Appraisal News For Real Estate Professionals

2006/05/16

GLB Privacy Rule For Appraisers - Policy Statements and Opt-out Provisions

a la mode, inc. has developed a “Best Practices” series dealing with compliance issues of the Gramm-Leach-Bliley (G-L-B) Act. The first in this series - Must Appraisers Comply With the Gramm-Leach-Bliley Act? - dealt with some of the background issues, how the act applies to appraisers, some of the risks in ignoring it, and the two rules that affect appraisers - Safeguards and Privacy. This section deals specifically with the Privacy Rule.

Under the Privacy Rule, individuals fall into two categories: “consumers” and “customers”. Consumers are any individuals who engage the institution at least once. Customers are simply consumers who have an ongoing relationship with the company. Both must be given privacy statements regarding the use of their NPI, and opt-out notices at specific times and circumstances, by the institution they engaged.

That last phrase is essential. When a lender or other business client provides the appraiser with NPI on an individual as part of a transaction, the appraiser is not required to provide another privacy policy disclosure to the individual. The appraiser’s client must ensure that the suppliers it engages are in compliance with the privacy disclosures and opt-out notices it already provides to the individual.

Best Practices: Do not send privacy notices to consumers brought to you by a business client. The obligation is on the institution whom the consumer directly engages.

Appraisers who are indeed directly engaged by individuals must do the following:
  • Provide a conspicuous and understandable initial notice of the privacy policy, covering handling of NPI, opt-out methods, and security safeguards
  • Provide opt-out notices of sharing of NPI, with a "reasonable opportunity" to respond (weeks or months)
  • Provide new revised privacy and opt-out notices if policies change
  • For “customers” only, provide an annual privacy statement reminder for the duration of the relationship

Typically, an appraiser does not share the NPI with any non-affiliated third parties except where required to process the report. Appraisers don’t usually sell or otherwise distribute their databases for marketing purposes. Most appraisers should be able to invoke the exceptions to opt-out notification as provided in sections 313.13, 313.14, and 313.15 of the act.

Under section 313.14 in particular, appraisers would not be required to send an opt-out notification nor even provide notice that sharing of the NPI has been undertaken, when the party to whom the data is disclosed is a non-financial service provider used in processing the transaction. Likewise, in cases where the appraiser was not directly engaged by the consumer, the act of providing the data to the appraiser’s service providers would not be a violation of the original client’s privacy obligations to the consumer under section 313 of the law.

However, when directly engaged by the consumer and even when claiming exemption under any provision of section 313, the appraiser must provide the privacy policy statement up front in order to be granted the exception. Unless the consumer is aware of the policy overall, there can be no exceptions granted.

Also, note that the security provisions still apply. The appraiser must be sure that the service provider provides security controls, and that they are commensurate with the appraiser’s written security and safeguards policy.

Best Practices: Do not share NPI data with anyone other than service providers who meet your security standards, and you can generally use the opt-out exceptions in section 313. Treat all consumers and customer clients the same, by providing the “initial,” “revised,” and “annual” privacy policy disclosures to every individual who has engaged you. Annual disclosures should be sent within the calendar year (i.e., by December of the year).

Remember that unless the privacy policy disclosures are provided in all three conditions (initial, revised, and annual), the exceptions under section 313 cannot be invoked.

The privacy statement itself needs to address how the NPI will be handled and disclosed (if at all), how the consumer may opt out, and how the appraiser safeguards the data.

The latter is why the company’s individual safeguards policy must be in writing. The privacy statement does not need to include the full text of it, but it does need to state that the procedures are in place and are in writing.
