WASHINGTON - Bankers who have recently put privacy policies into effect said it is best to tell customers as much as they need to know about their rules - and nothing more.

"It's possible to be honest without overpromising and without scaring your customers," said Stephen L. Durkee, vice president of privacy implementation at Citigroup Credit Services Inc., on Monday at the Consumer Bankers Association's 2000 Privacy Conference.

Citigroup has implemented a privacy policy that is considered a model in the industry, and has been training all its employees about the policy and its ramifications.

The effort has been "overwhelming" and "extremely expensive," but not the impossible task some bankers had predicted, Mr. Durkee said.

After Citicorp merged with Travelers Group two years ago, "we asserted that we would institute a comprehensive global privacy program for all our companies and consumers," he said. "We did actually meet that goal. We actually got through it. We did what we promised."

Financial institutions face a delicate balancing act when introducing privacy policies to customers, Mr. Durkee said. Banks must protect customers' personal information, but they also must keep up the marketing end of their business, he said.

"My underlying feeling about" how far banks should pull in one direction or the other "is really that it's an uncertainty," he said.

The Gramm-Leach-Bliley Act includes some enhanced privacy stipulations for banks, and conference speakers emphasized that banks should follow those stipulations closely, but be careful not to make promises they cannot keep.

For example, if a bank promised its customers it would never share information with affiliates, then merged with an institution that would find the information useful, the bank could be in a bind, Mr. Durkee said.

"If you're thinking of mergers, you should consider" offering customers an 'opt-out' option, which would allow the bank to sell or share data unless the customer instructed it not to, he said.

While maintaining a balancing act is manageable, changing your business model once it is in place is not, Mr. Durkee warned. "One thing we think is impossible is, once you've told a customer, 'We're never going to share your information,' to go back and change your mind."

During a lunchtime slide show, Martin E. Abrams, vice president of information policy and privacy at Experian Inc., a credit bureau based in Orange, Calif., offered this advice to bankers: "You want to be in balance" between maintaining a sense of trust with customers and allowing a certain amount of data to circulate.

"If I go too far in my use of information, and the media writes about it, I tip the balance and I hit a spring," he said in front of a screen image showing the words "Public Reaction" inside of a spring. "What happens when you hit a spring? You end up sitting on the economic deflator."

Customers and shareholders will take their money elsewhere if the proper balance is not kept, he said.

Julia F. Johnson, director of information policy at Banc One Management Corp., a unit of Bank One Corp. in Columbus, Ohio, agreed with Mr. Durkee that banks should take care when implementing their policies. "Don't try to cram everything into your Gramm-Leach-Bliley notice," she said.

Ms. Johnson encouraged banks to leave open as many options as possible. Every bank will "create [its] own future" in the crafting of its privacy policy, she said. "If you're building a new system, I'd add lots and lots of empty fields."

Bank One recently faced its own implementation hurdles when it planned a mailing of 68 million notices informing customers of its privacy policies, Ms. Johnson said.

The first issue dealt with the number of policies to adopt, she said. "Do we have one policy or 38?" she said, referring to the company's 38 units, including the credit card division First USA.

Another dilemma involved the company's different brands, Ms. Johnson said. "If you send a First USA customer a Bank One policy, and they have never heard of Bank One before, then they don't know what they're getting."

"As our margins shrink and customers want to be served in new ways," banks will have to consider the implications of threats from Internet start-ups, Mr. Durkee said. "It could happen. It probably won't, but it's something we need to take seriously."

Mr. Abrams said banks will also have to treat their information policies as more than just their cosmetic practices to comply with Gramm-Leach-Bliley. Responding to a question posed by Mr. Durkee, Mr. Abrams said that the law "pushed you into a position where you had practices first without knowing what you really believed."

As far as sending privacy notices to customers, "you're going to have trouble down the road if you have notices without the intellectual capital about what your organization truly believes," he said.

After the exchange, retired Citigroup privacy executive Peter Gray updated the conference on a forum he attended that morning in which presidential candidates George W. Bush and Al Gore spelled out their positions.

Not surprisingly considering the tone of the two recent debates, "The Gore position sounds very much like the Bush position," Mr. Gray said. The camps agreed on the basic issues of consumer access and control, he said.

A Bush administration would likely give more flexibility to the private sector and allow for more self-regulation, Mr. Gray said. But in either case, "you're going to see federal legislation, and the question is how are you going to shape it," he said.

In his opening speech, Joe Belew, president of the Consumer Bankers Association of Arlington, Va., said that bankers will face the privacy issue "no matter who wins the White House, no matter who controls Congress."

From Our Archive:

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.