In cooperation with other federal bank and thrift regulatory agencies, the Federal Deposit Insurance Corporation (FDIC) conducted a survey of the Internet privacy policies of insured depository institutions during May and July of 1999. The survey's purpose was to review the data collection practices and on-line privacy disclosures of the financial services industry. The complete Interagency Financial Institution Web Site Privacy Survey Report, including the survey methodology, was published in November of 1999 and is posted on the FDIC's Internet site at www.fdic.gov. Printed copies are available from the FDIC's Public Information Center (1-800-276-6003 or (703) 562-2200).

Financial modernization and the growth of electronic commerce continues to heighten public interest in maintaining the privacy of consumer personal information in both the physical and virtual environments. Because the business of banking relies upon customers' willingness to disclose confidential personal information, the FDIC encourages every financial institution to establish and follow a privacy policy that addresses what are generally referred to as fair information practice principles, which have been articulated by a variety of governmental and intergovernmental entities. Five core principles advocated by the Federal Trade Commission (FTC) are: notice to consumers about information practices; choice for consumers about how personal information may be used; access for consumers to personal information and the ability to correct errors; security and integrity of consumer data; and enforcement and consumer redress.

The FDIC considers a privacy policy effective if it includes, or provides for, the following principles of fair information practice:

• Disclosure of the institution's information collection, use and dissemination practices;
• Opportunity for customers to choose how their information is used;
• Access for customers to ensure their information is accurate;
• Security of customer information against unauthorized access and disclosure; and
• Ability for customers to submit questions or complaints about privacy.

An institution should also have a process for monitoring compliance with its privacy policy to ensure that the principles articulated in the policy are being followed.

When compared to the results of an informal survey conducted by the FDIC in June 1998, the Interagency Financial Institution Web Site Privacy Survey Report indicates improvement by FDIC-supervised institutions over the past year in posting privacy disclosures on their Internet Web sites. Many institutions are taking responsible, voluntary strides toward addressing the public's privacy concerns. However, the survey results also indicate that the industry can and should do much more in this area.

Institutions should actively review their on-line privacy policies and information practices to ensure that they accurately reflect operations, particularly as the Web site evolves from an information-only site to an interactive site. Internal controls should be reviewed and enhanced, as necessary, to prevent the improper disclosure of customers' personal information. Institutions should also ensure that their information-sharing practices are in compliance with the Fair Credit Reporting Act and the recently enacted Gramm-Leach-Bliley Act.

The Gramm-Leach-Bliley Act establishes new legal requirements for financial institutions regarding consumer privacy. The Act includes provisions for protecting the security and confidentiality of customers' non-public personal information and disclosing privacy policies at the time a customer relationship is established and no less than annually thereafter. Pending forthcoming supervisory guidance consistent with the legislation, institutions are encouraged to evaluate their current privacy policies and practices to ensure that they protect the security and confidentiality of customers' personal information.

Survey Results of FDIC-Supervised Institutions With Web Sites

The FDIC separately analyzed the survey data to assess the on-line privacy disclosures of FDIC-supervised banks and savings associations. The following discussion provides a summary of the industry survey results and compares privacy practices of FDIC-supervised institutions with those of all depository institutions surveyed. The nature of the survey does not lend itself to definitive explanations for the differences among the surveyed institutions.

Existence of Privacy Disclosures

The survey measured the extent to which financial institutions with Web sites posted privacy disclosures on their Web sites. Privacy disclosures include privacy policies and information practice statements. A privacy policy is generally a comprehensive disclosure describing the institution's general or on-line policies and practices related to the collection and use of consumer information. An information practice statement is usually a shorter statement focused on a particular information-handling practice, such as data security.

Table 1 Types of Privacy Disclosure
Types of Privacy Disclosure	FDIC-Supervised Web Sites (Percent)	Industry Web Sites (Percent)
Privacy Policy	33	40
Information Practice Statement	21	29
Both Disclosures	13	21
At Least One Disclosure	40	48
No Disclosure	60	52

As indicated in Table 1, 40 percent of all FDIC-supervised institution Web sites surveyed provided at least one privacy disclosure. The disclosure record of FDIC-supervised institutions in the most recent survey was below the overall industry record in which 48 percent of Web sites provided at least one disclosure. The current survey, however, indicated progress compared to the results of an informal survey conducted by the FDIC in June 1998 in which only 20 percent of Web sites included at least one privacy disclosure.

The current survey also revealed that institution Web sites that collect information or offer interactive features are more likely to provide privacy disclosures than sites that do not. Fifty-two percent of FDIC-supervised institution Web sites that collected personal or demographic information contained at least one privacy disclosure, compared to 25 percent for those that did not collect information. Eighty percent of FDIC-supervised institution sites with interactive features provided at least one privacy disclosure, compared to 26 percent for those that did not offer interactive features.

Content of Disclosures

Effective privacy disclosures inform consumers about the information-handling policies that the institution provides. The survey emphasized four of the Federal Trade Commission's five principles of fair information practice-notice, choice, access, and security. However, the scope of the survey did not include the fifth principle of enforcement. Instead, the survey assessed "contact," which is the ability of consumers to inquire about a privacy practice.

Table 2 Content of Privacy Disclosures
Fair Information Practice Principles	FDIC-Supervised Web Sites (Percent)	Industry Web Sites (Percent)
Notice	84	84
Choice * Opt Out (External)	62 17	66 18
Access	36	36
Security	76	81
Contact	33	37
All Five Principles	22	21
* "Choice" included statements informing consumers about any opportunity to exercise choice concerning the use of their personal information. It also included statements informing consumers about whether the institution might use consumer information for purposes other than those for which the institution initially collected it, including potential disclosure to third parties. The "Opt Out (External)" element under "Choice" focused specifically on whether Web sites informed consumers about any opportunity to prevent information-sharing with third parties.

Table 2 illustrates the percentage of industry and FDIC-supervised institution Web sites that addressed any one or more of the FTC fair information practice principles. "Notice," "Choice," and "Security" were each addressed in a majority of those Web site privacy disclosures. However, only 22 percent of the FDIC-supervised institution Web sites and 21 percent of industry Web sites addressed all five privacy principles.

Financial institutions are the repositories of some of the most sensitive personal information about their customers. It is important that financial institutions have information-handling policies and practices that protect the security and confidentiality of customers' information. For additional guidance about on-line privacy policies, please refer to FDIC financial institution letter "Electronic Commerce and Consumer Privacy, Online Privacy of Consumer Personal Information" (FIL-86-98), dated August 17, 1998.

For more information, go to http://www.fdic.gov/regulations/information/fils/index.html, guidance to those responsible for operating a bank or savings association -- Financial Institution Letters (FILs) addressing information systems and e-banking issues.

Stephen M. Cross Director, Division of Compliance    and Consumer Affairs

James L. Sexton Director, Division of Supervision

Distribution: FDIC-Supervised Banks (Commercial and Savings)