Establishing a privacy program in your credit union: how to begin

NCUA has proposed a privacy regulation to implement the privacy provisions of the 1999 Gramm-Leach-Bliley (GLB) Act, and some credit unions have responded by attempting to quickly draft new policies and procedures. Though this anticipatory effort may appear to be productive, we recommend a slower and more thoughtful approach, especially since mandatory compliance will not occur for at least 6 months. So what should you do to prepare for the new regulation? At RSM McGladrey, Inc., we took a long look at our clients' current privacy practices, as well as the proposed regulation. Our review resulted in a six-step method for implementing the new privacy regulations. Steps 1 through 3 should begin immediately; steps 4 through 6 should be put into effect after compliance is mandatory.

Step 1: Convene your privacy team

Privacy regulation coverage will be institution-wide. As a result, each credit union needs to assess its own practices. Privacy policies drafted so far have often contained errors, because of the mistaken belief that compliance is just a Web site issue or a compliance-department issue. Privacy is an issue for your entire organization. Because privacy cuts across the whole institution, you will need to convene a privacy team with representation from across the organization.

Step 2: Conduct an information-sharing inventory

By far the most important step in building a privacy program is to assess your current information-sharing practices. At RSM McGladrey, we call this process an Information-Sharing Inventory, or ISI. Why is an ISI so important? Because without understanding your current practices you will be unable to build disclosures, control risks, adapt to changes in state law, or perform ongoing monitoring and testing.

To perform an ISI, you must first survey the entire environment for areas where member information is shared, or potentially might be shared, with parties outside of the credit union. We suggest that all employees who are middle managers and above complete a questionnaire developed specifically to identify areas where information is shared. Ideally, the questionnaire would reveal:

* The nature of the shared information
* Any contractual limitation on the information
* Necessary controls to ensure that the information provided is accurate
* A general risk assessment for providing the information

Once the initial questionnaire is completed, the Privacy Committee will need to determine risk, controls, and opt-out procedures. Additionally, the Committee should assess whether each practice currently in place should continue, or how it must be modified.

Step 3: Assess your strategic plan

During initial privacy policy development the Committee needs to assess what strategic changes are ahead for the credit union that could add items to the ISI, e.g., a new Web venture or a new marketing relationship. Each strategic issue needs to be accounted for in the ISI so that the new policy will accurately include it. For example, if a new marketing relationship is planned, your current policy may state that you do not share information with third parties. However, because your decisions are still pending, your policy should instead read, "At this time we do not share information."

Step 4: Develop an internal policy

Once the ISI is complete and you have considered your strategies, you can begin crafting a new privacy policy. We recommend that you follow these rules:

1. Privacy policies that can be purchased are not worth the money. A canned privacy policy cannot be successfully implemented. Beware of the $99 policy. Since every credit union will have a different ISI, you need to develop a policy that is based on your actual practices.
2. Don't put absolutes in the policy. Hedge your policy with statements like "at this time" or "our practices currently are."
3. Patience is a virtue. A policy will not be required until fourth quarter. Publishing a half-right policy will not gain you any points. In fact, the final drafting of the policy should be the shortest part of your project time line. Your ISI will take the longest.

Step 5: Implement your policy

Because the privacy policy covers the entire credit union, implementation will be a challenge. Key steps that will aid implementation include:

* Providing a copy of the policy to all line management;
* Having a clear chain of command for interpreting day-to-day issues;
* Training management and staff on the importance of privacy policy compliance;
* Building a process to deal with violations of the policy; and
* Keeping your Privacy Team in place.

Step 6: Monitoring and audit

In step 2, we recommended the development of the ISI. By the time you are at step 6, your ISI will pay real dividends. It will become the foundation on which your ongoing compliance monitoring and audit program will be built. For privacy monitoring, a well-prepared ISI will identify the activities that need additional controls because of their risk. A strong monitoring program will then focus on adding those internal controls to ensure the risks are mitigated. For privacy audit, your privacy auditors will use the ISI as the foundation for the audit. The auditors will test to ensure that all activities that need to be included on the ISI are actually included, including all information shared with third-party marketers. The auditors will also test the individual ISI components to ensure that they continue to be consistent with your policy.

Privacy policies are critical

Developing, implementing, and complying with a strong privacy program may be the most important regulatory risk-mitigation activity your credit union undertakes in the next few years. Privacy is quickly overtaking other regulatory risk issues in prominence, and will certainly garner increased attention from the regulators, the attorneys general, the class action bar, and your members. In our opinion, a Privacy Program will not be complete unless the full extent of privacy matters is included in your program. These steps, especially the ISI recommended in Step 2, will help ensure that your credit union considers all of the risks in its program.
