It’s your data. You deserve to know what we do with it.
Last month the European Union’s General Data Protection Regulation (GDPR) went into effect. This has caused some needed discussion and news coverage about privacy and data security. While the credit union is not directly affected by GDPR, the regulation does raise some questions we feel our members should have answers to. These are questions that should be addressed by all financial institutions regardless of size. At First Education, we take data security seriously and do not believe that smaller financial institutions have any less risk in this area than larger institutions.
WHAT INFORMATION DO WE KEEP ABOUT YOU?
We get personally identifiable information (PII) about our members from several sources. First, there is information that you have given us. This includes your name, birth date, tax ID number, and contact information including phone numbers and address. It also includes images of documents you have provided to us. This can include driver licenses and other identification cards, birth certificates, marriage licenses, etc.
We, also, store information about your accounts with us. This includes balances and transaction details as well as documents generated based on your account activity. This can include account cards, loan documents, receipts, stop payment orders, wire forms, etc.
Depending on the services you have or have had with us, we may have information on accounts you have at other financial institutions and organizations with which you do business. For example, if you have applied for a loan with us, we may have information on loans you have with other financial institutions.
WHERE DO WE STORE THIS INFORMATION AND HOW IS IT PROTECTED?
All active personal and financial data is stored at two data centers operated by our core processor, one for production and one for business continuity. All document images are store on a local server and two archive sites. All data centers are located in the United States.
All data is encrypted in transit (128-bit SSL) and at rest (256-bit AES). The data centers utilize private non-routable address space that require a point-to-point Virtual Private Network (VPN) for access.
We do not permanently store PII on individual computer workstations or mobile devices.
WHAT ABOUT PAPER DOCUMENTS?
All documents containing PII are stored at our office or an off-site storage facility located in Cheyenne, WY. When not in use, these documents are stored in locked, fireproof filing cabinets. Over the past few years, we have dramatically reduced the amount of PII stored on paper documents. This makes the information we keep about you even more secure.
CAN YOU HAVE INFORMATION DELETED?
No, we only retain information as required by law or necessary to provide our products and services to you. Therefore, under normal circumstances, we will not delete information we have about you outside of our document retention policy.
CAN YOU HAVE INFORMATION CORRECTED?
Yes, we want the information we have about you to be as accurate as possible. If you suspect we have inaccurate information about you, contact us and we will correct it as soon as possible. If this information was provided to us by a third-party, you must notify the data provider to have them correct the information.
CAN YOU LIMIT THE INFORMATION WE COLLECT?
No, we only collect information as required by law or necessary to process transactions for you. To limit the information third-parties provide to us about you, we need to contact the third-party supplying the information.
HOW LONG DO WE KEEP YOUR INFORMATION?
Most financial information is kept for two to seven years. This includes loan documentation, receipts and other transaction documentation and tax reporting information. However, we keep certain information indefinitely. This includes PII on all current and past members and other information on membership application and signature cards. The specific retention period is based on state and federal regulations.
CAN YOU ACCESS YOUR INFORMATION?
Yes, much of it is available to you through NetTeller, our home banking system, or included on your monthly statements. You can also access information by visiting our office or sending us a letter. Limited information is available via phone. There may be a charge for obtaining some of this information.
WHO ELSE HAS ACCESS TO YOUR INFORMATION?
We provide your information or access to your information to several organizations for reasons that fall into six general categories.
1. To comply with regulatory requirements: You cannot limit this type of access.
We provide our statement provider with data required to produce periodic account statements and tax forms. The information is retained on their servers for up to three years and as need for eStatement access.
We provide our CPA firm with contact information and account balances as needed to complete the member account verification process. This information is retained by them for three years.
We provide our federal regulator with substantial information about you as required by federal regulations. However, the NCUA only retains the information for the length of our examination.
We provide our BSA support provider with information on all members as required to comply with the Bank Secrecy Act. This information is limited to name, account number and ACH activity. They store this information for up to seven years as required by federal regulation.
We provide various state federal government agencies with limited information on specific members for specific reasons. These reasons include reporting dormant accounts, compliance with the Bank Secrecy Act, tax reporting, child support enforcement activity and account verifications. This information is retained by them based on state and federal regulations.
2. To complete transactions you initiate: You cannot limit this access without limiting the transactions we perform for you.
We provide our lending support provider with contact and loan information on members with a vehicle loan with us. This is limited to contact, loan and insurance information on members with a collateralized loan with us. They store this information on their servers for the life of the loan.
We provide our IRA administrator with information needed to administer member IRAs. This is limited to contact information and information about IRAs on members with an IRA at the credit union. They retain this information on their servers as long as the IRA is active and as needed to tax reporting.
We provide our correspondent financial institution with the information needed to process wire transfers, ACH transactions and drafts. This is limited to information needed to process these transactions on members using these products including contact information, account numbers and transaction details. This information is retained as required by state and federal regulations.
We provide our plastic card supplier with data needed to print debit and credit cards. This is limited to contact information and information encoded on the card on members with a card product. This information is retained for as long as we have this relationship with them.
Our shared branching provider retrieves data from our servers as needed to process transactions for our shared branching system. Limited to information needed to process the transaction on members using this product. Only name and account number information are retained on their servers as needed for reporting and error resolution.
We also retrieve data from other credit unions as need to process transactions for their members. Name, account and transaction details are retained by us as needed for reporting and error resolution. If you request a shared branching transaction at another credit union, they will retrieve data from us as needed to process your transaction. This information is retained by them as needed for reporting and error resolution.
We provide this transaction processor with the information needed to process Automated Clearing House (ACH) transactions originated with us and as needed to verify or correct information on ACH transactions originated by other financial institutions on accounts with us. This is limited to name, account number and transaction details. This information is retained by them based on federal regulations.
We provide our check printer with data needed to print drafts/checks for members. This is limited to contact information and information encoded on the check on members with a draft account. This information is retained on their servers as long as we have this relationship with them.
Our core processor stores all data and processes all transactions related to your accounts with us. This includes processing debit and credit card transactions and providing internet banking, mobile banking and bill pay services. This information is retained on their servers as long as is necessary to comply with regulations and to provide services to you.
We provide this loan processor with data needed to process loans using their product. This is limited to contact and loan information on members using this product. This information is retained on their servers for the life of the loan.
We provide account number and truncated PII to an internet service provider to allow members to authenticate for their services. This information is retained on their servers for as long as we have this service with them.
We provide information to other financial institutions that is needed to complete specific transactions. The transactions include wire transfers, shared branching activity, ACH originations and account verifications. Information is retained on their servers per the policy of that institution.
3. To detect and prevent fraud and other illegal activities: You cannot limit this type of access.
We provide one consumer reporting agency with contact information and account information on members who have caused a loss to the credit union on a checking or other deposit account and members who have recently opened an account with us. They retain this information on their servers indefinitely.
We provide two consumer reporting agencies with contact information and credit performance on members with a lending relationship with the credit union. They retain this information on their servers indefinitely.
4. To comply with court orders or other legal proceedings: You cannot limit this type of access.
We provide law enforcement agencies and law firms with information specifically required to comply with a court order. This information is retained indefinitely and is generally in the form of paper documents.
5. To market our products and services to you: You can limit some of this type of access by notifying us in writing.
We provide various marketing partners with contact and other information needed to market our products to our members. This information is retained on their servers only as long as needed to produce the marketing campaign.
6. To market third-party products and services to you: You can limit this type of access by notifying us in writing.
We provide two marketing partners with contact and other information needed to market insurance products to our members. This information is retained on their servers only as long as needed to produce the marketing campaign and to service members that choose their products.
WHAT EFFECT DOES CLOSING YOUR ACCOUNT HAVE ON THE DATA WE KEEP ABOUT YOU?
Information on closed accounts is retained as required by state and federal regulations. Some information is retained indefinitely. However, sharing of most information is stopped once an account is closed.
WHAT CAN YOU DO IF YOU THINK THERE WAS UNAUTHORIZED ACCESS TO YOUR INFORMATION?
Notify us as soon as you become aware of the unauthorized access. You should, also, notify local law enforcement.
WHAT CAN YOU DO IF YOU HAVE MORE QUESTIONS?
Contact us by phone at 307-432-7400, by email at firstname.lastname@example.org or in person at 120 West Carlson Street.