The Conference of State Bank Supervisors, State Regulatory Registry (“SRR”), and CSBS Education Foundation (“CSBSEF”), (collectively, “CSBS”), have a duty to protect and minimize exposure of personal information – a duty CSBS takes very seriously. This Privacy Notice (“Notice”) covers CSBS’ practices for collecting and processing personal information about individuals including but not limited to its employees, subcontractors/suppliers, and visitors or users of any CSBS website or system (e.g. CSBS.org, NMLS, and NMLS Consumer Access) (collectively and individually, “you”).
This Notice includes the following:
- How and why CSBS collects personal information
- How personal information is used and protected
- When and with whom CSBS may share personal information, and
- What choices you can make about how CSBS collects, uses and shares personal information.
CSBS is committed to managing personal information in accordance with applicable law or regulation.
2 Control of Information
Unless otherwise specified below, personal information you submit to CSBS is controlled by CSBS.
However, any personal information you submit to a State or Federal Regulatory Agency (“Agency” or “Agencies”) through the Nationwide Multistate Licensing System (“NMLS”), or other such system, is considered under that Agency’s control. If such personal information is submitted to more than one Agency, it will be considered under the control of each Agency to which it is submitted and cannot be modified or altered unless and until each Agency has consented to the modification. Once submitted to an Agency, the personal information will be the Agency’s responsibility and subject to Agency-administered privacy policies and public information laws; CSBS and SRR are not responsible for any such personal information.
3 What Type of Personal Information is Collected?
The type of personal information CSBS collects depends on the business relationship CSBS has with you. In general, the type of personal information falls into two categories – personally identifiable information (PII) and non-PII (as further detailed below). Throughout this Notice, reference to “personal information” means either or both PII and non-PII.
In either case, CSBS may process or receive information from third party sources to supplement our records, improve quality of services, or prevent or detect fraud. For example, CSBS may process information from credit reporting agencies in conjunction with license applications through the NMLS.
3.1 Personally Identifiable Information
CSBS defines PII as information that can be used to distinguish or trace an individual’s identity, such as their name, social security number or biometric records, alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual.
The only PII CSBS collects and stores about you is the PII you have chosen to provide. This may include, but is not limited to, name, address, email address, and telephone number.
If you are an employee of CSBS, CSBS will collect the PII you voluntarily provide including, but not limited to, those items listed above and employment history, education, references, affiliations and other relevant information for payroll, benefits and administration.
Additionally, if you wish to register on CSBS websites or systems (e.g. NMLS), you may be required to submit your PII, which may include the fields listed above, and (by way of example only):
- Sensitive PII (e.g. social security number (“SSN”), criminal history record information (“CHRI”), financial account information, and demographic information).
- Communications and documentation regarding licensing and registration (e.g. license status, applicable approvals, denials and amendments).
3.2 Non-Personally Identifiable Information
CSBS collects and uses the types of non-PII listed below to help ensure our websites and services work correctly and to support our analytic efforts.
- Device Information: Internet Protocol (IP) address or the proxy address of your Internet Service Provider (e.g. Comcast, etc.); the type of device used; the type of operating system and browser type; the path you take through our websites; and other information about your session on our websites.
- Browsing Information: Cookies, web beacons and device identifier information may be used to understand the use of our websites. Cookies allow us to provide you relevant information as you use or return to our websites. Web beacons allow us to know if a certain page was visited or an email was opened.
CSBS uses these tools to continuously improve the services CSBS provides you and to ensure your user experience is as expected.
4 How is Your Personal Information Used?
CSBS limits its use of your personal information to your specific needs or requests and to meet business or legal needs in connection with the services it provides.
Some examples include:
- To communicate with you regarding membership, licensing, registration and events.
- To provide customer and operations support including responding to any requests, comments or feedback you provide to CSBS.
- To verify user identity or information for licensing or registration. (e.g. checking data against Agencies databases, the Social Security Administration, or other commercial or regulatory organizations’ databases).
- To comply with laws and government regulations.
- To provide to Agencies for the issuance and maintenance of a license or monitor registration on behalf of Agencies, and disseminate data as required by law or regulation.
- To protect the security and integrity of our websites and our business.
- To facilitate and process payments for services.
- To fulfill tax, reporting and other financial requirements and obligations.
- To administer employee payroll, benefits, tax/regulatory compliance, and other record keeping and administration requirements; and
- To consider applications for employment.
CSBS may combine personal and non-personal information, including information from third party sources. CSBS may also share your personal information with financial services or securities industry regulatory organizations, as permitted by law or regulation.
5 How Does CSBS Share Your Personal Information?
CSBS will not sell, rent or otherwise profit from your personal information. CSBS may share your personal information in limited circumstances, such as to provide our services, when legally required or permitted, or with your consent. CSBS will not share your personal information outside its corporate structure, except in the following circumstances:
Service Providers: CSBS may share your personal information with service providers that help with our business activities, including software developers, software services, billing vendors, payment card processors, and other companies that help us improve our services. CSBS requires all service providers to keep any personal information secure and undergo private, and in some case government, administered background checks. Our service providers are not permitted to use or share your personal information for any purpose other than providing services on our behalf. Your personal information may be stored or processed by our service providers. CSBS does not permit such storage or processing to take place outside the United States.
Legal Requirements: CSBS may share your personal information in other circumstances, which include situations when sharing is required by law, or CSBS believes sharing will help to protect the safety, property or rights of CSBS, our partners, our members, or other persons. Examples include:
- Responding to an investigative body in the case of a breach of an agreement or violation of law;
- Responding to a search warrant or other valid legal inquiry;
- Preventing harm to persons or property;
- Identifying or addressing fraud or financial or security risks;
Business Transfers: In the event all or a part of CSBS is merged, sold or reorganized (including transfers made as part of insolvency or bankruptcy proceedings), personal information about you could be shared with the successor business. CSBS will use reasonable measures to help ensure that any successor treats your personal information in accordance with this Notice.
Regulatory or Government: CSBS has information sharing agreements with Agencies and other financial and securities industry regulators to aid in compliance with applicable laws and regulations. As a result, CSBS may copy, process, store, use or manipulate your personal information and other information stored in its systems (e.g. NMLS) for the purpose of disseminating such information, in accordance with such agreements. CSBS is diligent in ensuring such agreements account for the protection of personal information by the Agencies or other such partners.
In addition, your personal information, but not sensitive PII, may be made available to the public as required or permitted by law or regulation (e.g. providing certain data on NMLS Consumer Access as required by the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (12 U.S.C. 5101, et seq)(“SAFE Act”)).
Training and Discussion Sites: From time to time, CSBS might offer online or in-person training sites, chat rooms or other such discussion sites. Keep in mind that if you choose to post in such sites, you may be revealing your personal information to the public. If you do not wish to share your personal information, you should not include any personal information in your postings or you should refrain from using the training or discussion sites. By using such training or discussion sites, you acknowledge that CSBS has no control over what third parties may do with the personal information you share in those sites.
With Your Consent: In any circumstance other than those described above, CSBS will ask for your affirmative consent before it shares your personal information outside CSBS, and CSBS will not sell, rent or otherwise profit from your personal information.
6 What Are Your Choices?
CSBS provides you the following choices regarding the use of your personal information.
- You may choose not to provide us with any personal information.
- You may set your browser to not accept cookies, or to warn you when a cookie is being placed on your computer. If you choose to not accept cookies, however, your ability to navigate on CSBS websites may be hindered.
- If you would like to unsubscribe from any of our services or would like us to remove you from any of our online mailing lists, please send an email to firstname.lastname@example.org with the title “Unsubscribe” and give a brief explanation.
- You may choose to not have your personal information shared by contacting email@example.com. However, if you choose to not have your personal information shared with the parties mentioned above or in the ways mentioned above, please do not submit your personal information to any CSBS website.
NMLS users have the same choices. However, NMLS may require the collection of sensitive PII (e.g. SSN, credit report, or criminal history). Your specific consent to the collection of this sensitive PII will be requested prior to the collection of that information. If you do not wish to have it collected, you may decline but it will impact your ability to use NMLS, acquire the applicable license or registration, and/or adhere to the legal requirements of the licensing body (State or federal agency). SRR does not share such sensitive PII with any third parties unless specifically required by law, regulation or contractual obligation.
7 How Do You Access and Update Your Personal Information?
On CSBS.org, you may access the personal information CSBS has collected about you and correct any inaccuracies by logging in and clicking on the “update profile” link.
NMLS users may access and update their personal information through the User Profile section of NMLS or by contact the NMLS Call Center at 1-855-665-7123.
8 How Does CSBS Secure Your Personal Information?
CSBS is committed to securing your personal information on each of its websites and/or systems that collect or retain your personal information. CSBS uses commercially reasonable efforts to prevent from unauthorized access, use or disclosure the personal information submitted to and collected through our websites and/or systems that collect or retain your personal information. CSBS requires that its third-party service providers implement security policies and procedures at least as stringent as those used by CSBS. However, CSBS is not responsible for the unauthorized access, use or disclosure of any personal information by a third party.
9 How Will CSBS Respond in the Event of a Security or Privacy Breach?
In the event CSBS becomes aware of a security or privacy breach which it believes has resulted or may result in the unauthorized access, use or disclosure of your sensitive PII (e.g. SSN, CHRI), CSBS will promptly investigate the matter and notify the applicable individuals and/or Agencies of such breach. The investigation and notification will be without delay while also taking into consideration: (1) legitimate needs of law enforcement; (2) measures necessary to determine the scope of the breach; (3) efforts to identify the individuals affected; and (4) steps to restore the reasonable integrity of the applicable website(s) and/or system(s) that collects or retains personal information.
CSBS will work diligently with all applicable Agencies to coordinate notification of affected individuals and any other parties of any breach, in accordance with applicable law or regulation. Responsibility for notifying affected individuals and other third parties of any breach will be in accordance with agreements between CSBS, the Agencies, and applicable law or regulation.
10 What Are Your Privacy Protections for Specific Types of Personal Information?
In addition to this Notice, CSBS may have specific privacy notices for the collection of specific types of personal information. For example:
- Through NMLS, the collection of sensitive PII, such as criminal history record information and credit report information, for certain licensing actions requires a specific privacy notice. Those privacy and/or consent notices are available through the following sites:
- CSBS may use or link to other sites or third parties may link to a CSBS website. CSBS is not responsible for the content or practices of any other sites. This Notice only applies to the websites of CSBS and its affiliates, as noted in the introduction. If, through a CSBS website, you are taken to a third party’s website, CSBS encourages you to review their privacy statements.
11 Who Can I Contact at CSBS about the Privacy Notice?
You can contact our Privacy Officer at firstname.lastname@example.org or by writing to the following address:
Conference of State Bank Supervisors
c/o Chief Privacy Officer
1129 20th Street NW, 9th Floor
Washington D.C. 20036
12 How Will I Know if this Notice Changes?
CSBS will provide additional notice of significant updates. CSBS will post the date our Notice was last updated in Section 14 below.
13 How Does this Notice Apply to Children?
CSBS websites are not targeted to children under the age of 13 and CSBS does not knowingly collect personal information from any child under the age of 13. If CSBS does receive such personal information, CSBS deletes it as soon as it is discovered, provides notification of such to the submitter, and does not use it or share it with third parties.