Big Banks Put Senior-Level Execs on Privacy Watch

Amid spreading concern about consumer privacy and its enforcement, most of the nation's largest banks are appointing "privacy czars" to steer them clear of controversy.

At least seven major banking companies have recently named senior-level executives to hone and supervise privacy policies. Three of the posts have been created within the past seven months.

Banks have always emphasized the sanctity of customer information, but the new jobs are turning a spotlight on concerns once swept aside in small-print disclosures.

Bank executives tie their renewed preoccupation with privacy to the rise of on-line commerce and to how easy it has become to share data electronically. The Clinton administration has urged all companies to post privacy policies on their Internet sites, and some banks have taken this a step further, instituting systematic rules about how data must be handled.

"If there was anything that pushed me, it was the Internet," said John B. McCoy, chief executive officer of Bank One Corp., describing his decision this year to name a senior executive for privacy.

Mr. McCoy, whose company has been more aggressive than most in trying to establish itself on the Internet, said he aimed to avoid any practice that might spook customers about what the bank knows.

"If you go to Amazon.com, the third time you show up they are asking you whether you have read any novels by so-and-so," Mr. McCoy said in a telephone interview.

Mr. McCoy's choice was Julia F. Johnson, who previously managed the bank's Community Reinvestment Act programs.

"My first job is understanding what our practices are, how we collect and secure information," said Ms. Johnson, whose title is director of information policy and privacy.

She relies on people from each of the company's business lines. They describe the ways they use available information, how they share it within the company, and how they "protect information that may be shared with a vendor or processor," she said.

Fears of hacking and other computer crimes are part of the story; another dimension is the worry that overzealous marketers could cross ethical lines.

Privacy executives said in interviews that their jobs are meant to send a message, within their companies and to the public. People want to know that their banks are taking action on this issue, not simply reacting to crises or complaints.

"I'm at the corporate level to give privacy visibility," said Pamela Flaherty, senior vice president in charge of privacy for Citigroup Inc. Her company is training all its employees in privacy policies and procedures.

Many executives are still feeling their way into these jobs.

"These are brand new positions for all of us," said Karen M. Alnes, director of privacy policies at Wells Fargo & Co. "We are in uncharted waters."

Other major banking companies with privacy specialists are Chase Manhattan Corp., Bank of America Corp., Mellon Bank Corp., and PNC Bank Corp.

The backdrop to the appointments is government and consumer concern over how easily, and often, personal information is obtained and tracked using the Internet and other advanced technology.

In a memo to employees last September, Chase Manhattan vice chairmen Donald L. Boudreau and Joseph G. Sponholz said consumer privacy has "become a significant issue in Washington, and pressure for increased government intervention is expected to grow ... It is important that we speak clearly and with one voice on this important issue."

Chase consolidated its initiatives under Patricia Alberto. She holds two titles: privacy executive of Chase Manhattan Corp., and senior vice president and manager of national consumer services, compliance, and operational risk management at Chase Manhattan Bank.

Related factors influencing banks' actions are U.S. financial reform legislation and the European data protection law, which governs how banks can use information about European employees and customers.

The U.S. legislation, now awaiting conference committee negotiations, got held up by concerns about banks' sharing of personal data with affiliated and unaffiliated companies, an issue that recently stung U.S. Bancorp of Minneapolis. It was sued by the Minnesota attorney general in June for disclosing customer information to outside companies that allegedly solicited those customers for nonfinancial products.

The company swiftly settled for $3 million, agreeing to make charitable contributions and pay the state's legal expenses.

Simultaneously, U.S. Bancorp announced a new privacy policy. It no longer sells customer information to marketing companies, and lets its customers opt out of marketing programs with affiliates.

U.S. Bancorp does not have a "privacy czar" per se, but does have a team of executives who focus on the subject. "We believe privacy is everyone's job," said spokesman Donn Waage.

On June 11, the day after Minnesota said it was suing U.S. Bancorp, Wells Fargo and Bank of America both announced privacy policies.

Bank of America pledged it would not share information with marketing companies that serve its customers, and would not let telemarketers solicit its customers for nonfinancial products.

Wells Fargo said it would quit the third-party marketing business altogether.

Ms. Alnes, who became privacy manager of Wells Fargo in January, said third-party marketing was a very small part of the bank's business. Sharing information with corporate affiliates is far more important, she said.

"Our customers expect to go into a bank in Minneapolis or Arizona and get the same service," she said. "If we couldn't share information, that would be limited."

Privacy officers seem to divide their time between following legislative developments and conferring with colleagues from different parts of the organization. Ms. Flaherty of Citigroup said she has two weekly phone meetings with 50 Citigroup privacy managers around the world. One meeting is devoted to global privacy issues; the other addresses specific issues related to the European Data Directive.

Citigroup designated its privacy officers last summer, and each has another full-time position. Ms. Flaherty, a 31-year veteran of the Citibank side of the company, has been formally responsible for privacy policies for four years. She reports to vice chairman Paul Collins. Previously, she was responsible for fair-lending and community reinvestment programs.

"The merger (of Citicorp with Travelers Group) made my job more visible," Ms. Flaherty said.

Citigroup co-chairmen Sanford I. Weill and John S. Reed made a point of saying the combination of Travelers Group and Citicorp was going to succeed through cross-selling, and "that meant that we were going to use customer information," Ms. Flaherty said.

After the merger, Citibank's privacy policies were applied to Travelers, Ms. Flaherty said. The only addition the merged company made was a clause, specific to Travelers' life insurance records, saying Citigroup would not share medical information about its customers.

Cheryl Charles, senior director of research and communications of the Banking Industry Technology Secretariat, said banks are particularly concerned about the safety of on-line customer data.

"What is driving this change is electronic commerce," said Ms. Charles, whose organization, an offshoot of the Financial Services Roundtable, has tried to raise and maintain awareness of privacy issues among the largest banks' chief executive officers. "There are so many situations where information about people is available from other entities."

"Most banks thought about privacy as a fix," said Alan Westin, a Columbia University law professor and publisher of the newsletter Privacy & American Business. "They needed to write principles, make a task force, and go back to doing business."

Mr. Westin said bankers realize that simply having privacy policies in place is not enough.

Gail Magnuson, senior vice president overseeing Bank of America's privacy initiatives, said her job is to make sure the bank is prepared as "privacy evolves and becomes more complex." She previously worked at NationsBank (which is now Bank of America) as a project manager and technology expert.

One recent project Ms. Magnuson described as typical of her job was to implement the bank's new policy modifications. Customers now have four ways to opt out of solicitations, including one that drops their name from lists sold to outside companies. But since the bank has stopped selling information to third parties, it may eliminate that choice, Ms. Magnuson said.

People who opt out of marketing account for less than 2% of bank customers, said Ms. Alnes of Wells Fargo. "We are preparing to make very sure that we are systematically set up to honor that opt-out and to meet the customers' expectations."

Ms. Johnson of Bank One said some of her initiatives "might put me at odds with some marketing people," though that has not yet happened.

Ms. Johnson said the role of privacy manager is a mix of public relations and education. "We have to educate consumers about the protections that have existed in the off-line world," and send a message that "we as an industry are being equally diligent about this in the on-line world," Ms. Johnson said.

While the issues surrounding privacy seem to be changing quickly, the concerns within banks are long-standing. Ms. Flaherty said Citigroup's first brochure on consumer privacy is 20 years old.

Enid Miller, vice president of privacy policies for Mellon, said her bank has "a long history of dealing with privacy in a serious manner." She took her position earlier this year.

As privacy officers delve into their jobs, they say they are discovering how deeply privacy issues resonate beyond the world of financial institutions.

"The industry of information is way bigger than banks," Ms. Alnes said. "It's about every magazine you subscribe to that sells your name."
