May 7, 1999
The OCC has issued guidance to national banks describing examples of effective practices for developing privacy policies and communicating them to customers who use their Internet sites. While targeted at web site privacy, the advisory letter also provides guidance generally applicable to bank privacy policies.
To capitalize on new Internet opportunities, banks must reassure customers that the expectation of privacy they have as part of the bank-customer relationship will be honored on the Internet just as it is in the branch office, Comptroller Jerry Hawke said.
The guidance makes clear that it is not intended to set new examination standards or impose new regulatory requirements on banks. While the guidance includes examples of practices that appear to work well, banks are free to find other effective ways to devise and communicate privacy practices, the OCC said.
Posting of privacy practices on web sites should be clear, prominent and easy to understand, according to the guidance. The OCC noted that banks have used "hypertext" links or "hotlinks" to privacy statements on home pages, links that present disclosures to customers on transactional pages, and links to privacy policies on the footer of each web site page.
Disclosures typically include a description of how the bank will safeguard and handle personal information. For instance: a statement that the bank takes measures to limit employee access to confidential information; a description of the general circumstances under which the bank will share information with third parties, providing customers a choice about how their information is shared and a convenient way to opt out of mail or telephone solicitations; and an explanation of the collection and use of customer information online (including the use of "cookies").
The advisory letter is available on the OCC's web site at www.occ.treas.gov.