ICBA - Publications - OCC Issues Web Site Privacy Guidance

OCC Issues Web Site Privacy Guidance

WWR Article
May 7, 1999

The OCC has issued guidance to national banks describing examples of effective practices for developing privacy policies and communicating them to customers who use their Internet sites. While targeted at web site privacy, the advisory letter also provides guidance generally applicable to bank privacy policies.

To capitalize on new Internet opportunities, banks must reassure customers that the expectation of privacy they have as part of the bank-customer relationship will be honored on the Internet just as it is in the branch office, Comptroller Jerry Hawke said.

The guidance makes clear that it is not intended to set new examination standards or impose new regulatory requirements on banks. While the guidance includes examples of practices that appear to work well, banks are free to find other effective ways to devise and communicate privacy practices, the OCC said.

Privacy practices posted on web sites should be clear, prominent and easy to understand, according to the guidance. The OCC noted that banks have used "hypertext" links or "hotlinks" to privacy statements on home pages, links that present disclosures to customers on transactional pages, and links to privacy policies in the footer of each web site page.

Disclosures typically include a description of how the bank will safeguard and handle personal information. For instance: a statement that the bank takes measures to limit employee access to confidential information; a description of the general circumstances under which the bank will share information with third parties, providing customers a choice about how their information is shared and a convenient way to opt out of mail or telephone solicitations; and an explanation of the collection and use of customer information online (including the use of "cookies").

The advisory letter also suggests steps banks should take to develop an effective privacy policy, including: senior management involvement; formation of a privacy working group with members from various departments of the bank (for larger banks); review of existing procedures and systems to understand the bank's current practices and ensure privacy promises can be met; internal communication and employee training (e.g., employee handbooks, codes of ethics, memos and internal distribution of policies); review of third-party relationships (such as data processors) to ensure they agree to maintain the confidentiality of the information; compliance reviews; discipline for employee violations of the policy; and mechanisms for handling customer complaints.

The advisory letter is available on the OCC's web site at www.occ.treas.gov.