Quick Cache

By Published on .

The convenience of online banking comes with a price, and we're not talking about another user fee. According to the Interagency Financial Institution Web Site Privacy Survey, conducted by the Federal Deposit Insurance Corporation (FDIC), all of the 50 largest financial institutions that are online collect three or more pieces of personal or demographic information about users. What concerns the FDIC is how banks are handling the data. The survey found that only eight of the 50 largest institutions meet all five principles of the "fair information practice," an Internet industry standard that explains what data is being collected, allows consumers to opt out, permits access to the information, provides secure storage for the data, and gives customers a way to contact the company regarding privacy issues.

Only three sites of the online top-50 are non-interactive, meaning they don't allow customers to bank online (access accounts, transfer funds, open new accounts, etc.). Interactive or not, all 50 sites gather personal details from users. The most commonly collected data are names and telephone numbers - all sites collect this information. Ninety-eight percent of the sites collect users' postal and e-mail addresses as well. More in-depth information is gathered less often. Sixty-eight percent of interactive sites ask users about their occupation, 49 percent about gender, 40 percent about marital status, and only 9 percent about race. Non-interactive sites ask none of these questions.

Forty-eight of the 50 largest banks online post privacy disclosures on their sites. Two of the 48 do so with an "information practice statement," which usually focuses on data security. The remaining 46 have a "privacy policy" - a comprehensive disclosure describing the institution's policies and practices related to the collection and use of user information. But for consumers, finding it may not be the easiest task. True, all but one of the 46 that post a privacy policy have links to it from their home pages, but get ready to scroll: Two out of three sites put links to their policies near the bottom of the page. And take a good look at it now, because you may not see it again: The FDIC found that privacy policies are less accessible on pages where banks are requesting personal or demographic data - the exact procedure privacy statements are designed to explain. Just 57 percent of the bank Web sites with privacy statements have links to their policies from such pages.

FleetBoston Financial is one of the nation's largest financial institutions with an interactive Web site. Online, the bank's customers can create "My Page" - a personalized site where they can add hotlinks to their favorite FleetBoston pages. When setting up My Page, consumers are asked not only for their name, zip code, and e-mail address, but also face multiple-choice questions such as: "How do youspend time with your kids?" and "If you were to buy a new car this year, would you buy..." While FleetBoston is very clear in its privacy policy that it "will not obtain personally identifying information about you when you visit our site unless you choose to provide such information to us," there is no link to this statement from the My Page setup.

For consumers, knowing what's collected about them is only half the battle; the other half is being able to do something about it. Only 31 percent of banks with privacy disclosures allow customers to opt out of providing personal information for internal use. Of that group, 13 percent permit consumers to exercise that choice online. More banks (53 percent) say users can opt out when their personal data could be shared with third parties, but only 4 percent let consumers take this course online. These numbers are bound to rise, however. The passage late last year of the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act, requires that banks give their customers the opportunity to opt out of marketing solicitations from third parties. More consumers might take them up on the offer if they knew that 38 of the 50 sites state somewhere in their privacy policies that the bank can use a customer's personal information to contact them for marketing purposes. And all but one provide a statement informing consumers that their data could also be passed along to third parties.

"Some banks do nothing with the information they collect," says Sonia Barbara, spokesperson for the American Bankers Association (ABA) in Washington, D.C. "Others provide limited information to third parties who offer products that their customers may be interested in. If you're not interested in a product, then by all means you should be able to opt out, but many customers do want that information." Barbara adds that data shared with third parties is very basic, limited for the most part to a name, phone number, and address. The ABA also encourages financial institutions to require third-party marketers to adhere to the same strict security standards that the banks themselves enforce.

Still, most financial institutions refuse their own customers access to even the most basic information they collect. Just 13 of the top 50 banks online inform consumers that they can ask questions about the information they provide, and 12 sites explain how users can correct errors in their personal data. How consumers could know there are errors remains a mystery, though, since only one site allows customers to review the information collected about them. Think you might like to contact your bank about now? Good luck. Only 11 banks tell their users online how to submit a question about privacy.

While admitting that there is room for improvement, the banking industry is not entirely displeased with its performance in the FDIC survey. "Trust is the cornerstone of any good business," says Barbara. As a result of the continued focus on privacy, she expects that "bankers will be looking at all areas and reevaluating their policies."

Most Popular