Overhaul Your Existing Privacy System
First, establish where and how customer information is maintained. Include both computer data and paper or microfiche storage. This covers the mundane things, such as signature cards and loan application files (including denials), as well as the technical side: databases and automated information systems.
Now determine who has access to the information and under what circumstances. This is the core of privacy management. Some people need access to this information to do their job. Others may find the information interesting but don't need it to get their job done. Good privacy procedures identify when information is needed, when and how it is properly used, and by whom. Your procedures should also make clear when certain staff should not have access to customer data.
Second, review your relationships with affiliates. Who are your affiliates? This may include a mortgage bank, finance company, other banks in the holding company, and more "distant" affiliates that have less to do with financial transactions.
What business relationships do you have with affiliates? A particular concern is the referral of business or products from the bank to an affiliate. Sharing customer information with affiliates is another practice that calls for care.
Third, review your relationships with unaffiliated third parties. Get a handle on precisely what and how much information about customers you share. Don't forget that software support vendors fall into this category. Any company that provides support in the form of processing accounts and generating statements has the ability to tap your customer database; in fact, they run it for you. The privacy concern here is whether the bank has taken steps to hold the third-party vendor to the bank's own standards for protecting customer privacy.
Unaffiliated third parties include the vendors that process your accounts. They are sitting on all kinds of information about your customers. Your bank should retain control of that information; it should not be available for the vendor's independent use.
Fourth, review your internal communication systems. Look for lapses in security or ways the information can leak. Also make sure there is a procedure for requesting and providing customer information that takes adequate steps to protect privacy. No one should provide information to someone who is not authorized to request or receive it. This should include attention to the possibility of pretext calls, in which a caller poses as the customer or as someone else entitled to the information in order to obtain account details. The bank will need standards for recognizing and handling pretext calls to prevent information leaks.
Sixth, establish specific procedures or practices that will enhance customer privacy, and the customer's perception of how your bank protects their privacy. For example, set guidelines for displaying or concealing computer screens: when customers are in the bank, when a bank employee is meeting with a customer, and when an employee is away from the desk.
- Review your list of affiliates. Identify all relationships, business and other, that your bank or staff has with these affiliates. Consider the privacy implications of each relationship.
- Compile a list of all third parties with which the bank does business. Evaluate any privacy implications for each company.
- Review the contracts your bank has with vendors. Look for clauses that limit any use of customer information by the vendor. If the clauses aren't there, put them in.
- Ask branch staff to look at where computer screens are placed and who may be able to read them in addition to the employee using the computer. Screens that can be seen by customers should be moved.
- Involve branch staff in developing procedures for identifying pretext calls.
Copyright © 1999 Compliance Action. Originally appeared in Compliance Action, Vol. 4, No. 13 & 14, 11/99
First published on 11/01/1999