In 1998, when Julie Johnson became the first-ever chief privacy officer at Bank One Corp., she had to dig into a lot of heavy compliance issues.
The first two years of the job were spent focused on the regulations, and on meeting everything that needed to be done to meet Gramm-Leach-Bliley Act requirements, she said.
Now that privacy notices have been sent to customers and other requirements have been met, she is moving beyond project mode, she said. Like privacy officers at other financial institutions, Ms. Johnsons responsibilities are taking on a new cast, one that lets her think strategically about privacy.
She now spends time looking at all the different ways the company distributes information, including noncommercial uses. For example, its mortgage department files property information with county governments so that tax commissioners can levy property taxes.
These are the things on my mind, Ms. Johnson said. Do we need to send everything that we are sending in order to comply with local government needs?
Another focus for Ms. Johnson is the companys database structure, and how to manage privacy throughout Bank Ones many subsidiaries. Are there things we can build into those systems to draw a curtain on information that may reside in one affiliate or another? is a question she says she has considered lately. We want to maintain an efficient database but still comply with stricter sharing requirements.
Banking companies began naming privacy officers about three years ago, to respond to consumer concerns about privacy and to the legislation that became Gramm-Leach-Bliley.
Now that the first big push to comply with Gramm-Leach-Bliley is over, privacy officers are finding that their jobs are becoming more relevant rather than less so, and they are sometimes moving in directions that were not apparent a few years ago. All in all, the privacy executives say they are becoming more integral to their companys strategic planning efforts.
And in an age when some companies seem to be using privacy as a marketing tool, financial services companies seem to be taking a more serious look at how they can reconfigure their business practices along lines that would satisfy public concerns about privacy. Now that some of the nuts-and-bolts issues have been resolved, privacy officers say they have the luxury of looking at big-picture issues, and their jobs are growing more complex and satisfying as a result.
It has evolved into much more of a strategic business position than I ever envisioned that it would at the start, said Marc Loewenthal, a senior vice president at Providian Financial Corp. of San Francisco who took the newly created position of chief privacy officer in June 2000. I interface regularly with business units, compliance and audit groups. It has evolved into a function that touches all business units.
Ms. Johnson said she plays the role of a subject matter expert in companywide privacy matters. I spend time with business units thinking about what if and helping them incorporate some of this thinking in strategic planning to try to maintain flexibility.
A favorite way for privacy officers to keep track of practices at large institutions is to form committees with representatives from various departments.
We have several committees, said Robin Warren, the top privacy executive at Bank of America Corp. of Charlotte, N.C. We meet with [senior executives] at least quarterly to talk about strategies here and what is happening, and to get their input about how privacy fits into the goals of the company.
Bank of America has several other groups at different levels, and it frequently forms privacy work groups to oversee particular projects, Ms. Warren said.
While most large financial institutions have voluntarily created privacy posts, eventually, the position may be mandated by law. A proposed amendment to Gramm-Leach-Bliley introduced in March by Sen. Bill Nelson, D-Fla., would require financial institutions to designate an executive who shall be responsible for ensuring compliance by the institution with the requirements of this title and the privacy policies of the institution.
The proposed amendment was referred to the Senate Banking Committee for further consideration.
Alan F. Westin, a co-founder and the publisher and editor of the newsletter Privacy & American Business, is a founding member of the year-and-a-half-old Association of Chief Privacy Officers, whose 50 members include representatives from American Express Co., Citigroup Inc., Equifax Inc., MasterCard International, and Royal Bank of Canada. He says the chief privacy officer job title is growing by leaps and bounds.
We have around 350 chief privacy officers in the United States, he said. Next year we predict we will have 1,000. As to future job projections: A good example is in Germany, where there are 2,000 data protection officers.
Financial institutions are still coping with the aftermath of Gramm-Leach-Blileys privacy rules, Mr. Westin said. Though privacy officers are spending more time thinking about internal company strategy, they also are keeping close watch on consumer concerns and on legislators, who may yet make the officers lives more complicated by enacting laws that vary from state to state, or that further regulate privacy at the federal level, he said.
We have some concerns, said Ms. Warren of Bank of America. There could be a whole series of state laws that are all different and require different sets of disclosures that make it difficult to treat customers consistently.
A patchwork of regulations would create a lot of inconvenience for customers, Ms. Warren said. People who use Internet banking, for example, may have difficulty gathering information on different accounts, or in getting account information when they phone in, she said. In an opt-in environment, all that would come to a screeching halt.
Ms. Johnson of Bank One said that if customers have to opt in to information-sharing procedures that are necessary for certain business practices, customers natural inertia about responding to privacy notices would become a problem. At the end of the day, customers dont want to spend a lot of time managing their privacy.
Since around 5% of customers have asked to opt out of the average banking companys information-sharing, the majority of consumers are happy with the situation as it is, Ms. Johnson said.
If it was an opt-in world, the costs of doing that development would be high, she said. Basically, you would have that 20% who are very concerned about privacy dictating what we did to the detriment of the other 80%.
Zero Knowledge of Montreal sells software designed to keep banks from running afoul of privacy legislation, but Warren Levitan, director of enterprise products, warns that banks need to do more than just follow the letter of the law. If you focus your program on legislation, you will be monitoring news and chasing your tail. It is about trust.
He says he recommends that banks consider privacy a marketing issue, and adopt good policies before they are legislated.
Jeffrey R. Cooper, a vice president and the chief compliance officer at Great American Financial Resources Inc., the Cincinnati insurance subsidiary of American Financial Group Inc., said the first phase of the companys privacy initiative was to make sure we had a policy in place. Now the next big piece is ensuring we trained employees, he said.
Mr. Cooper also works closely with the companys marketing department to make sure privacy provisions are respected. Some marketing folks ask for information and we ask, Why do you need all that, and what are you going to do with that information? We make sure our contracts have language that those with whom we share information treat that information appropriately.
W. Peter Cullen, who became the first bank privacy officer in Canada when he took the job at Royal Bank of Canada in September 2000, says that privacy should be considered a part of a banks marketing.
In Canada, the law requires us to obtain consent for use of customer information, he said. So, there is a discussion with the client about their choices, what we collect, and how it is used.
Customers in that country also have what is called right of access, meaning they can look at their own information. Mr. Cullen said this law helped customers get more comfortable with information-sharing.
U.S. banks face the danger of treating privacy as merely a legal requirement, he said. This is a very new thing, and fraught with all sorts of regulation, so it is an almost predictable outcome. We have had a privacy code for 14 years, internally. Privacy is not a new topic for us.
Eventually, banks will come to see privacy regulations as an opportunity, he said. If organizations get it right, it will engender customer loyalty and trust, he said. It is not something to be feared. It is something to be capitalized on. This is a competitive differentiator.
Jason Catlett, the president of Junkbusters Corp., a Green Brook, N.J., privacy consulting firm, said U.S. banks are doing a good job trying to police their own privacy practices, and that the privacy officers at the big institutions are rising to the challenges presented to them.
A lot of companies have established chief privacy officers that are public relations more than trying to assure the quality of the business processes, he said. I dont think that has been the case with banks.
However, Mr. Catlett did not have so much praise for the Gramm-Leach-Bliley Act. The privacy provisions of Gramm-Leach-Bliley are so weak that any privacy officer with an ounce of ethical integrity will be looking to do far more for privacy. You have all these processes of ensuring that opt-out elections are activated in a timely fashion. That is what a CPO should be doing this month.