
Bates Research  |  04-09-24

Managing the Privacy Function in a Financial Institution


The management of the Privacy function in any financial institution is a multifaceted endeavor involving multiple departments and disciplines. If the institution has a named Privacy Officer, that person likely brings multiple skillsets to the table. A Privacy Officer needs to understand Privacy laws and regulations at the federal and state level, data classification schemes and inventory processes, information security requirements, data breach and incident management, and the institution’s operations. They must be able to analyze the privacy aspects of all of the institution’s functions, products, and services. In a financial institution dedicated to Privacy compliance, the Privacy Officer does much more than manage the Privacy Policy and oversee the sending of the initial and annual Privacy Notices. 

Multiple Approaches

In larger institutions, it is common to have a dedicated Privacy Officer and separate, established privacy function due to the complexities of maintaining the privacy of customer information. Larger institutions also tend to collect far more information about a customer than a smaller institution might. Even if there is a named Privacy Officer, that individual might also be the Compliance Officer, Information Security Officer, Security Officer, Fraud Officer, or have some other role. There may be one or more leaders who share Privacy Officer responsibilities despite having no privacy title. Smaller institutions must make a risk-based determination as to whether they need to establish a specific Privacy function and appoint a dedicated Privacy Officer. Institutions which operate internationally must also consider the requirements of jurisdictions outside of the United States, which may mandate the appointment of a dedicated Privacy Officer. 

Disparate Responsibilities

Regardless of who handles the duties of the Privacy Officer, the responsibilities of the role have to be met, and examiners will perform tests to ensure this is so. Let’s review some of those responsibilities: 

  1. Complying with the requirements of Regulation P and state laws and regulations. This involves not only ensuring that the institution protects customers' personal information, but also that the institution is capable of processing customer requests (such as opt-out, correction, right-to-know, and deletion requests). This comprises the fundamental functions of maintaining privacy policies and procedures, owning and publishing the public-facing privacy notice, and ensuring that customer requests are reviewed and processed in a compliant manner. This goes far beyond the basic responsibility of overseeing the distribution of customer privacy notices. The Privacy Officer must also oversee any exemptions or safe harbor provisions which apply to the institution, including ensuring that the flows of information to and from third parties are also compliant.

  2. Acting in an advisory capacity for the rest of the institution concerning privacy matters, akin to running a privacy helpdesk. This involves responding to requests and questions involving all aspects of the institution’s operations, such as “Are there any privacy implications in this event?”, “What privacy considerations are associated with this new product?” and “What are the consequences if we change how we process customer data in a certain manner?”

  3. Assessing the privacy risk of new products, services, changes to the business and operational model, and vendors. This ensures that privacy is considered at all levels of the development cycle and becomes an integral part of how the institution grows and develops.

  4. Understanding the institution’s data environment and ensuring that proper governance is in place to maintain the privacy of customer information. This can also involve implementing “Data Minimization”: the practice of maintaining only the data the institution truly needs, under the principle that storing or processing unnecessary data does not provide any additional benefit to the institution, but does expose it to extra risk in the event of a data breach.

  5. Providing privacy awareness and training to the institution’s staff. This may involve creating privacy-specific training, collaborating with other functions such as Information Security to add a privacy component to other training, and contributing privacy-related content to the institution’s internal knowledge base.

  6. Managing privacy incident response activities. This can involve everything from leading the response to advising other functions on privacy-related matters as they affect the incident. Examples of privacy incidents include accidentally disclosing personal information to the wrong customer, granting employees system access to sensitive information when they had no business reason to have it, external unauthorized access to institution systems by a bad actor, or incorrect exposure of personal information to a strategic partner.

  7. Managing privacy metrics, Key Risk Indicators, and associated reporting. Privacy incidents happen, and they need to be tracked, assessed for risk, and reported on.

Where things can go wrong

When all of the above responsibilities are formally owned by an individual or individuals at an institution, the risks associated with privacy compliance, and maintaining or processing customer information, are reduced. Financial institutions should be vigilant for red flags that their privacy function may not be fully robust, as discussed in the following scenarios. 

  • When some of the above responsibilities are not formally assigned to a person or role. This causes staff in the institution either to bring a privacy issue to the wrong person or to try to address it themselves.

  • When privacy responsibilities are assigned to an individual who lacks the necessary experience, knowledge, and skills.

  • When a responsible individual lacks knowledge in key areas. For example, a Privacy Officer with a solid Information Security and data background may be able to address technical questions concerning secure storage, but without a background in the specific laws and regulations, that individual might not be able to respond to regulatory questions from other individuals at the institution or from regulators or auditors.

  • When the Privacy Officer role is split between two or more individuals. In this instance, the institution must be sure that individuals with complementary skill sets are able to establish a productive working relationship in order to address the multifaceted needs of privacy compliance.

In the case of institutions which have not named a specific privacy officer, examiners will look to see that the responsibilities of a Privacy Officer are assigned and owned. They will review job descriptions, meeting minutes, and risk assessments to determine who performed them and who had input. Senior Officers in those institutions should ensure that all privacy responsibilities are owned, and that this ownership is acknowledged and understood by all individuals concerned. 

How Bates Helps

Bates Group assists our clients with support and guidance on Consumer Compliance protection. We also offer custom Compliance Training for individuals and institutions. Contact us today to learn more!


Brandi Reynolds

Managing Director, BSA/AML Compliance, FinTech & Virtual Assets

breynolds@batesgroup.com

864.809.7718