In cooperation with other federal bank and thrift regulatory agencies, the Federal Deposit Insurance Corporation (FDIC) conducted a survey of the Internet privacy policies of insured depository institutions during May and July of 1999. The survey's purpose was to review the data collection practices and on-line privacy disclosures of the financial services industry. The complete Interagency Financial Institution Web Site Privacy Survey Report, including the survey methodology, was published in November of 1999 and is posted on the FDIC's Internet site at www.fdic.gov. Printed copies are available from the FDIC's Public Information Center (1-800-276-6003 or (703) 562-2200).
Disclosure of the institution's information collection, use and dissemination practices;
Opportunity for customers to choose how their information is used;
Access for customers to ensure their information is accurate;
Security of customer information against unauthorized access and disclosure; and
Ability for customers to submit questions or complaints about privacy.
When compared to the results of an informal survey conducted by the FDIC in June 1998, the Interagency Financial Institution Web Site Privacy Survey Report indicates improvement by FDIC-supervised institutions over the past year in posting privacy disclosures on their Internet Web sites. Many institutions are taking responsible, voluntary strides toward addressing the public's privacy concerns. However, the survey results also indicate that the industry can and should do much more in this area.
Institutions should actively review their on-line privacy policies and information practices to ensure that they accurately reflect operations, particularly as the Web site evolves from an information-only site to an interactive site. Internal controls should be reviewed and enhanced, as necessary, to prevent the improper disclosure of customers' personal information. Institutions should also ensure that their information-sharing practices are in compliance with the Fair Credit Reporting Act and the recently enacted Gramm-Leach-Bliley Act.
The Gramm-Leach-Bliley Act establishes new legal requirements for financial institutions regarding consumer privacy. The Act includes provisions for protecting the security and confidentiality of customers' non-public personal information and disclosing privacy policies at the time a customer relationship is established and no less than annually thereafter. Pending forthcoming supervisory guidance consistent with the legislation, institutions are encouraged to evaluate their current privacy policies and practices to ensure that they protect the security and confidentiality of customers' personal information.
Survey Results of FDIC-Supervised Institutions With Web Sites
The FDIC separately analyzed the survey data to assess the on-line privacy disclosures of FDIC-supervised banks and savings associations. The following discussion provides a summary of the industry survey results and compares privacy practices of FDIC-supervised institutions with those of all depository institutions surveyed. The nature of the survey does not lend itself to definitive explanations for the differences among the surveyed institutions.
Existence of Privacy Disclosures
Table 1. Types of Privacy Disclosure (rows: Information Practice Statement; At Least One Disclosure)
As indicated in Table 1, 40 percent of all FDIC-supervised institution Web sites surveyed provided at least one privacy disclosure. The disclosure record of FDIC-supervised institutions in the most recent survey was below the overall industry record in which 48 percent of Web sites provided at least one disclosure. The current survey, however, indicated progress compared to the results of an informal survey conducted by the FDIC in June 1998 in which only 20 percent of Web sites included at least one privacy disclosure.
The current survey also revealed that institution Web sites that collect information or offer interactive features are more likely to provide privacy disclosures than sites that do not. Fifty-two percent of FDIC-supervised institution Web sites that collected personal or demographic information contained at least one privacy disclosure, compared to 25 percent for those that did not collect information. Eighty percent of FDIC-supervised institution sites with interactive features provided at least one privacy disclosure, compared to 26 percent for those that did not offer interactive features.
Content of Disclosures
Effective privacy disclosures inform consumers about the information-handling policies that the institution provides. The survey emphasized four of the Federal Trade Commission's five principles of fair information practice: notice, choice, access, and security. However, the scope of the survey did not include the fifth principle of enforcement. Instead, the survey assessed "contact," which is the ability of consumers to inquire about a privacy practice.
Table 2. Content of Privacy Disclosures (rows: Fair Information Practice Principles; Opt Out (External)*; All Five Principles)
* "Choice" included statements informing consumers about any opportunity to exercise choice concerning the use of their personal information. It also included statements informing consumers about whether the institution might use consumer information for purposes other than those for which the institution initially collected it, including potential disclosure to third parties. The "Opt Out (External)" element under "Choice" focused specifically on whether Web sites informed consumers about any opportunity to prevent information-sharing with third parties.
Table 2 illustrates the percentage of industry and FDIC-supervised institution Web sites that addressed any one or more of the FTC fair information practice principles. "Notice," "Choice," and "Security" were each addressed in a majority of those Web site privacy disclosures. However, only 22 percent of the FDIC-supervised institution Web sites and 21 percent of industry Web sites addressed all five privacy principles.
Financial institutions are the repositories of some of the most sensitive personal information about their customers. It is important that financial institutions have information-handling policies and practices that protect the security and confidentiality of customers' information. For additional guidance about on-line privacy policies, please refer to FDIC financial institution letter "Electronic Commerce and Consumer Privacy, Online Privacy of Consumer Personal Information" (FIL-86-98), dated August 17, 1998.
Stephen M. Cross
Director, Division of Compliance
and Consumer Affairs
James L. Sexton
Director, Division of Supervision
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institutions letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).