
Privacy: Practical Tips for Implementing Privacy

At BAI's ACE 2001 Conference (Audit, Compliance, Electronic Security), two bankers gave some practical tips on implementing the new privacy requirements. John Topczewski, Risk Manager for Johnson International, Inc., and Eugene Ret, Privacy Manager for Chase Manhattan, shared their ideas and lessons learned.

Topczewski recommends easing the path by adopting a policy of no third-party information sharing that is not provided for in the exemptions. For smaller institutions with limited resources to manage the flow of customer information, this may be the most practical policy to adopt. However, even with this policy, there are numerous issues to manage.

Information about customers is everywhere. The key to managing a successful privacy program is having knowledge about all this information and how it is used and communicated.

Who needs to be involved?
No privacy team is complete without representation from legal, compliance, marketing, internal and external communications, technology and systems, and operations. Each of these functions - especially marketing - plays an important role in the acquisition, use, and distribution of information.

But this is not the whole team. Topczewski advises that all business lines must also be represented. The concern is that bits and bytes of information may be sitting around in all sorts of places, and your privacy program must account for them. How do you know what every line of business is doing with every bit of information about everyone? The only way to find out is to work with each line of business. Include businesses such as safe deposit boxes, which may be tracked on a different system.

This may result in a group that is too large to function efficiently. You can solve this problem by creating subgroups for specific topics or information functions.

Marketing Responsibilities
Topczewski recommends a "new mindset" for marketing staff. This involves viewing the privacy preferences of customers as an integral part of marketing strategy. Each solicitation program should include an actionable customer request. The customer must be able to act, and the bank must respond.

Marketing pieces should also be seen as an opportunity to craft a message to influence or modify customers' privacy views and behavior. The era of heavy-handed marketing is over, replaced by marketing that informs and persuades. A tone of respect for the customer and the customer's privacy should run throughout any marketing piece.

As is always important in the compliance world, marketing pieces should produce documentation and an audit trail. Marketing is a vital part of the privacy formula, and both the bank and the examiner must be able to review it for compliance.

Also involve marketers in drafting policies and notices for customers. Sure, let the lawyers have at it, but the marketers are the members of your team who have the necessary skill to put your notices into language that consumers can (and will) read and understand. This is not a time to get all tied up in legalese and boilerplate. Use the people with good plain-language communication skills.

Make Decisions in Gray Areas
As with any new regulation, there are many areas that are gray. Topczewski recommends the high ground of opting for more privacy protection. This is clearly a subject that is not suited for minimal technical compliance. His rule is "assume the consumer is protected."

It is not worth the risk to assume that consumers coming in through an affiliate such as an insurance company are not protected. Give every customer the same protections, regardless of how they enter the financial services family.

Have a Program
Your privacy program should be a real, functioning program. It should also be ongoing. Eugene Ret expects examiners to ask the bank to show how the process works in the bank. It probably won't be enough to produce the policy and notices. This is not like Y2K with a final date to get past. The July 1, 2001 date is the beginning.

To keep the program going, Topczewski and Ret suggest several activities. Test your call centers and service representatives. This is definitely a time for mystery shopping. Make sure that your business lines have the capability to provide the privacy services and protections that you have promised. Also, establish review and control protocols for future activities that are subject to privacy rules, such as any marketing activities.

ACTION STEPS

  • Take a hard look at your bank's organization chart. Consider whether your privacy task force has included all of the members that should be a part of the process.
  • Go through the same process with your holding company, especially if your holding company includes financial service providers other than banks.
  • Review all of the products and services your bank offers. Check these against your privacy program to ensure that your program has included them.
  • If marketing has not been involved in your task force, ask them to review your policies and notices for plain language impact.
  • Identify and put into place controls to protect customer privacy throughout the bank.
  • Don't stop! Keep the program going.

Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 3, 4/01

First published on 04/01/2001
