US regulators have issued a set of non-compulsory guidelines for banks to follow in safeguarding confidential customer data.
The guidelines, drawn up under the Gramm-Leach-Bliley financial modernisation Act and coming into effect on 1 July, seek to establish a set of standards relating to administrative, technical and physical safeguards for customer records and information. They require banks to identify and assess risks to customer information, and to develop and implement a written plan outlining procedures for controlling those risks.
Importantly for banks, which feared that the imposition of legally-binding rules would hamstring their data sharing and e-commerce business plans, the regulations require only that each institution "implement a security programme appropriate to its size and complexity and the nature and scope of its operations".
The guidelines also require banks to be diligent in their dealings with third party suppliers of software and computer systems. But again, the regulators have shrunk from laying down hard and fast rules on the appropriate level of oversight which banks should exercise in this area.