
Banks Need to Pay More Attention To Privacy

Many banks view privacy as primarily a regulatory problem rather than a strategic one. That may come back to haunt them, say industry experts.

Nearly a year after the deadline for compliance with Gramm-Leach-Bliley, many banks view privacy as primarily a regulatory problem rather than a strategic one. That may come back to haunt them, say industry experts.

Only 20 percent of respondents in a survey conducted last fall by KPMG defined privacy as a strategic issue, versus 78 percent who defined it as a compliance issue. With a growing proportion of consumers saying privacy is important to them, banks that don't pay sufficient attention to privacy concerns may find themselves at a competitive disadvantage.

Banks have an opportunity to go beyond Gramm-Leach-Bliley, to parlay their reputation as trusted fiduciaries into a broader role as protectors of consumer privacy, similar to the role they play in business-to-business e-commerce with entities such as Identrus.

"The question is whether they will trust us as the custodian of their information," said Peter Cullen, corporate privacy officer at RBC Royal Bank. "That's the higher ground."

Royal Bank has been providing its customers with privacy tools from Zero-Knowledge Systems, a Montreal-based manufacturer of security and privacy software. The tools, which were distributed free in a pilot last fall, alert consumers to unauthorized attempts to connect to their computer, simplify online registration processes, prevent cookies from being stored and send personal information only when it's the consumer's choice.

"We wanted to help them be comfortable with their online experiences," Cullen said. "They think it's appropriate that their financial institution would make it available to them."

One sign that banks are headed in the right direction is the growing number of chief privacy officers. Some 43 percent of respondents in the KPMG survey said their firms have a chief privacy officer in place, up from 25 percent in a survey done the previous year.

To be effective, however, chief privacy officers need a technology infrastructure that supports privacy policy management, according to a Meridien Research report, From Policy to Practice: Privacy Management Solutions. This involves more than simply adding an opt-out indicator to the customer information file. Instead, what's needed is a set of business rules, governed by a rules-based "engine," that spell out an organization's policies and procedures about customer information.

These rules, which could be coded as XML documents, would be able to treat data differently, depending on the business application. For example, business rules may stipulate that highly sensitive identifiers, like Social Security numbers, may be used when trying to identify a customer over the telephone, but may not appear on any item of mail or e-mail.
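The sketch below is an added example, not code from the article, Meridien Research or any bank: it shows one way such XML-coded rules could decide, per business application, which customer fields are released. The element and attribute names, the application names and the sample record are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy document; the schema is an assumption, not a standard.
# It must come from a trusted source: ElementTree is not hardened against
# maliciously constructed XML.
POLICY_XML = """
<privacy-policy>
  <field name="ssn" sensitivity="high">
    <allow application="phone-identification"/>
  </field>
  <field name="name" sensitivity="low">
    <allow application="phone-identification"/>
    <allow application="mail"/>
    <allow application="email"/>
  </field>
  <field name="marketing_offers" sensitivity="low" honors-opt-out="true">
    <allow application="mail"/>
    <allow application="email"/>
  </field>
</privacy-policy>
"""

# Constructed customer record; "account_number" deliberately has no rule.
SAMPLE_RECORD = {"name": "A. Customer", "ssn": "000-00-0000",
                 "marketing_offers": "card offer",
                 "account_number": "PLACEHOLDER", "opt_out": True}

def load_policy(xml_text):
    """Return {field name: (allowed applications, honors_opt_out)}."""
    policy = {}
    for field in ET.fromstring(xml_text).findall("field"):
        apps = frozenset(a.get("application") for a in field.findall("allow"))
        policy[field.get("name")] = (apps, field.get("honors-opt-out") == "true")
    return policy

def release(policy, record, application):
    """Return (released fields, withheld field names) for one application.
    Default deny: a field with no rule or no matching <allow> is withheld."""
    released, withheld = {}, []
    opted_out = record.get("opt_out", False)
    for name, value in record.items():
        if name == "opt_out":
            continue  # control flag for the engine, never released itself
        apps, honors = policy.get(name, (frozenset(), False))
        if application in apps and not (honors and opted_out):
            released[name] = value
        else:
            withheld.append(name)  # candidates for an audit log entry
    return released, sorted(withheld)
```

Calling `release(load_policy(POLICY_XML), SAMPLE_RECORD, "mail")` returns only the customer's name, while the same record requested for `"phone-identification"` also includes the Social Security number.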

Only a few institutions have put such an infrastructure in place, despite an upsurge in privacy spending. The global market for privacy management solutions is projected to grow to $167 million by 2006 (up from $20 million this year), according to Meridien Research.

A big chunk of this spending will go toward database enhancements (e.g., opt-out indicators), or encryption technology, biometric authentication and single sign-on solutions. These initiatives, though, do little if anything to improve privacy management and compliance.

Very few organizations, according to Meridien, have committed to the design and development of privacy management "middleware" that manages customer privacy at a one-to-one level and assists in the codification and enforcement of robust, enterprise-wide privacy policy.

Elements of a privacy middleware solution include a metadata layer, a rules-based policy module and a security module. The middleware interacts with external components, such as front-end systems, databases, data warehouses and customer information files.

It isn't a question of the size of the bank or its IT resources, said RBC's Cullen. "If I have a rules-based engine that allows me to manage data flows, it doesn't matter whether the organization is large or small. It's the same rules-based engine."
