prior to designating a POA and may not be accessible by e-mail. If you are unable to obtain the authorization using the methods above, you may provide specific requested information to the active duty military client’s spouse, parents, or adult child. The individual would need to provide verification of their relationship to the active duty military client PRIOR to releasing the information. Birth records, marriage licenses, spousal military ID cards, or other types of documentation (utility or credit card statements with the active duty military and the 3rd party’s name) that would indicate the relationship are acceptable. Refer again to the beginning of this procedure for the types of information that can and the types of information that must not be provided to a 3rd party.
Collection Efforts for Past Due Accounts of Active Duty Military Clients:
If a bank associate calls a client to collect on a past due account and is told that the client has been called to active duty, the bank associate may ask the individual for contact information so they can reach the client. If informed that the client is “unreachable” because of their military status, it is acceptable to ask the individual to relay to the active duty military client the simple fact that the account is past due and a request that they contact us when they are able to do so. Care should be taken with releasing “too much” information.
However, if the individual volunteers to make a payment on behalf of the client to bring the account current, it is acceptable for the associate (using their good judgment) to provide information about the payment amount sufficient to allow that person to make a payment (it is preferable to ask the person to make such a payment directly to the collector, to make sure it is processed properly). We must be very careful about giving information to anyone other than the active duty military client or a person holding his or her POA. In general, information may only be given to a spouse; parent or adult child of the military client after satisfactory evidence of their relationship is obtained.
Associates must use good judgment when the active duty military client cannot be reached and has not designated a POA to handle their affairs. Remember, the intent of these procedures is to provide assistance to the military client and their family while protecting the confidentiality of their information. If you have questions about these procedures or a specific situation does not fall within the above guidelines, please contact the Chief Information Security Officer.
Address Changes
In an attempt to prevent identity theft and protect client information, a confirmation letter is mailed to BOTH the old address and the new address to confirm that the client wishes to have their address changed. The JHA system automatically prepares the letters for distribution each time an address change is made to a client’s CIF record. Deposit Services is responsible for mailing the letters. Associates should notify the Chief Information Security Officer immediately if a client reports they have received a letter and has not requested an address change.
Watch for Fraud
Pretext Telephone Calling Information
Pretext calling is a method of impersonation used by a caller to obtain a client’s nonpublic personally identifiable information. It is associated with many reported cases of identity theft and contributes to the losses from check fraud each year. Obtaining customer information by false pretenses was made illegal by the Gramm-Leach-Bliley Act.
Pretext callers use a variety of ploys. They often pretend to be clients, higher-level associates within the bank, officials at another bank, government regulators or law enforcement officers, and they rely on approaches that exploit the psychology and human nature of associates, such as intimidation and feigned helplessness.
Capital City Bank associates are required to follow the established identification guidelines to avoid becoming a victim of pretext calling.