Is Your Bank's Web Site Ready for the 'March Sweeps'? the Federal Trade Commission Is Surveying Internet Privacy Practices

Article excerpt

The Federal Trade Commission is surveying Internet privacy practices. Here's why you should care

This month, businesses that maintain sites on the World Wide Web face their own version of television's ratings "sweeps." The client to impress, in this case, isn't an advertiser, but the Federal Trade Commission. The agency plans to conduct a survey of commercial Web site privacy practices and notices, and report its findings to Congress by June 1. The stakes: the degree to which government becomes involved in what companies do with their Web sites.

Banks are part of this scrutiny, but unfortunately, all signs point to an industry that may be unprepared for it, and may even be largely unaware of it. It all boils down to a single issue: privacy. Banks' challenge is to demonstrate that they are providing sufficient privacy protection for users of their Web sites to avoid adding yet another layer of regulation.

What the FTC has been up to

Financial privacy on the Internet has been the subject of congressional hearings as well as discussions at a series of FTC workshops. Prime concerns are:

(1) What do banks do with the data they gather from customer interactions with their Web site? This data can be provided voluntarily when a customer fills out a form or sends an e-mail, or it can be accumulated automatically through such technologies as "cookies." (Cookies are small data packets that record information about a user's visit to a Web site, which an Internet server computer stores on the user's hard drive for future visits.)

(2) Do banks provide notice to Web visitors about their policies on use of data obtained through the Web? For banks, this disclosure is the most immediate challenge.

Even as members of Congress push for various forms of legislation regarding on-line privacy, the Administration and the FTC thus far have favored a "hands off" policy regarding Internet privacy. In testimony and other efforts, ABA has been encouraging this attitude, as part of a campaign to let the industry police itself. This effort has included publication of privacy principles for financial institutions and distribution of a special ABA compendium, Privacy in Electronic Commerce. (For more information, see the association's Web site . For a more general site dealing with Web privacy from a business perspective, see .)

"Banking is already covered by a plethora of privacy laws," insists John Byrne, ABA senior counsel and manager of its compliance center. "We don't think that banking needs to fall under the same umbrella as all the other industries that are trying to catch up."

The association believes the existing laws and regulations already provide sufficient control to cover banks' efforts on the Web. Further, the industry faces concerns not posed to many other industries; for instance, the "know-your-customer" requirements of anti-money-laundering regulations, which take on a whole new meaning in cyberspace.

Banking regulators, for the most part, have been mum on the matter, putting far more stress in their Web scrutiny on bread-and-butter compliance issues such as truth-in-lending. For many banks, "that's probably seemed more pressing than privacy," says Steve Neel, vice-president of customer operations at nFront, a consultant to numerous Web banks. Neel points to a customer bank's recent experience with federal compliance examiners who included an exhaustive evaluation of its Web site in their review.

To the degree that banking regulators have addressed the matter publicly, it has been in the context of security. One example of this is FDIC's Financial Institution Letter 131-97, "Security Risks Associated With The Internet."

Still, federal banking regulators will, no doubt, catch up on the privacy front, and FTC is already there.

FTC has been pushing the privacy issue from two perspectives. …