CornerCap collects nonpublic personal information about clients from the following sources: Information received from clients on applications and other forms; information about clients’ transactions with CornerCap, CornerCap’s affiliates, or others; and information CornerCap may receive from a consumer-reporting agency.
CornerCap does not disclose any nonpublic personal information about clients or former clients to anyone, except as permitted by law. CornerCap restricts access to nonpublic personal information about clients to those employees who need to know that information to provide products or services to clients. CornerCap maintains physical, electronic, and procedural safeguards to guard clients’ nonpublic personal information.
A. CornerCap may collect nonpublic personal information about CornerCap’s clients and potential clients from the following sources:
1. Information received from account applications, questionnaires, interviews, information forms and other client interactions;
2. Information about transactions with CornerCap, CornerCap’s affiliates, or others; and
3. Information CornerCap obtains or receives from a consumer reporting agency.
All client information is to be maintained in CornerCap’s records and/or stored on appropriate electronic media. Information from potential clients may be stored in temporary files, but shall be subject to the same restrictions and limitations as other records outlined below.
B. CornerCap personnel will not share or disclose nonpublic information regarding any client or potential client of CornerCap, except (i) as necessary to service client accounts including, without limitation, the settlement, billing, processing, clearing, or transferring of client transactions; (ii) as directed by a client; or (iii) as otherwise allowed by law. Access to all client records and information, whether in paper or electronic format, is limited to CornerCap personnel for the purposes of servicing client accounts.
C. With prior approval from the CCO, CornerCap’s personnel may remove client records or information from CornerCap’s premises overnight or over a weekend when necessary to service client accounts.
D. CornerCap will provide individual clients with a privacy notice (the “Privacy Notice”) when the client engages CornerCap for advisory or other services. The Privacy Notice shall detail the types of nonpublic client information CornerCap collects, the information CornerCap shares with third parties or with affiliates, the kinds of third parties with which CornerCap shares information, the policies and practices CornerCap has in place to protect the confidentiality and security of nonpublic client information; and the procedures CornerCap has in place to permit clients or potential clients to opt-out of information sharing arrangements with third parties (inapplicable to CornerCap so long as CornerCap only shares information with third parties for purposes of servicing client accounts).
E. CornerCap distributes a current Privacy Notice on all quarterly reports sent to its clients, and thus most clients receive a Privacy Notice more than once per year. CornerCap maintains a list of all individual clients who do not receive quarterly reports and sends each such client an updated copy of the Privacy Notice on or before July 1 of each year, even if the policy has not changed since the previous year.
F. Privacy Notices shall be sent by mail unless otherwise requested by the client, and may be included in a quarterly report, newsletter or other client mailing.
XV. IDENTITY THEFT PREVENTION POLICY
CornerCap has adopted the following procedures to help ensure that the identities of its clients are not misappropriated.
A. CornerCap considers the following to be “Red Flags” that a client’s identity may have been misappropriated:
1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
2. The presentation of suspicious documents;
3. The presentation of suspicious personal identifying information, such as a suspicious address change;
4. The unusual use of, or other suspicious activity related to, the client’s account; and
5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with the client’s account.
B. CornerCap will attempt to detect such Red Flags by, among other ways:
1. Obtaining identifying information about and verifying the identity of, a person opening an account; and
2. Authenticating clients, monitoring transactions, and verifying the validity of change of address requests.
C. In the event that a Red Flag is detected, CornerCap may implement one or more of the following responses:
1. Monitoring the client account for evidence of identity theft;
2. Contacting the client;
3. Changing any passwords, security codes or other security devices that permit access to the client account;
4. Not opening a new client account;
5. Closing an existing client account;
6. Notifying law enforcement; or
7. Determining that no response is warranted under the particular circumstances.
D. CornerCap will ensure that all service providers engaged to perform services for client accounts have reasonable policies and procedures in place that are designed to detect, prevent, and mitigate the risk of identity theft.
E. The CCO is responsible for implementing this policy and for ensuring that it is being properly executed. In the event that the CCO determines that this policy is not being properly implemented, the CCO will arrange appropriate training for some or all CornerCap Employees.
F. The CCO will review this policy on an annual basis to determine whether there have been any changes in the risks of identity theft or changes within CornerCap that may require an update of this policy.