Managing With Clear Policies & Procedures

It isn't a regulation yet, but the message is clear. Financial institutions should have clear policies that state their intention to protect their customers' privacy, inform the customer that this is the case, and establish the necessary priorities and procedures to carry this out.

The long-awaited 1999 banking reform act contains several provisions that deal with privacy. One of the provisions is that banks must adopt a privacy policy and disclose that policy annually to customers. Needless to say, banks should also take steps to ensure that employees know what the policy promises and to ensure that employees honor the policy in their decisions, activities, and treatment of customers and bank products.

So now comes the big question: what exactly is a privacy policy and what provisions should it include? There is a great deal of opportunity here because customer privacy issues vary depending on the product or circumstances. In fact, when regulators and others talk about privacy policies, they mean several different things - all of which you should do.

First, the bank should have a general privacy policy, adopted by its board and fully backed by senior management. This policy should establish the bank's fundamental attitude toward privacy. It should be a statement of the value or priority the bank places on honoring and protecting the privacy of its customers. It should also be clear enough and direct enough that all employees - and we mean all - can readily understand the policy.

Next, you should consider adopting privacy policies that are tailored to the specific issues of a product or service. If, for example, the bank offers Internet banking or on-line banking - or just telephone banking - the bank should have policies and procedures that protect the customer's privacy in that special service. The policy or policies should also take into account any issues that arise from the bank's structure such as information sharing with affiliates.

The Master Policy
Each bank should have a policy on the general principles of consumer privacy which the bank will follow. This policy should apply to all aspects of the bank's customer relationships - and to every employee in the bank.

This policy is the foundation for all bank-customer relationships that touch on privacy issues. It is the policy or philosophy that applies to any situation that arises without being addressed by a more specific policy. It is as important as the bank's business strategy. In fact, think of privacy as part of a business strategy. It is central to how customers perceive banks.

There are at least five key elements that your general customer privacy policy should address. These include:

  1. Notice: notice to consumers about your policies;
  2. Choice: providing consumers with choice about how the bank will use customer information;
  3. Accuracy: a commitment to maintain accurate personal customer information;
  4. Security: security measures the bank will use to protect consumer information; and
  5. Service: a system for receiving and responding to consumer questions or requests.

Notice
Notice to the customer is a basic precept of any policy that affects them. Privacy is no exception. Once the policy is adopted, your first step should be to notify customers and inform them about the policy. The policy and procedures should be developed with this notice to customers in mind.

Having an effective privacy protection policy is important. But you should also make the most of having a good policy. This means explaining the policy to customers so that they can understand what the bank will do and not do with information about them and their accounts. Remember, the better protections the bank provides to consumers, the more loyal those customers will be to the bank.

The notice should be clear, prominent, and easy for customers to understand. A notice on the wall is a good idea. In addition, the new law will also require sending your policy to customers at least annually. This means a statement stuffer. You might also want to consider more creative - and attractive - ways to communicate your policy. Using consumer education materials or a Q&A format could be effective not only to communicate the policy, but to strengthen customer loyalty.

Choice
A good policy should provide consumers with the ability to understand and decide whether to participate in ways the bank may share information about customers. Even where not specifically required by law or regulation, the agencies strongly urge institutions to provide their customers with the right to opt out of any use or sharing of their information.

Opt-out notices should be clear and easy to identify, read, and understand. And, the procedures for opting out should be relatively easy for the customer to perform. It should be as simple as making a phone call to a designated number or checking a box (big enough to see with the naked eye) on a response card.

Establishing complex procedures for opt-out could be construed as an unfair or deceptive trade practice. The more difficult the process, the more likely the practice is to be viewed as intended to trick or deceive the consumer.

Accuracy
On the front burner of the privacy issue is the right of the customer to have some control over how their personal financial information is used and who has access to it. Equally important, however, is that harm can be done to a consumer if information is inaccurate, regardless of who uses it. Rick Fischer, partner with Morrison and Foerster, advises that accuracy is a major component of the privacy debate. The consumer's ability to ensure that information about them is accurate is as important as ensuring that information remain confidential.

Your policy should establish standards for accuracy. It should also provide for action the bank may take when errors in customer information occur. Note that this may mean disciplinary action involving staff that failed to maintain the accuracy standards.

Security
Remember the guard at the door of the bank? Those days are long gone. Now, the biggest threat may be a 15-year-old with a computer, a modem, and nothing more interesting to do than hack into your data cache. Where security is concerned, the question is how safe is the data?

Traditional banking practices, such as going to the file to check a customer's signature card or pulling up a loan file, still occur, but electronic privacy concerns are growing every day. Your privacy policy should therefore deal not only with who has access to customer files, when files may be pulled, and where they may be used, but also with the electronic aspects of data security. For this, you need data experts.

Increasingly, the folks who run computers are vital to the compliance program. They not only have control of periodic statements, ARM readjustments, and other compliance requirements, they are sitting on the lid of the privacy issue.

All of the other issues - access, accuracy, notice, management of opt-outs, and more - are in fact managed by your operations staff. They should be involved in the design of your privacy policy to ensure that the policy and the computer systems are consistent.

Service
Whether customers want information about their information, or want to limit how you use their information, or want to find out whether they have exercised the opt-out already, the bank should have an easy and responsive system for them to use. The need to offer responsive service is right up there with the need to have a process for taking billing error complaints.

This process should be up and running at all times. There should be an easy method for customers to use to opt out. And bank staff should be trained to recognize and accurately carry out customer requests. A hotline for customers to call would be a good idea. Consider posting the hotline number in your lobbies and including it on statements.

Make the Policy Work
The bank's privacy policy, whether general or specific (such as an Internet privacy policy), should also be realistic. Do not set standards that cannot be met or maintained. The customer is relying on your representations.

The bank should have procedures for protecting information about customers. These procedures should give everyone in the bank the appropriate guidance on when and how to protect, use, or release customer information.

You will need separate and specific procedures for each function that handles or has access to customer information. Your policy and procedures should deal with issues such as who has access to, and use of, account information, loan information, and number and extent of banking accounts or relationships. These issues are different for loan officers than for customer service reps.

In order to be effective, the procedures must be realistic. Don't invent procedures that sound great on paper but will constrict important bank functions. For example, don't promise that no employee will ever, ever look at account information. You will need to be able to review account information and account status to respond to customer inquiries about their account.

Training is an unavoidable and necessary component of the procedures. In fact, procedures won't work unless staff knows what to do. Every staff person should be familiar with the overall policy. They should also know what information they are permitted to access and what they are permitted to do with the information. Everyone should be aware of any limitations applicable to them.

The training should give attention to practice situations so that staff are sufficiently adept at handling difficult situations such as pretext phone calls.

Letting Consumers Opt Out
Fundamental to the ability to share or use information about customers is the requirement that customers be able to choose to not let their information be used or shared. This ability to "opt out" is central to any ability or permission for the banking industry to use customer information.

Opt-out options should be clear to the customer, easy to do, and available whenever the customer chooses to opt out. One test of the effectiveness and fairness of your privacy policy is the extent to which the bank gives customers a realistic opt-out option.

Best practices might include providing a privacy hotline for consumers to call with questions, concerns, or a request to opt out; providing regular notices with customer mailings so that customers are informed throughout their relationship with the bank, not simply at the beginning of the relationship. The opt-out notice and/or form should be clear, easy to read, and easy to complete. It is perfectly legitimate to tell customers what solicitations or information they will not receive if they opt out. That arguably helps them to make an informed choice. However, any such information should be balanced and fair.

ACTION STEPS

  • Review what your bank has in the way of privacy policies. Start a "library" of old and current policies that bear any relationship to privacy.
  • Inventory your bank for products and practices - such as trust accounts, sale of non-traditional products and Internet or electronic banking - that should have customized privacy policies.
  • Make a list of staff you should meet with to discuss each aspect of a comprehensive privacy policy. Be sure to include people from marketing and operations so that you can discuss ways to send notices to customers.
  • Start drafting your policy. Do this as a team, or ask key people throughout the bank to review the draft before you send it to the Board.
  • Schedule the policy for review and adoption by the Board of Directors. Ask for enough time to give a ten-minute briefing on privacy issues affecting banks now and in the future.
  • Take a positive approach to the whole privacy issue. Don't drag a bank kicking and screaming into compliance. Stress that a good privacy policy is a strong tool for building and enhancing customer relations.

Copyright © 1999 Compliance Action. Originally appeared in Compliance Action, Vol. 4, No. 13 & 14, 11/99

First published on 11/01/1999