
Privacy Examinations: How Should You Prepare?

Evaluating an institution's compliance with privacy requirements is one of those things that is simply difficult to get a handle on. The obvious approach is to make sure that there is a privacy policy, that the policy and notices accurately reflect the actual practices, and that privacy notices went to all customers within the designated time. But this approach, while not unimportant, is only the tip of the privacy iceberg.

Privacy "Defined"
Before doing an audit or an examination, it is important to establish just what privacy means and what laws are included. We use the term privacy to describe many laws, some of which actually do protect consumer privacy.

The original privacy law is the Fair Credit Reporting Act. This is only an indirect privacy protection in that it limits the uses that may be made of certain consumer data under certain circumstances. Then came the federal Right to Financial Privacy Act which simply protects the privacy of customers from certain government investigations.

The newer privacy laws again fail to deal directly with consumer privacy. Instead, they regulate uses of consumer data and mandate information security. G-L-B is really a prohibition against using consumer data for marketing purposes. The FACT Act provides privacy protections by giving consumers more access to their consumer reports and establishes strict standards for information security. None of these laws broadly guarantee privacy.

Practices Covered
We've drawn the parallel before, but getting your hands around privacy is much like the Y2K exercise. You have to look everywhere and include the use of imagination. Information sits in some surprising places and opportunities to violate privacy are everywhere.

Traditionally, the compliance program has looked first and primarily to product delivery. Most compliance requirements involve specific actions, such as providing disclosures, when the product is sold. Privacy has no such focus. Privacy violations can occur wherever there is information - and that is pretty much everywhere.

To evaluate privacy protections and practices, it is necessary to look everywhere in the institution. This ranges from the desk-tops and computer screens in the lobby to file rooms and then to computer systems. Examining for privacy must include more than some specific tests such as a review of policy and privacy notices. It includes testing computer systems, contracts with vendors, and even the culture of the institution.

Audit Elements
Examiners, and therefore your auditors, look at privacy largely in the context of the G-L-B requirements and Regulation P. Thus, the exam modules are organized around specific Regulation P requirements.

First, there is a review of sharing customer information with non-affiliated third parties for joint marketing or vendor services. Sharing for marketing purposes is considered very high risk. To evaluate compliance, the audit must include the opt-out system - when opt-out notices are sent, how they are handled when they come in, and how the opt-out is implemented and maintained.

If there is no information sharing outside of the legal exceptions, the audit should still review information procedures and protections, but it does not have to review the implementation and maintenance of opt-outs.

After this, things get more complicated. Examiners look at use and re-use of information. This includes information sent to and information received from another non-affiliated financial institution and the uses to which such information is put. Finally, examiners look at practices for sharing account numbers and access codes with any non-affiliated third party.

Examiners recommend some best practices to use in preparing for a privacy exam or audit. These best practices should be a part of your regular privacy program.

First, know where information is. What you should have - or develop - is an information atlas. This should include all of the ways in which information can exist: paper and electronic.

Next, know where and how information flows. Information comes into the institution in a variety of ways, including the core sources which are customer input and credit reports. Information also goes out. We transmit information on a daily or hourly basis, sending it to servers, third party vendors, and credit bureaus. But information also moves around inside the organization. To know how this is happening, you should have a list of actual and potential users of customer information.

With a better handle on the information maps, review policies and procedures to be sure that they accurately reflect what is going on. At the same time, consider whether everyone who should have procedures does in fact have them. It is easy to overlook some of the less obvious ways that information is handled.

The structure of your organization is also important. The relationship of affiliates and the relationship or overlap of affiliate products is a core element of how information sharing happens, regardless of the policy. You need to look closely at both organizations and products to identify the weak points in information control. For example, if mortgages are made in one affiliate but another affiliate is a finance company, it is very possible for credit reports to flow over your information dam from one company into the other.

If you have an opt-out program, that also needs checking. Getting opt-out notices to and from customers is relatively straightforward. But making sure that the opt-out is properly maintained on all systems is much more complex. What happens, for example, if there is a system conversion? Also make sure that multiple-name accounts are properly covered by opt-outs.

Privacy protection won't just happen. It needs ongoing attention to be sure that the program meets the needs of your customers, your current systems and practices, and all of the relevant laws.

  • Look at your information map and see if all information and all flow directions are included. If not, update it.
  • Share the information map and policy with those who handle customer information. Ask them to compare these with their actual practices and note any differences.
  • Review the records destruction practices to be sure they are sufficient to protect customer privacy and comply with G-L-B and the FACT Act.
  • Review all contracts with third parties (including compliance consultants!) to be sure that the vendor guarantees appropriate privacy protections. The guarantees should be consistent with your program.
  • Train regularly. Use recent news stories about information leaks to grab your audience's attention.

Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 11, 10/05

First published on 10/01/2005
