Overhaul Your Existing Privacy System

You may already have a privacy policy in your bank. This is the time to take a close look at that policy and decide whether it is sufficient for today's and tomorrow's needs. If the policy is more than a year old, you can be certain that it needs a serious overhaul.

First, establish where and how customer information is maintained. Include both computer data and paper or microfiche storage. This includes the mundane things like signature cards and loan application files (including denials) as well as the techy stuff such as databases and automated information systems.

Now determine who has access to the information and under what circumstances. This is the core of privacy management. Some people need access to this information to do their job. Others may find the information interesting, but don't need to use it in order to get their job done. Good privacy procedures will identify when information is needed, when and how it is properly used, and by whom. Your procedures should also make clear when certain staff should not have access to customer data.

Second, review your relationships with affiliates. Who are your affiliates? This may include a mortgage bank, finance company, other banks in the holding company, and more "distant" affiliates that have less to do with financial transactions.

What business relationships do you have with affiliates? A particular concern is the referral of business or products from the bank to an affiliate. Sharing customer information with affiliates is another delicate practice that deserves scrutiny.

Your privacy policy should give attention to whether, when, and how information may be shared between affiliates. You may also want to distinguish between affiliates for policy purposes. Give attention not only to the theoretical when and how, but specify who may conduct or request the exchange.

Third, review your relationships with unaffiliated third parties. Get a handle on precisely what and how much information about customers you share. Don't forget that software support vendors fall into this category. Any company that provides support in the form of processing accounts and generating statements has the ability to tap your customer database. In fact, they run it for you. The privacy concern here is whether the bank has taken steps to hold the third party vendor to the bank's standards for protection of customer privacy.

Unaffiliated third parties include the vendors that process your accounts. They are sitting on all kinds of information about your customers. Your bank should have "control" of that information. It should not be available for the vendor's independent use.

Fourth, review your internal communication systems. Look for lapses in security or ways the information can leak. Also make sure that there is a procedure for requesting and providing customer information that takes adequate steps to protect privacy. No one should provide information to someone who is not authorized to request or receive it. This should include attention to the possibility of receiving pretext calls. The bank will need standards for recognizing and handling pretext calls to prevent information leaks.

Fifth, review your training programs. Training for new employees and refresher training should include clear information about the bank's privacy policy and background on why protecting customer privacy is important.

Sixth, establish specific procedures or practices that will enhance customer privacy - and the customer's perception of how your bank protects their privacy. For example, set guidelines for displaying or concealing computer screens, including when customers are in the bank, when a bank employee is meeting with a customer, and when an employee is away from the desk.

Take steps to deter employee violations of the bank's privacy policies. Job descriptions should include a commitment to honor privacy and protect customer information. Review job descriptions to ensure that each employee is held accountable for protecting customer privacy in the description of their employment responsibilities. Each employee should sign a privacy policy awareness acknowledgment. And most important, be sure your bank is committed to taking action against employees who violate customer privacy.

ACTION STEPS

  • Review your list of affiliates. Identify all relationships, business and other, that your bank or staff has with these affiliates. Consider the privacy implications of each relationship.
  • Compile a list of all third parties with which the bank does business. Evaluate any privacy implications for each company.
  • Review the contracts your bank has with vendors. Look for clauses that limit any use of customer information by the vendor. If the clauses aren't there, put them in.
  • Ask branch staff to look at where computer screens are placed and who may be able to read them in addition to the employee using the computer. Screens that can be seen by customers should be moved.
  • Involve branch staff in developing procedures for identifying pretext calls.

Copyright © 1999 Compliance Action. Originally appeared in Compliance Action, Vol. 4, No. 13 & 14, 11/99

First published on 11/01/1999