First Community Bancshares, Inc.
In this Policy, we refer to “our affiliates.” When we do, we mean one or more members of the First Community Bancshares, Inc. family of companies. At present, our affiliated companies are First Community Bank; Peoples Community Bank, a division of First Community Bank; First Community Insurance Services; and GreenPoint Insurance Group. First Community Bank’s affiliate is First Community Wealth Management. When we use words such as “nonaffiliated” or “non-affiliates,” we mean companies that are not part of the First Community Bancshares, Inc. family of companies. In addition, “we,” “our,” or “us” refers to First Community Bancshares, Inc.; First Community Bank; People’s Community Bank, a division of First Community Bank; First Community Wealth Management, an affiliate of First Community Bank; First Community Insurance Services; and GreenPoint Insurance Group.
It is the policy of First Community Bancshares, Inc. (the “Company”) to comply with all federal, state, and local laws and regulations. The purpose of this policy is to set forth the responsibilities of the Board, Management and staff in order to establish acceptable levels of compliance with Regulation P and the Fair Credit Reporting Act (FCRA). Another purpose of this policy is to create a general framework to support, facilitate and enforce reliable practices which are needed to establish a comprehensive privacy program. Additionally, it is the Company’s intention to allow its subsidiaries and affiliated companies to mutually share customer information for all customers not opting out of information and marketing sharing.
STATEMENT OF NEED AND DEFINITION
This policy addresses the privacy matters pertaining to employees of First Community Bancshares, Inc. (the Company) and, as appropriate, its wholly owned subsidiaries, including First Community Bank (the Bank); its affiliate First Community Wealth Management; People’s Community Bank, a division of First Community Bank; First Community Insurance Services; and GreenPoint Insurance Group, as they discharge their customer confidentiality responsibilities.
In order to have an effective privacy program, the following concepts provide general guidance for the Board of Directors, Management, Privacy Officer and staff of the Company:
The privacy program shall be managed and designed to protect the Company from financial and reputation risk;
The privacy program shall be managed and designed in a cost-effective manner that encourages sound business practices;
The privacy program and operational systems shall be implemented in a manner that will cause employees to comply with laws and regulations; and
The privacy program will be an integral part of the way we do business and not a barrier to providing excellent customer service.
The Board of Directors is responsible for general oversight of compliance programs including the privacy program to ensure safe and sound operation of the Company through Management. The Board of Directors ensures that capable management and sufficient resources are in place to administer compliance programs required by various regulatory agencies. It is the duty of the Board of Directors to review and adopt policies and programs that achieve adequate compliance with the privacy laws and regulations.
Management is considered to be those officers who are authorized to administer the overall operation of the affiliated companies and communicate with the Board of Directors. Management is responsible for enforcement of privacy policies adopted by the Board of Directors through formation of adequate frameworks, procedures and support systems. In addition, Management is to ensure competent expertise is available to interpret and control privacy compliance initiatives. Management is to develop and institute efficient and practical means for the Company to meet privacy standards and guidelines. Management will assign staff specific privacy compliance responsibilities (ownership) to make certain policies and procedures are administered sufficiently.
Specific Management or Employee Responsibilities
The Board of Directors and Management maintain a Compliance Committee (“Committee”) which oversees the compliance program and framework and keeps abreast of compliance matters affecting the Company. The Committee includes one member of the Board of Directors serving as Chairman. Other members of management serve on the committee in a regulation owner capacity. The Privacy Officer will be a voting member of the Compliance Committee and will be responsible for reporting activities related to privacy compliance to the Committee on an ongoing basis.
DIRECTOR OF ENTERPRISE RISK MANAGEMENT
Management will designate a Privacy Officer to administer and coordinate the Company’s privacy program. More specifically, the Privacy Officer is responsible for coordinating the privacy framework and assessing its performance through effective means. This Officer serves as regulation owner on matters relating to privacy compliance and assists the Regulatory Compliance Officer in developing and implementing adequate policies, procedures and systems.
Marketing and Advertising
The Privacy Officer will coordinate with the Company’s Marketing Department to ensure advertising and customer communications are conducted within privacy and FCRA guidelines. The Company’s Marketing Department will be responsible for coordinating with the Privacy Officer to develop and deliver appropriate annual privacy disclosure updates.
The Privacy Officer will report to the Director of Enterprise Risk Management. Privacy program matters involving violations of law and regulation are to be reported to the Director of Enterprise Risk Management on a regular basis.
Quarterly, or more frequently if needed, the Privacy Officer shall prepare a report to Management and the Committee regarding the Company’s privacy program, detailing in particular any changes that have been made to the program, any changes in the underlying regulations, and any suggestions for changes in the Company’s privacy policies and procedures. The Committee shall evaluate and recommend any changes to Management and the Board of Directors as deemed necessary.
Monitoring and Audit
The Compliance Officer is responsible for establishing monitoring mechanisms that assess the effectiveness of the privacy program. Compliance monitoring mechanisms are structured in a manner which evaluates functionality of policy and procedure relative to fulfillment of regulatory requirements. Compliance monitoring is performed independently from the Internal Audit Department’s efforts in determining the adequacy of the Company’s privacy program.
It will be the responsibility of the Director of Enterprise Risk Management with input from Management, the Privacy Officer and the Compliance Officer to evaluate privacy compliance risk. The risk evaluation process shall gauge the potential for particular violation(s), the likelihood and frequency of such violation(s), and the estimated damages to the Company if such violation(s) should occur. Taking these risk evaluations into consideration, Management will be required to assign regulatory ownership in relation to applicable policies, procedures, and business practices.
It will be the responsibility of the Privacy Officer to stay abreast of any pending laws or regulations or amendments to existing laws or regulations related to privacy that may impact the Company. The Privacy Officer in conjunction with the Compliance Officer shall make preparations and implement compliance frameworks and systems to address regulatory changes and meet regulatory standards.
It is the intention of the Board of Directors, Management, and staff to operate the Company successfully within the many regulatory guidelines that govern the financial services business. By adopting this policy, the Board of Directors demonstrates its strong commitment to that end. Management will be relied upon to administer and execute steps necessary to maintain an acceptable privacy program. In addition, Management will employ appropriate checks and balances to ensure the tenets of this policy are met.
Approved by First Community Bancshares, Inc. Board of Directors: May 27, 2014