Privacy and Safeguarding Customer Information Policy

Purpose

This policy reaffirms the Bank of Hazelton’s realization and respect for the privacy expectations and rights of our customers regarding financial information and other related information which the bank has or gathers in the normal course of business. It is intended to provide a framework for compliance with federal law and regulation, provide guidance to bank personnel, and provide assurance to our customers.

Definitions

The terms employee and employees as used in this policy statement include all directors, officers, and employees of the bank as well as any attorneys, agents, or outside vendors who become privy to customer information.

Consumer generally means on who seeks a financial product or service from a
financial institution (for example, a loan applicant).

Customer means one who has established a “continuing relationship” with a financial institution (for example, an approved loan applicant who signs a note would become a customer).

Nonpublic personal information means personally identifiable financial information. This includes all information provided by a consumer, including name and address. This does not include consumer information on a list from which a consumer cannot be identified.

Responsibility

The board is ultimately responsible for all policies of the bank. The board directs management and employees to implement this policy and/or supervise its execution.

Privacy Principles

The bank recognizes the following elements of its privacy policy, which have become standard within the banking industry:

1. Recognition of customer’s expectation of privacy
2. Use, collection, and retention of customer information
3. Limiting employee access to information
4. Protection of information via established security procedures
5. Restrictions on the disclosure of account information
6. Maintaining customer privacy in business relationships with third parties
7. Disclosure of privacy policies to customers
8. Respect of the customer’s decision to opt out, if this is available to our customers under the regulation

Recognition of Customer’s Expectation of Privacy

Customers of the bank are entitled to the assurance that their non-public personal information, which the bank has obtained through various means, will be treated with the highest degree of confidentiality and respect. Certain expectations of privacy also contain legal rights of customers which are either granted or confirmed to them through various federal and state laws and regulations. All employees are directed by this policy to assure customers of the bank’s commitment to preserving the privacy of their information.

Use, Collection, and Retention of Consumer Information

It is the policy and practice of the bank to collect, retain, and use information about consumers and customers only where the bank reasonably believes the gathering of such information would be useful and allowed by law to administer the bank’s business and/or to provide products, services, or opportunities to its customers.

The bank collects information as part of the process of providing financial services to our consumers and customers. The bank collects information in the following ways:

1. face to face interaction
2. telephone
3. credit reports
4. lien searches from County Recorders and Secretary of State

The bank retains consumer and customer information in the following ways:

1. hard copy files secured in fire resistant and locked files
2. electronic files secured in fire resistant and locked files
3. electronic files secured on computers that are password protected

Limitation on Employee Access

Management will take all steps necessary to ensure that only employees with a legitimate business reason for knowing personally identifiable customer information shall have access to such information. To the extent practicable, access will be limited by computer access codes and granting limited access to areas in which sensitive customer information is retained. Employees will be informed at the time of their initial employment of these standards and periodically reminded of these standards during training sessions. Willful violation of this element of this policy will result in disciplinary action against the offending individual. Inadvertent violations will be dealt with in a manner to ensure that such violations are not repeated.

Protection of Information

The bank will maintain appropriate security standards and procedures to prevent unauthorized access to customer information. Such procedures should prevent access by not only unauthorized employees, but others as well. Such others include but are not limited to all non-employees with otherwise legitimate reasons for being on bank premises, computer hackers, and all intruders on bank premises.

Bank personnel will protect hard copy files of information by the following:

1. put customer files or information in the secure file cabinets or vault when not using them
2. cover or secure customer files or information when another customer enters their office or work area
3. if disposing of hard copy information – make sure that they are shredded
4. if disposing of computer media – destroy the media
5. if disposing of computers – hard drives are either destroyed or reformatted
6. all computers are password protected
7. there are adequate firewalls to prevent hacking into our computer system
8. customer information either in hard copy or electronic format shall remain on premises unless authorized by management

Business Relationships with Third Parties

If the bank is requested to provide personally identifiable information to a third party and that request is in all respects consistent with other elements of this policy, the bank will accede to the request only if the third party agrees to adhere to similar privacy principles, no less stringent than set forth in this policy, that provide for keeping such information confidential.

Disclosure of Privacy Principles to Customers

Disclosure of the privacy notice shall be provided to customers before account opening, and then annually. The bank will also re-disclose to all customers should the bank’s privacy policy change.

General Restriction on the Disclosure of Customer Information

The bank will not, except in cases allowed under the law, reveal specific information about customer accounts or other nonpublic personal information to any nonaffiliated third parties.

Exceptions for Service Providers and Joint Marketing

The bank may provide nonpublic personal information about a consumer to a nonaffiliated third party to perform services for the bank or functions on the bank’s behalf, if the bank:

1. Enters into a contractual agreement with the third party that:
   1. Requires the third party to maintain the confidentiality of the information to at least the same extent that the bank must maintain that confidentiality and
   2. Limits the third party’s use of the information solely to the purpose for which it is disclosed or otherwise permitted.

Exceptions for Processing and Servicing Transactions

The bank may disclose nonpublic personal information to service providers and joint marketing for the following:

1. As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer                             
2. To service or process a financial product or service requested or authorized by the consumer
3. To maintain or service the consumer’s account with the bank

Other Exceptions to Notice

The requirements for initial notice and for service providers and joint marketing do not apply when a bank discloses nonpublic personal information in the following circumstances:

1. For the following  protective or legal situations:
   1. To protect the confidentiality or security of the bank’s records pertaining to the consumer, service, product, or transaction
   2. To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability
   3. For required institutional risk control or for resolving consumer disputes or inquiries
   4. To persons holding a legal or beneficial interest relating to the consumer
   5. To persons acting in a fiduciary or representative capacity on behalf of the consumer
2. To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the bank, persons that are assessing the bank’s compliance with industry standard, and the bank’s attorneys, accountants, and auditors
3. To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety
4. To a consumer reporting agency in accordance with the Fair Credit Reporting Act or from a consumer report reported by a consumer reporting agency
5. In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of that business or unit
6. To comply with federal, state, or local laws, rules, and other applicable legal requirements, specifically:
   1. To comply with properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities
   2. To respond to judicial process or government regulatory authorities having jurisdiction over the bank for examination, compliance, or other purposes as authorized by law

Employee Education and Training

Management is directed to provide a copy of this policy to all bank employees and have all bank employees initial this original policy. At least once during the calendar year, the bank will conduct a meeting of all employees during which matters affecting customers’ rights to privacy will be discussed.

Record Keeping and Reporting

Management will maintain a separate file for the purpose of retaining any customer complaints which relate to this policy. The information regarding any complaints should include the exact nature of the complaint, describe the corrective actions taken, and confirm that the corrective actions resolved the complaint.

Management will make an annual report to the board concerning customer complaints which shall include the frequency and nature of such complaints and corrective actions taken. Complaints of a nature sufficient to present a risk of regulatory enforcement action and/or civil money penalties are required to be reported if and when they occur.

Review of Policy

The board of directors will make a review of this policy at least once each year and make any revisions and amendments it deems appropriate.

Approved June 5th, 2013 by the Board of Directors