Privacy Principles

The IBAA, The Bankers Roundtable -- together with its division, the Banking Industry Technology Secretariat (BITS) -- the American Bankers Association, and the Consumer Bankers Association worked together to provide the industry with a uniform set of privacy principles. Consumers are increasingly concerned about their personal privacy. The action was taken to assure the American public that financial privacy will be protected when conducting business with commercial banks. These principles are for the use of the associations' member banks in meeting customer needs to understand and protect the use of personal information.

In parallel with the development of the privacy principles, BITS adopted a "Privacy Principles Implementation Plan." The BITS board of directors is made up of the chairs of 11 large U.S. bank holding companies as well as representatives of the IBAA and ABA.

Reprinted below are the privacy principles and the implementation plan. IBAA urges all community bankers to adopt and implement customer privacy principles for their own banks.

Privacy Principles

Recognition of a Customer's Expectation of Privacy
Financial institutions should recognize and respect the privacy expectations of their customers and explain principles of financial privacy to their customers in an appropriate fashion. This could be accomplished, for example, by making available privacy guidelines and/or providing a series of questions and answers about financial privacy to those customers.

Financial institutions should collect, retain and use information about individual customers only where the institution reasonably believes it would be useful (and allowed by law) to administering that organization's business and to provide products, services and other opportunities to its customers.

Maintenance of Accurate Information
Financial institutions should establish procedures so that a customer's financial information is accurate, current and complete in accordance with reasonable commercial standards. Financial institutions should also respond to requests to correct inaccurate information in a timely manner.

Limiting Employee Access to Information
Financial institutions should limit employee access to personally identifiable information to those with a business reason for knowing such information. Financial institutions should educate their employees so that they will understand the importance of confidentiality and customer privacy. Financial institutions should also take appropriate disciplinary measures to enforce employee privacy responsibilities.

Protection of Information via Established Security Procedures
Financial institutions should maintain appropriate security standards and procedures regarding unauthorized access to customer information.

Restrictions on the Disclosure of Account Information
Financial institutions should not reveal specific information about customer accounts or other personally identifiable data to unaffiliated third parties for their independent use, except for the exchange of information with reputable information reporting agencies to maximize the accuracy and security of such information or in the performance of bona fide corporate due diligence, unless 1) the information is provided to help complete a customer initiated transaction; 2) the customer requests it; 3) the disclosure is required by/or allowed by law (e.g., subpoena, investigation of fraudulent activity, etc.); or 4) the customer has been informed about the possibility of disclosure for marketing or similar purposes through a prior communication and is given the opportunity to decline (i.e., "opt out").

Maintaining Customer Privacy in Business Relationships with Third Parties
If personally identifiable customer information is provided to a third party, the financial institutions should insist that the third party adhere to similar privacy principles that provide for keeping such information confidential.

Disclosure of Privacy Principles to Customers
Financial institutions should devise methods of providing a customer with an understanding of their privacy policies. Customers that are concerned about financial privacy will want to know about an institution's treatment of this important issue. Each financial institution should create a method for making available its privacy policies.

PRIVACY PRINCIPLES IMPLEMENTATION PLAN

Adopting a Plan for Implementing Privacy Principles
Each bank will approve a plan for implementing The Banking Industry Privacy Principles at the level of the Board of Directors or the Office of the Chair, with subsequent notification of this action to the Board.

Communicating with Bank Customers
It is important to communicate the bank's policies related to customer privacy to the bank's customers.
How that is done should be left to each bank to decide and may include use of existing channels.

Advising and Training Employees
All employees should be informed and educated about the bank's plan for implementing The Banking Industry Privacy Principles. How this is done will be decided by each bank.

Establishing a Privacy Mark
There may be need and value in having a banking industry privacy mark that assures the public that certain safeguards have been met. The Banking Industry Technology Secretariat will explore this possibility and make recommendations to the BITS Board of Directors.

Contracting with Third Party Vendors
Each bank will obtain agreement from third party vendors, on a case-by-case basis, to comply with the bank's privacy principles.

Informing Customers of Third Party Opt-out
Where a bank provides information to unrelated and unaffiliated third parties for their independent use for marketing or similar purposes, the bank will notify customers of their right to opt-out from the bank providing customer information to those third parties.

Complying with Privacy Principles
Banks will apply their own internal process to assure compliance with the bank's privacy principles.

Addressing Breaches of Policy
Breaches of policy will be addressed internally on a case-by-case basis by each bank.

Maintaining Accurate Customer Data
Each bank will establish and maintain procedures by which customers can correct inaccurate customer information.