This document (“Policy”) governs the oversight of privacy of nonpublic personal information (“NPI”) gathered by ATX Funding Strategies, LLC (“Moby Cap”) in connection with WebBank’s (“Bank”) lending program.
As financial services professionals entrusted with sensitive financial information, we respect the privacy of our customers and are committed to treating customer information responsibly. We are dedicated to protecting confidential information and have established standards and procedures to safeguard that personal information.
Except where specifically addressed herein, this Policy follows the Roles and Responsibilities, Training, Monitoring and Testing, Issue Management, and Document and Record Retention sections in the Compliance Management System Policy (“CMS”).
The purpose of the Policy is to ensure that the risks related to NPI are understood and managed in a systematic fashion that is compliant with Bank policy, applicable laws, regulations and guidance, and serves the best interests of Moby Cap, the Bank and their customers.
This Policy applies to the privacy of all NPI associated with all Bank products or services provided by Moby Cap in accordance with individual program agreements.
It is the policy of WebBank not to disclose nonpublic personal information about our customers to nonaffiliated third parties except as provided by law.
NPI consists of nonpublic information that is collected in connection with providing a financial product or service. Specifically, it means both:
1. personally identifiable financial information, which includes:
· information a customer provides on an application for a loan or other financial product or service;
· account balance information or payment history;
· information that a customer provides to us (or our agent) that we obtain in connection with collecting on a loan or servicing a loan;
· any information collected through an Internet “cookie”;
· information from a consumer report;
· the fact that a customer is or has been one of our customers or has obtained a financial product or service from us; and
· any information about our customer if it is disclosed in a manner that indicates that the customer is or has been our customer.
2. any list, description, or other groupings of customers that are derived using any personally identifiable financial information that is not publicly available. Lists include, but are not limited to, any list of customers’ names and addresses that is derived in whole or in part using personally identifiable information that is not publicly available, such as account numbers.
Nonpublic personal information does not include information that is available from public sources, such as telephone directories or government records. It also does not include aggregate information or blind data that does not contain personal identifiers.
The Bank and Moby Cap (the “Parties”) will comply with all applicable privacy laws, regulations and guidelines pertaining to disclosure of business customers’ NPI.
The Bank’s regulatory environment establishes shared accountability and responsibility between Moby Cap and the Bank for oversight of the privacy of NPI. Although Moby Cap is responsible for managing the program, the Bank is ultimately responsible for ensuring that the risks arising from these activities are understood and controlled. Therefore, the governance structure of Moby Cap’s Privacy of Nonpublic Personal Information program is designed to enable coordinated planning and execution between the two organizations.
a. Policy and Procedures – The Policy and procedures identified within have been reviewed and approved by Moby Cap’s Executive Management, as well as the Bank, and will continue to be reviewed on an annual basis. The Policy and procedures may be changed only with the prior written consent of both Parties, or by written notice provided to Moby Cap by Bank but without Moby Cap’s prior written consent, to the extent that the Bank determines that such change is required by applicable laws or necessitated by safety and soundness concerns.
b. In addition to obtaining the Bank’s requisite consent, any revisions or updates to this Policy requested by Moby Cap shall be made in accordance with Moby Cap’s Policy Management Policy.
Roles and Responsibilities
Moby Cap’s organization is structured to support a cross-functional and interdependent oversight environment. Moby Cap’s Executive Management is active in strategic planning of the program and review of changes in risk and issues that arise. Moby Cap maintains dedicated compliance personnel with responsibility for the successful execution of the program. Sufficient expertise is maintained within the organization to effectively execute key processes requiring high levels of skill and specialized understanding of regulatory requirements. Sufficient staffing is maintained to ensure all critical risks are assessed and monitored, as needed. Segregation of duties is maintained between functional areas that represent potential conflicts of interest. Communication channels are clearly established between Moby Cap and Bank personnel.
Bank Reporting Requirements
Moby Cap will provide the required reporting to the Bank in the timeframes agreed upon between the Parties. Moby Cap will also provide any required reporting to demonstrate adherence to this Policy in a format and timeframe as deemed reasonable.
The purpose of the issue escalation process is to ensure that Moby Cap’s Executive Management and senior leadership within the Bank are aware of matters requiring management attention and action. All issues identified, including those found by auditors, testing, or other monitoring mechanisms that have an impact on the Bank’s program should be escalated in a form and timeframe as agreed to between the Bank and Moby Cap. For additional information see the Issue Management Policy and associated procedures.
The purpose of the change management process is to ensure that Moby Cap’s Executive Management and senior leadership within the Bank are aware of proposed changes to the program and to ensure that changes are authorized prior to implementation. For additional information see the Regulatory Change Management Policy and associated procedures.
Written procedures are the primary reference for the day-to-day management of the risks associated with NPI. At a minimum, Moby Cap will maintain written procedures for information collection, information sharing, opt-out provisions (if applicable), confidentiality, limits on employee access, unauthorized access by employees, security, record retention and destruction, information about former customers, complete and accurate information, and designation of responsible individual.
The processes listed below constitute the required Program elements as executed day-to-day. Standards, requirements, and execution steps are further defined in supporting procedures.
Information about applicants, customers, guarantors, and the owners or officers of applicants is accumulated in various ways including, but not limited to:
- Loan applications
- Information from a consumer report
We will limit the use and collection of information about our customers to that which is necessary to conduct our business. All Moby Cap employees are responsible for maintaining the confidentiality of customer information.
Limits on Employee Access
Employee access to personally identifiable customer information will be limited to those with a business reason to know such information.
Unauthorized Access by Employees
Disciplinary actions will be instituted against any employee who inappropriately accesses or discloses personally identifiable information of customers.
How We Share Information
Moby Cap continuously strives to maintain the confidentiality and integrity of the personal information in its possession and has instituted measures to guard against unauthorized access to such information. We maintain physical, electronic and procedural safeguards that comply with federal regulations and leading industry practices to safeguard nonpublic personal information. All of our operational and data processing systems are stored in a secure environment. The secure environment protects account information from being accessed by third parties. This secure environment is assured by the partitioning of data and the use of “robust” encryption to prevent “hackers” from changing or manipulating information in electronic files. Even if a “hacker” were able to access the system, they would not be able to obtain certificates that would be necessary to enable them to see any downloaded data. We will continue to enhance our physical, electronic, and procedural safeguards that protect nonpublic personal information as new technologies become available.
Paper records will be stored in a secure location at all times.
Complete and Accurate Information
We will continually strive to maintain complete and accurate information in our customer account files. Should any customer ever believe that our records contain inaccurate or incomplete information about the business, they have been advised to notify us. We will investigate all concerns and correct any inaccuracies in its file.
All personnel with specific responsibilities related to this Policy and the processes in place to mitigate associated risks are appropriately trained within thirty (30) days of the employee’s start date. All affected employees receive refresher training annually or as necessary when changes are made to this Policy and its procedures. Evidence of training is retained and made available upon request.
Monitoring & Testing
Moby Cap maintains appropriate monitoring and testing to reasonably detect and prevent control design or effectiveness failures. In addition, Moby Cap will provide any necessary reporting or data to the Bank in support of its monitoring and testing requirements. The Bank and Moby Cap will work closely to ensure effective coordination and communication of such activities.
Privacy processes are monitored on an on-going basis. Changes related to risk, process or control failures are tracked and managed through an issue tracking system. Issues logged in the system have an owner, issue date, issue description, priority level, Bank risk level and an action plan, including a remediation date. A summary of issues is reported to Moby Cap’s Executive Management and the Bank on a monthly basis as part of the Risk Management Committee’s responsibilities. Issues requiring action or Moby Cap’s Executive Management’s attention are managed through the issue escalation process.
Documentation & Record Retention
All activities supporting adherence to this Policy are documented and retained for review by the Bank, external auditors and federal and state regulators. This includes policies and procedures, risk assessments, monitoring reports, training materials, and issues that are currently open or closed. Records are retained in compliance with the Records Retention Policy and associated procedures.
The unnecessary retention of records may lead to inadvertent misuse. Thus, we will not retain records longer than is useful to the administration of a customer’s relationship or as subject to the retention schedule required by law.
ATX Funding Strategies dba Moby Cap
Attn: Customer Service Department
1700 S Lamar Blvd, Ste 331
Austin, TX 78704