Privacy Exams Now Public

The FFIEC has released the procedures for compliance examinations with the new privacy law. As is usually the case with exam procedures, there aren't any real surprises. The procedures do give a fresh look at the privacy law - from the back end - and a few things look different.

One thing the procedures illustrate is that managing a privacy program involves much more than the process of reading a regulation and setting up a program. The new examination procedures give close attention to the ways in which the institution actually protects privacy by preventing information from leaving the institution.

The procedures start in the usual place. They begin with what the institution promised the customer. This involves looking at policies and disclosures. These documents set a baseline for the examination, much like stated underwriting standards set the baseline for a fair lending examination. Examiners then venture throughout the institution, comparing what actually happens to information to what the institution said would happen.

Examiners will evaluate the institution's notices. They will be looking for clarity and accuracy. This is going to involve some subjectivity on the part of the examiner. It may be a good idea to be ready with some market testing of your notices, even if it is only your tellers. There has already been much public criticism of notices (most of which used the suggested model language) for being difficult to understand.

The exam will involve more than looking at the obvious paper trail. Examiners are directed to look at complaint logs, including e-mail complaints, as a measurement of customer satisfaction or dissatisfaction with privacy procedures. They will look at marketing scripts to determine what information telemarketers are given and how they use it.

Examiners will also look at information processes to determine what actually happens - or could happen - to customer information. The exam procedures come in separate modules designed for specific information sharing practices. Institutions that do not share information will have a less extensive examination than institutions that share.

Each module is designed to examine and evaluate the process of protecting information and determining whether the institution has adequate controls when information is shared. The modules give emphasis to steps taken to prevent unlawful disclosure of customer information. Account number sharing is at the top of the list to check. In addition, examiners will review how the institution receives and processes requests for personal information and aggregated data.

And then, of course, there is the evaluation of the continuing process. This involves looking at the renotifications and new customer notifications provided. The privacy program must include a plan for sending out annual notices and for providing initial notices to new consumers and customers, as appropriate.

Never to be overlooked is training. Although there is no specific regulatory requirement for privacy training, institutions will be evaluated on whether their employees know what to do and what not to do. This comes down to training. Examiners will look at the "adequacy and regularity" of your training program. So be sure that privacy training is included in new employee training and the annual training calendar. In fact, the examination procedures contain some material that could be useful for training purposes. The procedures begin with a plain-English description of the act and regulations. If you are looking for reading materials to distribute, you need look no further.

All of these exam steps should be in your audit procedures as well. It's a good idea to use the exam procedures to design your audit procedures. Select the modules that are designed for your institution's policies and procedures. No matter what your stated policy, always check for information leaks. They can happen even if your policy is to not share.

Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 9, 8/01

First published on 08/01/2001