• Privacy & Security

  • Last Updated January 1, 2020

    1. ABOUT THIS PRIVACY STATEMENT
    2. HOW WE COLLECT, USE AND SHARE PERSONAL INFORMATION
    3. ADDITIONAL INFORMATION ABOUT ONLINE INFORMATION
    4. CHOICES RELATED TO HOW WE USE PERSONAL INFORMATION
    5. HOW WE PROTECT THE CONFIDENTIALITY AND SECURITY OF YOUR PERSONAL INFORMATION
    6. CALIFORNIA CONSUMER PRIVACY ACT – RIGHTS FOR CALIFORNIA CONSUMERS

    CIT Group Inc. and its Affiliates (as defined below) (collectively "CIT," "we," "us," or "our") respect your privacy and are committed to treating and using Personal Information (as defined below) about you responsibly.

    I. ABOUT THIS PRIVACY STATEMENT

    This Privacy Statement ("Statement") explains how CIT collects, uses and shares Personal Information, from or about you in connection with CIT products and services, as well as when you use CIT’s websites or mobile applications that link to this Statement (each, a “Site”, and collectively, “Sites”).

    Throughout this Statement, we refer to "Personal Information", which means information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with you or your household. Personal Information does not include Public Information (for example, information from federal, state or local government records), Aggregated Information (information relating to multiple individuals that has been combined and grouped together, resulting in a data set that contains no personal information) or De-identified Information (information that is not attributable to an identified or identifiable individual).

    This Statement also describes certain rights that California Consumers have under the California Consumer Privacy Act of 2018 (“CCPA”) with respect to their Personal Information. A “California Consumer” is a natural person who resides in California. For further information, please reference the “ VI. CALIFORNIA CONSUMER PRIVACY ACT – RIGHTS FOR CALIFORNIA CONSUMERS” on page 4.

    If you are an individual and have a CIT financial product or service for your personal, family or household purposes, please see our CIT Consumer Privacy Notice for additional details about how we use and share Personal Information that we collect in connection with providing you those financial products or services.

    CIT operates general audience Sites that are accessible to the public. Our Sites are not intended for children under 16 years of age. We do not knowingly market our products or services to children, nor do we knowingly collect or sell Personal Information from children under 16 years of age.

    II. HOW WE COLLECT, USE AND SHARE PERSONAL INFORMATION

    How we collect Personal Information

    The types of Personal Information we collect depends on your interaction with us, including the types of products or services you applied for or use. We, or entities that we contract with to provide services to support our business and delivery of our products and services (“Service Providers”), may collect Personal Information:

    • Directly from you, such as when you apply for or obtain one of our products or services, or if you apply for a job with CIT;
    • From financial and non-financial companies related by common ownership or control (our “Affiliates”), based on your relationship with them and as permitted by law; and/or
    • From other entities that we work with who are not Service Providers (“Third Parties”), such as credit bureaus.

    We (or our Service Providers) may also collect Online Information, such as IP address, browser or device information, or other information about you indirectly through interactions with our Sites or ads, such as:

    • The types of devices you use to visit our Sites and interact with us;
    • Your device’s browsing history on our Sites;
    • Information about the ads or content from us (or our service providers) that you view, access or click on; or
    • The location of the device you use to visit our Sites (with your consent)

    Though Online Information may not, alone, reveal your specific identity, some of this information may be used or associated with Personal Information, or may itself be considered Personal Information. Please see Section III for more information.

    How we use Personal Information

    We (or our Service Providers) may use Personal Information for the following business purposes:

    • To deliver products, information, or services, that you may request, including to:
      • complete transactions;
      • provide account services;
      • recognize and remember you when you visit our Sites;
      • improve our Sites and make them easier to use;
      • notify you about updates to your accounts, products, and/or services;
      • perform quality assurance activities that maintain the quality of services provided to you; or
      • respond to your inquiries.
    • To provide advertising about our products and services including:
      • sending marketing materials inclusive of special offers, email notifications, or other notices regarding CIT’s products, services, or news; or
      • presenting personalized content or tailored ads that may relate to your interests and/or location.
    • To manage security risks and prevent fraudulent activity, including to:
      • detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activities;
      • debug to identify and repair errors that may impair existing intended functionality;
      • verify your identity such as when you apply for an account or access our online/mobile services; or
      • assess your creditworthiness, including obtaining credit reports if you apply for credit or apply for a financial product or service.
    • To conduct employment-related activities at CIT, including to:
      • perform background checks;
      • deliver employee benefits programs; or
      • contact references you provide during your application process.
    • To perform other activities, as permitted or required by law including:
      • to perform internal research;
      • in connection with litigation;
      • to comply with regulatory record retention requirements; or
      • for audit purposes within our organization. 

    How we share Personal Information

    We may share your Personal Information, as permitted or required by law with:

    • CIT Affiliates;
    • Service Providers;
    • Regulatory authorities or governmental agencies to meet regulatory or legal requirements; or
    • Third Parties, with your consent or as permitted by law.


    III. ADDITIONAL INFORMATION ABOUT ONLINE INFORMATION

    Online Information

    When you visit or browse our Sites, we may collect Online Information as described in Section II of this Statement. The purpose of collecting this information is to improve the effectiveness of our Sites and product offerings. The collection of this information allows for the compilation of anonymous and Aggregated Information about the usage of our Sites and can help us improve your use of our Sites, for example, providing quick login, streamlining site navigation and maintaining up-to-date content for all users. Should you configure your browser to reject Cookies, you may disable some of our online service's features.

    Online Behavioral Advertising, “Cookies”, and Similar Technologies

    CIT and our digital Service Providers (e.g. ad network or agency) may use Cookies, mobile advertising identifiers, and other information for the purposes of delivering tailored advertising to you on other party websites. “Cookies” are pieces of data stored by your browser and used by web servers to uniquely distinguish your browser from all others and remember your browser over time, including preferences and other information. We and our Service Providers may also use Web Beacons with or without Cookies for various purposes, including analytics and targeting interest-based advertising. “Web Beacons” are small image files that are loaded when a web page or other online resource is processed by your browser (including when emails are opened). If you click on one of our ads on another party’s website, Cookies may also be used to track the effectiveness of our online advertising and for the purposes of delivering ads that may be relevant to you in the future.

    Links to Other Sites and Other Privacy Policies

    Our Sites may contain links to other party websites. When you click on these links, you may be providing information, including Personal Information, to the other party, us, or both. CIT has no control over the privacy practices or content of these linked websites, so we recommend that you carefully review the privacy policies or statements of every other party website that you visit.

    IV. CHOICES RELATED TO HOW WE USE PERSONAL INFORMATION

    You have choices about how we use your information, including what kinds of marketing you want to receive from us.

    You can opt-out of having our Service Providers use your web browsing behavior for purposes of serving interest-based advertising by opting out here. You may still see some of our untailored ads, but these will not be served to you based on your inferred interests or web browsing activity on our online services. Please note this opt-out works via Cookies, so if you delete Cookies, use a different device, or change web browsers, you will need to opt-out again.

    You can also opt out of receiving marketing offers via email, telephone or direct mail. Every offer will include instructions on how to opt out, or if you prefer, please send your opt-out request to privacy.questions@cit.com. We will still contact you for transactional purposes, such as to service your account or respond to an inquiry.

    Do-Not-Track-Signals

    We currently do not employ technology that changes how our servers treat your browser if our servers receive a "do-not-track" signal from your browser.

    V. HOW WE PROTECT THE CONFIDENTIALITY AND SECURITY OF YOUR PERSONAL INFORMATION

    CIT uses reasonable physical, electronic, and procedural safeguards to protect Personal Information from unauthorized access, deletion or alteration. As part of our security practices, CIT does not send requests for Personal Information to our customers via e-mail or texts. Any Personal Information you request CIT to send you via email, such as your account balance, is encrypted. However, standard email communications are not. Therefore, you should not transmit your Personal Information to us through email. Please note that no company can guarantee perfect online security, and please remain careful and vigilant in your online activities.

    VI. CALIFORNIA CONSUMER PRIVACY ACT – RIGHTS FOR CALIFORNIA CONSUMERS

    The CCPA requires us to make certain additional disclosures and provides California Consumers with the ability to request additional information about their Personal Information. This section explains these rights and describes how California Consumers may submit a request to exercise those rights.

    Please note that the rights under the CCPA do not apply to Personal Information collected, processed, sold or disclosed pursuant to:

    • Gramm-Leach-Bliley Act (Public Law 106-102), the federal privacy regulation. Generally, this will apply to any Personal Information obtained in connection with CIT financial products or services that are used primarily for personal, family or household purposes; or
    • Fair Credit Reporting Act (12 CFR 1022). Generally, this will apply to Personal Information related to credit history or credit worthiness.

    Categories of Personal Information We Collected Recently

    In the 12-month period prior to the date of this Privacy Statement, CIT or our Service Providers have collected the following categories of Personal Information, which we may have shared for a business purpose, as permitted or required by law:

    Category of Personal Information collected in the previous 12-months Was the Personal Information shared for a business purpose*?
    Identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Yes
    Category of Personal Information collected in the previous 12-months (continued) Was the Personal Information shared for a business purpose*?
    Certain, sensitive types of Personal Information, such as gender, age, marital status Yes – only with our Service Providers to the extent necessary for a business purpose
    Commercial information, such as records of personal property, products or services purchased Yes
    Audio, electronic, visual, thermal, olfactory, or similar information, such as phone recordings; ATM and in-branch video monitoring Yes
    Internet or other electronic network activity information, including, but not limited to browsing history, search history, geolocation data (with your consent) and information regarding your interaction with our Sites, collectively “Online Information” Yes
    Professional or employment-related information, such as job title, employer name, or languages Yes
    Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)), such a school name, number of years attended Yes – only for applicants of employment and employees
    Inferences drawn from Personal Information to create a consumer profile that may reflect consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes Yes

    *For more information on our sharing practices and the related business purposes, please reference Section II of this Privacy Statement above.

    Your rights under the CCPA

    The CCPA grants California Consumers various rights around the Personal Information that is collected about them. The rights are explained in further detail below:

    1. Right to Know About Personal Information Collected and/or Disclosed
      California Consumers have the right to request information about their Personal Information that CIT has collected in the preceding 12 months. Upon our receipt of a verifiable request from you, we will disclose the following information:
      1) The categories of Personal Information we have collected about you.
      2) The categories of sources from which the Personal Information was collected.
      3) The business or commercial purpose for collecting your Personal Information.
      4) The categories of third parties with whom we share your Personal Information.
      5) The specific pieces of Personal Information we have collected about you.

    2. The CCPA allows California Consumers to submit a maximum of two (2) requests in any 12-month period.

    3. Right to Request Deletion of Personal Information
      California Consumers have the right to request that CIT (and any Service Provider) delete any Personal Information about you which we have collected from you. This right to request deletion does not apply to any of your Personal Information that is subject to an exception in the CCPA, for example, where we need to retain the Personal Information to complete a transaction for which the Personal Information was collected, to prevent fraud or to comply with a legal obligation.

    4. Right to Opt-Out of the Sale of Personal Information
      CIT does not sell Personal Information and will not sell Personal Information without providing you with prior notice and an opportunity to opt-out, as required by law.

    5. Right to Non-Discrimination
      CIT does not discriminate against any California Consumer who exercises any of the rights described above. This includes denying goods or services; charging different prices or rates; or providing a different level of service or quality of goods or services.

    How to Submit a Request

    California Consumers can submit a request, by either completing the Online Request Form or by calling us at 1-866-206-2711, Monday through Friday from 8:00 a.m. to 4:30 p.m. PST.

    Submitting a Request through Your Authorized Agent

    California Consumers have the option to designate an authorized agent to submit a request on their behalf. To do this, the authorized agent must select “authorized agent” in the Online Request Form and provide all of the required information, along with proof of authorization in the form of a notarized authorization form, signed by the California Consumer who is the subject of the request. We will also contact the California Consumer directly to verify the request.

    We will respond to requests within 45 days and will notify the requester if we need additional time.


    Changes to this Statement

    This Statement is subject to change. If we make changes to this Statement, we will revise the “Last Updated” date at the top of this Statement. Your use of the Site means that you accept the terms of this Statement.

    Any dispute related to this Statement will be governed by our Terms of Use.

    Contact for More Information

    If you have questions or concerns about CIT’s privacy practices or this Statement, please email us at privacy.questions@cit.com.


    Last update: March 2020 

    Download Privacy Notice

    FACTS WHAT DOES CIT Bank N.A. (“CIT”) DO WITH YOUR PERSONAL INFORMATION?
    Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.
    What?

    The types of personal information we collect and share depends on the product or service you have with us. This information can include:

    • Social Security number and income
    • account balances and payment history
    • transaction history and credit history

    When you are no longer our customer, we continue to share your information as described in this notice.

    How? All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons CIT chooses to share; and whether you can limit this sharing.
    Reasons we can share your personal information Does CIT share? Can you limit this sharing?
    For our everyday business purposes - such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus Yes No
    For our marketing purposes - to offer our products and services to you Yes No
    For joint marketing with other financial companies No We don't share
    For our affiliates' everyday business purposes - information about your transactions and experiences Yes No
    For our affiliates' everyday business purposes - information about your creditworthiness No We don't share
    For non-affiliates to market to you No We don't share
    Questions?

    Call 1-866-206-2711 or go to www.cit.com/privacy 

    Who we are
    Who is providing this notice? CIT Bank, N.A. and its OneWest Bank and CIT Bank Residential Servicing divisions.
    What we do
    How does CIT protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. Measures include computer safeguards and secured files and buildings.
    How does CIT collect my personal information?

    We collect your personal information, for example, when you:

    • open an account or make deposits
    • pay your bills or apply for a loan
    • give us your contact information

    We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.

    Why can't I limit all sharing?

    Federal law gives you the right to limit only:

    • sharing for affiliates' everyday business purposes - information about your creditworthiness
    • affiliates from using your information to market to you
    • sharing for nonaffiliates to market to you

    State laws and individual companies may give you additional rights to limit sharingSee below for more on your rights under state law.

    Definitions
    Affiliates Companies related by common ownership or control. They can be financial and nonfinancial companies.
    • Our affiliates include companies with a CIT name such as CIT Group, Inc.

    Nonaffiliates Companies not related by common ownership or control. They can be financial and nonfinancial companies.
    • We do not share with nonaffiliates so they can market to you.
    Joint marketing A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
    • We do not jointly market.

    Other important information

    California residents: If you are a California resident, we will not share nonpublic personal information about you with our affiliates or any nonaffiliated third party, other than as permitted by law or with your consent.

    Vermont residents: If you are a Vermont resident, we will not share nonpublic personal financial information about you with our affiliates or any nonaffiliated third party, other than as permitted by law, or with your consent.

    Nevada residents: Nevada law requires that we provide you with the following contact information regarding "do- not-call" lists: (a) Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington St., Suite 3900, Las Vegas, NV 89101; Telephone 702-486-3132; email: BCPINFO@ag.state.nv.us; and (b) If you wish to be placed on our internal "do-not-call" list contact CIT Bank, N.A., P.O. Box 7211, Pasadena, CA 91109-7311; Telephone: 800-669-2300; email: Privacy.Questions@cit.com

    The USA PATRIOT Act, a federal law, requires all financial institutions to obtain sufficient information to verify your identity when creating a new banking relationship. You may be asked several questions including your name, address, date of birth, Social Security number or other government-issued identification number, and to provide one or more forms of identification to fulfill this requirement. In some instances, we require other identifying documents and/or use a third party information provider for verification purposes. Our established Privacy Policy helps protect your personal information

    If you suspect an e-mail or website is fraudulent and/or you have been the victim of a fraud scam, unauthorized charges or identity theft, you should immediately report this information to OneWest Bank Customer Contact Center at 1-877-741-9378. You should also contact your local police and request a copy of any police report or case number for reference. In addition, call the three major credit bureaus (Equifax, Experian and TransUnion) to request that a fraud alert be placed on your credit report.

    Common Fraudulent Scams

    Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.

    The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

    The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.

    Tips to prevent BEC:

    • Train and educate employees to recognize common impersonation tactics used by online fraudsters
    • Use two-factor authentication. With two factor authentication users must provide two forms of authentication (usually a password and a unique verification code sent as a text or e-mail)
    • Establish protocols and procedures for wire transfers; always verify the identity of an individual requesting a change of wire instructions via verified phone number or in person

    Both terms involve forged or faked electronic documents. Spoofing generally refers to the dissemination of an e-mail which is forged to appear as though it was sent by someone other than the actual source. Phishing, also referred to as vishing, smishing, or pharming, is often used in conjunction with a spoofed e-mail. It is the act of sending an e-mail falsely claiming to be an established legitimate business in an attempt to deceive the recipient into providing personal, sensitive information such as passwords, credit card numbers, and bank account information after directing the user to visit a fraudulent website. The website is not genuine and was set up only as an attempt to steal the user's information.

    We are aware that there are companies engaging in telemarketing activities that will spoof (or manipulate) the caller ID to make it appear that the call is coming from OneWest Bank or other financial institutions. These companies are performing this illegal activity for purposes of enticing the called party to pick up the phone, after which they proceed to pitch the service they are offering. We encourage any customer receiving this type of call or any other suspicious call in which the caller claims to be a representative of OneWest to ask for the name of the caller and then contact our Call Center or use our branch locator to contact their local branch to report such activities.

    Identity theft occurs when someone steals your personal information in order to commit fraud. The fraudsters may use your information to apply for credit, file taxes, or obtain medical services.

    If you suspect that you may be a victim of identity theft, please contact the Federal Trade Commission at  https://www.identitytheft.gov/

    Tips on preventing Identity theft:

    • Secure your Social Security Number (SSN) by not carrying it in your wallet and only provide when necessary.
    • Review your credit card and account statements on a regular basis to review for any unauthorized transactions.
    • Create complex passwords that are not easy to guess and change your passwords if a company that you do business with has a data breach.
    • Protect your mobile devices with passwords and use two-factor authentication when available.

    Many fraudsters are located overseas. In order to perpetrate some of their scams, they need to open a bank account in the US. Fraudsters contact victims in the US through any number of approaches, including online ads for work from home schemes and romance schemes. The fraudster instructs the victim to open a bank account and then provide the fraudster with the login credentials and password. The account is then used to accept and transfer funds to the fraudster.

    Signs that you may be acting as a “money mule”:

    • You received an unsolicited email or contact over social media promising easy money for little to no effort.
    • You are asked to open up a bank account in your own name or in the name of a company you form to receive and transfer money.
    • As an “employee,” you are asked to receive funds in your bank account and then process or transfer funds via a wire transfer, ACH, mail, or money service business (such as Western Union or MoneyGram).
    • You are allowed to keep a portion of the money you transfer.
    • Your duties have no specific job description.
    • Your online companion, whom you have never met in person, asks you to receive money and, subsequently, forward the funds to an individual or business you do not know.

    An advance fee scam occurs when the victim pays money to someone in anticipation of receiving something of greater value—such as a loan, contract, investment, or gift—and then receives little or nothing in return. They may involve the sale of products or services, the offering of investments, lottery winnings, inheritance money, or many other alleged opportunities.

    The fraudster impersonates a Bank Official, such as the Bank CFO, and contacts the intended victims via text message or e-mail. The impersonator promises a large percentage of an unclaimed deposit, since the account holder is purportedly deceased, and the money will be returned to the Bank if not claimed. In return for the victim completing a claim form and paying a legal fee or insurance fee, promises are made that the victim will obtain the funds.

    Victims of lottery scams can receive a phone call, e-mail or letter declaring the recipient is the winner of a lottery or sweepstake that they never actually entered. The recipient may be instructed to contact the sender to negotiate the balance of their winnings, at which time personal information is requested to verify the recipient's identification.

    Grandparents Bail Scam
    In this scheme, the fraudster calls the victim and claims to be a friend, hospital representative or some other type of “official” messenger. The caller will inform the victim that their grandchild has been involved in some type of incident with law enforcement or other authorities, and that a cash bail payment is required immediately. The victim is instructed to make payment by wire in order to avoid their grandchild being held in jail.

    Romance Scam
    The fraudster makes contact with the victim through e-mail, telephone, social media or dating websites. The fraudster then convinces the victim, after a series of email exchanges, text messages or phone calls, to send money to the fraudster for a variety of reasons. These can include money for medical procedures, for hardship or to provide money so they can travel to meet you. The meeting never takes place and once the money is sent, it is gone. The fraudster usually asks for the money via wire or gift cards.

    Additional Fraud Resources: