38 JANUARY / FEBRUARY 2018 Brett J. Ashton Partner Krieg DeVault LLP Submit Compliance Connection questions to Joshua A. Myers, Indiana Bankers Association: jmyers@indianabankers.org. Krieg DeVault LLP is a Diamond Associate Member of the Indiana Bankers Association. Article author COMPLIANCE CONNECTION Contracting With A government-authorized vendor Question: Our bank recently received a letter from a third-party vendor claiming to be acting on behalf of the Indiana Department of Revenue, and insisting that we must enter into a contract with the vendor to share information about customers who may owe the state money. We have concerns about the agreement the vendor wants us to sign. Do we have to agree to share the information? Answer: No. Several Indiana banks have received letters and, in some cases, phone calls from a thirdparty vendor named Informatix Inc., advising that the vendor is acting on behalf of the Indiana Department of Revenue (IDOR). Informatix claims that Indiana law requires the contacted bank to enter into a “Financial Institution Data Matching Agreement,” whereby the bank agrees to provide data on customers who are delinquent on their state tax liability. You do not have to sign the boilerplate agreement proposed by the vendor, but you do have a legal duty under Indiana law to provide the IDOR with information about customers who are delinquent on both their state income taxes and child support obligations. • Indiana Code § 6-8.1-8-8.7(b) provides: “Each financial institution doing business in Indiana shall provide information to the department on all individuals: (1) who hold one (1) or more accounts with the financial institution; and (2) upon whom a levy may be issued by the department or a county treasurer.” • Indiana Code § 6-8.1-8-8.7(c) provides: “To provide the information required under subsection (b), a financial institution shall do one (1) of the following: (1) Identify individuals by comparing records maintained by the financial institution with records provided by the department by: (A) name; and (B) either: (i) Social Security number; or (ii) tax identification number. (2) Comply with IC 31-254-31(c)(2). The child support bureau established by IC 31-25-3-1 shall regularly make reports submitted under IC 31-25-4-31(c)(2) accessible to the department or its agents for use only in tax judgment and levy administration.” Banks should consider their obligation to preserve the confidentiality and data security of customer information before contracting with a vendor such as Informatix, and carefully review any agreement for compliance with the Interagency Guidelines Establishing Information Security Standards,* and all laws and regulations contemplated therein. While the IDOR has contracted with Informatix to collect the required customer information from banks, neither the IDOR nor Indiana state law require banks to enter into the boilerplate agreement that has been presented to many Indiana banks. The Indiana Department of Financial Institutions (IDFI) is working with the IDOR to ensure that any agreement proposed by Informatix will account for bank’s compliance obligations under federal data security and privacy laws. If you are contacted by a vendor on behalf of the IDOR, claiming you are required to enter into a boilerplate agreement, check with the IDFI, or contact your bank counsel to ensure the agreement does not run afoul of state or federal laws. HB * “Interagency Guidelines Establishing Information Security Standards” (12 CFR 364, appendix B;12 CFR 30, appendix B; 12 CFR 225, appendix F) This information is provided for general education purposes and is not intended to be legal advice. Please consult legal counsel for specific guidance as to how this information applies to your institution’s circumstances or situation.
RkJQdWJsaXNoZXIy MTg3NDExNQ==