"We're going to have a global privacy standard, which, at a minimum, is at or exceeds the highest regulatory standard," said Peter Cullen, corporate privacy officer at Royal Bank of Canada.
Although both Canada and the European Union have adopted tougher privacy laws than the United States, U.S. regulators tend to be stricter about enforcing the law. "In the U.S. you're going to have a state and federal banking examiner actually come in and examine your practices," said Cullen. "The way that privacy laws are actually managed and the way that they're actually regulated is where you see the differences."
Cullen, who reports directly to the heads of marketing and e-business, is responsible for ensuring that each RBC entity not only meets the examination criteria, but also supports the bank's public strategy surrounding privacy.
For RBC, privacy is a critical part of the customer experience. "From a customer standpoint, simply saying you meet the letter of the law isn't even meeting the customer's expectations," said Cullen. "In the case of the U.S., our standard is above what privacy regulations require."
"Some of our customers may deal with many parts of our organizations, and in some cases, in many countries," he added. "It's important to present a very consistent customer experience."
For example, some RBC customers can not only determine the types of offers they'd like to receive and the channels through which they'd like to receive them, but can also designate a specific person from the bank to initiate those contacts.
RBC measures its adherence to its own privacy standards using both comparative and financial benchmarks.
"We've been able to establish just how important privacy is to our customers, in terms of driving their commitment and their loyalty to us," said Cullen. "That allows us to calculate the dollar value that privacy contributes to the value of our brand, and ultimately, to shareholder value."
Outsourcing falls into the gray area between information security and privacy.
"Organizations are responsible for their information whether its in their control or with a third party," said Cullen. "Every one of our suppliers is required to undergo an information security privacy assessment where they tell us how they're going to protect our information."
E-mail poses another information security challenge, in that the bank has to balance security risks against customer convenience. "It's a huge question and a huge dilemma," said Cullen. "On the one hand, you've got customers who really want to communicate via expedient channels like e-mail, while at the same time, you know there are some risks."
RBC struck a balance by offering secure e-mail within its online banking system. "We will not transmit personal information via e-mail because of the risks," said Cullen. "If you want to communicate with us via e-mail, you can do so in a very safe way through our online banking system, which has e-mail capability inside of a secure, protected area."
The secure e-mail system has been deployed entirely within the bank, independent of RBC's outsourcing relationships.