May 4, 1999
OCC Guidance Describes Effective Web Privacy Practices
WASHINGTON — The OCC today provided national banks with examples of effective practices for developing privacy policies and communicating them to customers who use their Internet sites.
"The Internet opens the door to new opportunities for financial institutions," said Comptroller of the Currency John D. Hawke, Jr. "However, to capitalize on those opportunities, banks must reassure consumers that the bank-customer relationship — and the expectation of privacy that is an essential part of that relationship — will be honored as much on the Internet as it is in the branch office."
The guidance issued today is intended to help banks develop and communicate privacy policies. It does not set new examination standards or impose new regulatory requirements on banks. While the guidance includes examples of practices that appear to work well, national banks are free to find other effective ways to devise and communicate privacy practices.
The most effective disclosures are clear, prominent and easy to understand. For example, some banks use "hypertext" links that automatically present disclosures to customers when different transaction options are selected. Other banks place links to privacy policies in the footer of each Web site page.
Effective policies and procedures often involve senior management knowledge or participation and, in a number of banks, the personnel responsible for developing privacy practices report directly to senior officials.
Various banks, particularly larger institutions, have formed privacy working groups with representatives from different departments in the bank, including legal, marketing, compliance, retail, systems, security and human resources.
Some smaller institutions have found that an interdisciplinary team approach was not needed. In those cases, senior management appointed a particular division or employee to develop policies and procedures.
Some institutions have initiated reviews of third party relationships to assess adherence with the bank's own privacy practices. Several banks that provide customer information to unaffiliated third parties for joint marketing purposes or operational support have required the third party to sign an agreement limiting the use of the information.
Banks with effective privacy practices have taken steps to ensure that their policies were understood by employees involved in the handling of confidential information. Policies have been communicated through employee handbooks, codes of ethics, internal newsletters and through mailings and internal Intranet postings, among other means.
In addition, a number of banks have established programs or procedures to enhance compliance with privacy policies. For example, some banks have determined the adequacy of compliance through internal audits, while others use periodic reviews rather than formal audits.
Many banks have established mechanisms for handling consumer privacy complaints and inquiries. One bank has appointed an Ombudsman to handle such complaints, while another catalogues complaints and routes them to different centralized locations for handling.
- Advisory Letter 99-06 (PDF)