TOOLBOX. ABA Financial Privacy

Transcription

1 ABA Financial Privacy TOOLBOX This tool will help ensure that privacy remains a core value in all corners of your institution. The success of your privacy program depends upon your board s and your management s support. Involve Your Board and Senior Management Consider a Board Privacy Resolution Review Your Employee Code of Conduct Appoint a Privacy Manager or Designate a Responsible Person Review Your Security Officer s Responsibilities BANKERS

2 TOOL 1 CONTENTS Board and Senior Management Involvement...3 Sample Board Resolution...5 Sample Codes of Conduct...6 Customer Information Security Program...8 Elements of a Comprehensive Risk Management Plan...9 C H E C K L I S T ABA Financial Privacy TOOLBOX Involve Your Board and Senior Management Consider a Board Privacy Resolution Review Your Employee Code of Conduct Appoint a Privacy Manager or Designate a Responsible Person Review Your Security Officer s Responsibilities Conducting an Information Self-Assessment Perform an Information Self-Assessment How do you collect information? How do you share customer information within your organization? How do you share information with third parties? How do you provide customer notice? How do you provide customers the right to opt out? How do you allow customer access and correction? How do you provide information security? How do you handle customer questions and concerns about privacy? Complying with Gramm-Leach-Bliley Understand the Requirements of the GLB Act Draft Your Written Privacy Notice Sample 1 (for institutions without affiliates, including most community banks) Sample 2 (for institutions with affiliates) Sample 3 (for institutions with affiliates, joint marketing, and third party sharing outside of the exceptions) Ensure Third Parties Abide by Your Privacy Standards Going Beyond GLB: Medical Privacy & Identity Theft Stress The Importance of Keeping Medical Information Confidential Be Proactive in Preventing and Resolving Cases of Identity Theft Training Your Employees Implement Privacy Training Implement Training on Combating Pretext Calling BANKERS Communicating with Customers Communicate Your Institution s Policy Toward Privacy Communicate the Benefits of Information Sharing BANKERS 2

3 TOOL 1 Board and Senior Management Involvement From the Board Room to the Back Room The success of your privacy program will, in large part, depend upon your board s and your management s continual commitment to maintaining your customers trust and confidence that their information is being properly safeguarded. Involve Your Board of Directors Our industry s successful response to the Y2K concerns was built upon the regular involvement of the board of directors. The issue of privacy and how we use and protect our customers information is no less a concern for our institutions than Y2K was. In fact, privacy may prove to be an even bigger challenge, given rising customer anxieties over information use, the spotlight from the media, the politicians in Congress and state houses that seek restrictive laws, and the rapidly changing technologies that enable information to be transmitted in nanoseconds. At least with Y2K, the issue ended on Jan. 1, ABA s Task Force felt strongly that a successful privacy program starts with the involvement of the board and senior management. Having privacy as a regular agenda item is one way to keep your board informed. There, senior management could report progress in customer communications, in complying with the privacy regulations, and in reporting what customers are telling you about their concerns. Importantly, it also helps to build a track record to demonstrate to regulators your commitment to this issue. For a board of directors to lead, it needs to understand the importance of protecting the privacy of financial information to your customers, your institution and our industry. There may be no more important group to educate than your board members. The training materials in Tool 5 can help begin this process. Your board should also set the standards of responsible use and protection of customer information for your institution and every employee. A board resolution incorporating the voluntary guidelines of the Task Force is one means to do this. A Sample Board Resolution has been included with this tool. Other board responsibilities you might consider include approval of your institution s written information management/privacy policy and oversight of the program implementing and maintaining this policy. The specific oversight of the program may be delegated to the board s audit committee. Responsibilities here include assuring that information practices are being carried out within the parameters of your own policies and practices. In addition to the recently finalized regulations implementing the Gramm-Leach-Bliley Act s privacy provisions, the federal regulatory agencies in June proposed standards for safeguarding customer information under the Act. The section of this tool entitled Information Security Program for Safeguarding Customer Information outlines the board responsibilities contemplated in the proposed federal guidelines. Involve Senior Management Since customer information flows through all departments of your institution, senior management should be involved in the development and implementation of your information management/privacy program. It is also the responsibility of senior management to keep the board informed of the current status of the program by reporting, on a regular basis, the overall status of the program. Tool 2: Conducting an Information Self-Assessment will enable you to conduct a detailed review of how information is shared within and outside your institution. Importantly, it will help senior management answer questions like: Are our practices customer-oriented? Would they meet public scrutiny? Is this what we want to do with our customers information? 3

4 TOOL 1 A commitment to employee training is essential to the success of any program. To that end, ABA will be offering a variety of training tools through teleconferencing and other means. Employees should also be made aware of their responsibility to protect customer information. Sample Codes of Conduct have been included in this tool to assist you in this effort. Appoint a Privacy Manager Creating and implementing a privacy program requires day-to-day oversight, particularly during the initial implementation stage. Senior management should appoint a privacy manager who will have overall and ultimate responsibility for the creation and maintenance of your institution s privacy program. While that individual might have additional responsibilities, depending upon the size and complexity of your institution, a fixed portion of his or her time should be allocated to the institution s privacy program. In many community banks, the job will go to an individual who already has a full load of responsibilities. If that occurs, senior management should ensure that the privacy manager has sufficient support from others in your organization. Providing the privacy manager with sufficient resources and authority to implement your institution s privacy program is critical to a successful program. Review the Security Officer s Responsibilities The fact that all institutions have either a security officer or an employee with security responsibilities should be communicated to customers as part of your privacy policy. The role of your institution s security officer may have to be revised to reflect your information management/privacy policy, as well as the pending customer information security standards. The duties of the security officer include physical security, information security and investigations of criminal activity. The security function is increasingly responsible for creating an environment within your institution that makes unauthorized access to personal financial information by employees a violation of corporate policy. The security officer is accountable for establishing systems to prevent unauthorized access to, or manipulation or destruction of, customer information. 4

5 TOOL 1 Sample Board Resolution This board of directors resolution incorporates the voluntary industry guidelines. You may wish to amend it as appropriate to address your institution s specific practices. Privacy Pledge Whereas [Institution Name] recognizes its customers expectations of financial privacy; and whereas preserving our customers trust is one of the core values of our institution and the broader banking community; we therefore resolve to abide by the following guidelines for the responsible use and protection of our customers information:! We will always value the trust of our customers and the importance of keeping their personal financial information confidential.! We will provide our customers with our policy on using their personal financial information responsibly and protecting it.! We will hold our employees to the highest standard of conduct in ensuring the confidentiality of customer information.! We will hold any personal medical information about our customers sacred and will NOT use it for marketing purposes or in making credit decisions.! We will use information responsibly in order to provide our customers with significant benefits, including fraud prevention, improved products and services and to comply with laws.! We will establish procedures to maintain accurate information and respond in a timely manner to our customers request to change or correct information.! We will use a combination of safeguards to protect our customers against the criminal use of their information and to prevent unauthorized access to it.! We will offer our customers the option of restricting information shared with third parties for marketing purposes and honor their preferences.! We will require the companies we do business with to abide by our privacy policy to maintain the confidentiality of our customers information. 5

6 TOOL 1 Sample Codes of Conduct These sample codes of conduct are designed to help create an environment within your institution where all employees are aware of their responsibility to protect customer information. SAMPLE 1: Confidential Information and Personal Liability Employees, directors and their associates may be held personally liable for using confidential information (obtained while serving as a director or employee) for personal benefit. They may also be subject to governmental or corporate administrative action. [Institution Name] s business and customer information and any related files are confidential and cannot be disclosed to unauthorized persons (including competitors) without permission. SAMPLE 2: Confidentiality and Integrity of Information Information about the Corporation, its affiliates, customers, suppliers and employees obtained by virtue of employment with the Corporation is confidential and must be treated as such. Information should neither be modified nor destroyed without proper approval. Disclosure of confidential information to unauthorized persons outside the company is prohibited. Authentication In keeping with our tradition of confidentiality, methods of customer authentication, such as an authorization code, are used whenever necessary in the ordinary course of business to obtain information of a confidential nature. Accountability It is the policy of [Institution Name] to treat all information regarding its customers and employees in strictest confidence. Failure to maintain the confidentiality of this information will result in corrective action, up to and including immediate dismissal. 6

7 TOOL 1 SAMPLE 3: Introduction In implementing [Institution Name] s vision in accordance with our values, this Code of Conduct (the Code) serves as a guide to ethical conduct for all employees of [Institution Name]. This policy covers areas of business conduct when working with clients, customers, suppliers, the public and other employees. It also addresses conflicts of interest, which could arise between the personal conduct of employees and their positions with [Institution Name]. Penalty for Violations Employees are expected to act fairly and honestly when conducting business on behalf of [Institution Name], maintain [Institution Name] s high ethical standards, and obey all applicable laws. Violations of the Code and applicable laws or failure to cooperate with an internal investigation may constitute grounds for corrective action, up to and including immediate dismissal. Safeguarding Confidential Information When conducting business, many employees may become privy to confidential information about [Institution Name], its present and prospective customers and suppliers, its stockholders and employees. Employees who possess such confidential information must understand that it has been given to them for an express business purpose, may be disclosed only on a need-to-know basis, and used only for a proper business purpose. Discretion should be used when confidential information is disclosed, and it should never be disseminated to unauthorized persons. Misuse of confidential information may result in civil or criminal liability, or in sanctions or penalties against both [Institution Name] and the individual responsible for misusing such information. Procedures to Restrict Flow of Information Because [Institution Name] is a multi-service financial institution, banking and securities laws, as well as good business practices, require that [Institution Name] have procedures ( firewalls ) to prevent material nonpublic information obtained while engaging in one of [Institution Name] s diverse business activities from being utilized improperly by others within or outside of [Institution Name]. 7

8 TOOL 1 Customer Information Security Program Agency Proposal On June 21, 2000, the federal regulating agencies proposed guidelines for establishing standards for safeguarding customer information under section 501(b) of the GLB Act. The privacy rules propose disclosure of the existence of an institution s security and confidentiality procedures. Examples of how to disclose these procedures can be found in Tool 3 s Sample Privacy Policy Notices. The agencies believe that most institutions already have procedures in place similar to standards being proposed. The following is based on the proposal only, but we believe that the final version will closely track the proposal. ABA will publish an updated version of this when the agencies finalize the proposal. You still have time to comment on the proposal comments are due August 25 th. Purpose According to the GLB Act, these safeguards are intended to: Insure the security and confidentiality of customer information; Protect against any anticipated threats or hazards to the integrity of customer records; and Protect against unauthorized access to or use of customer information that would result in substantial harm or inconvenience to any customer. Key Proposed Elements The agency proposal, which will either be in the form of guidelines or regulation, outlines steps for putting in place an information security program. 1 Board Involvement: The proposal contemplates board of director oversight to: Approve the institution s written information security policy and program; and Oversee efforts to develop, implement, and maintain an effective information security program, including regular review of management reports. Senior Management Responsibilities: The proposal contemplates three responsibilities for management: Evaluate the impact of changing business arrangements on the institutions security program (e.g., mergers, joint ventures, outsourcing). Document compliance with the final guidelines. Keep the board informed (e.g., regular reports of risk assessment, risk management and control decisions, results of testing, and attempted or actual security breaches). Program Requirements: The proposal contemplates that institutions must: Identify and assess the risks that may threaten customer information; Develop a written plan; Implement and test the plan; and Adjust the plan on a continuing basis. You still have time to comment (until August 25, 2000) The agencies have specifically invited comment on how this proposal would impact community banks. The agencies noted that community banks operate with more limited resources than larger institutions and may present a different risk profile. Therefore, the agencies specifically request comment on the impact of this proposal on community banks current resources and available personnel with the requisite expertise. Comments should address whether the standards are reasonable and realistic for community banks, and whether the proposed regulation s goals could be achieved for community banks through an alternative approach. 8 1 Visit to review the full proposal.

9 TOOL 1 Elements of a Comprehensive Risk Management Plan This checklist based on the regulators recent proposal on information security identifies the factors an institution should consider in evaluating the adequacy of its policies and procedures to manage risks associated with sensitive customer information. Not all of these factors are intended to apply to every institution. However, it provides a good reference list for establishing your own comprehensive approach. The regulators suggest the following factors be considered: Access rights to customer information. Access controls on customer information systems, including controls to authenticate the identity of and grant access only to authorized individuals and companies. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information. Contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems. Response programs that specify actions to be taken when unauthorized access to customer information systems is suspected or detected. Access restrictions at locations containing customer information, such as buildings, computer facilities, and records storage facilities. Protection against destruction of customer information due to potential physical hazards, such as fire and water damage. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access. Procedures to confirm that customer information system modifications are consistent with the institution s information security program. Response programs to preserve the integrity and security of customer information in the event of computer or other technological failure, including, where appropriate, reconstructing lost or damaged customer information. 9

10 TOOL 1 Notes 10

11 TOOL 1 Notes 11

12 TOOL BANKERS 12