Tool 1: Building Your Security Culture

Codes of Conduct

These sample codes of conduct are designed to help create an environment within your institution where all employees are aware of their responsibility to protect customer information.

SAMPLE 1: Confidential Information and Personal Liability

Employees, directors and their associates may be held personally liable for using confidential information (obtained while serving as a director or employee) for personal benefit. They may also be subject to governmental or corporate administrative action. [Institution Name]’s business and customer information and any related files are confidential and cannot be disclosed to unauthorized persons (including competitors) without permission.

SAMPLE 2:

Confidentiality and Integrity of Information

Information about the Corporation, its affiliates, customers, suppliers and employees obtained by virtue of employment with the Corporation is confidential and must be treated as such. Information should neither be modified nor destroyed without proper approval. Disclosure of confidential information to unauthorized persons outside the company is prohibited.

Authentication

In keeping with our tradition of confidentiality, methods of customer authentication, such as an authorization code, are used whenever necessary in the ordinary course of business to obtain information of a confidential nature.

Accountability

It is the policy of [Institution Name] to treat all information regarding its customers and employees in strictest confidence. Failure to maintain the confidentiality of this information will result in corrective action, up to and including immediate dismissal.

SAMPLE 3:

Introduction

In implementing [Institution Name]’s vision in accordance with our values, this Code of Conduct (the Code) serves as a guide to ethical conduct for all employees of [Institution Name].
This policy covers areas of business conduct when working with clients, customers, suppliers, the public and other employees. It also addresses conflicts of interest, which could arise between the personal conduct of employees and their positions with [Institution Name].

Penalty for Violations

Employees are expected to act fairly and honestly when conducting business on behalf of [Institution Name], maintain [Institution Name]’s high ethical standards, and obey all applicable laws. Violations of the Code and applicable laws or failure to cooperate with an internal investigation may constitute grounds for corrective action, up to and including immediate dismissal.

Safeguarding Confidential Information

When conducting business, many employees may become privy to confidential information about [Institution Name], its present and prospective customers and suppliers, its stockholders and employees. Employees who possess such confidential information must understand that it has been given to them for an express business purpose, may be disclosed only on a need-to-know basis, and used only for a proper business purpose. Discretion should be used when confidential information is disclosed, and it should never be disseminated to unauthorized persons. Misuse of confidential information may result in civil or criminal liability, or in sanctions or penalties against both [Institution Name] and the individual responsible for misusing such information.

Procedures to Restrict Flow of Information

Because [Institution Name] is a multi-service financial institution, banking and securities laws, as well as good business practices, require that [Institution Name] have procedures (“firewalls”) to prevent material nonpublic information obtained while engaging in one of [Institution Name]’s diverse business activities from being utilized improperly by others within or outside of [Institution Name].