Key governance topics

Information security and privacy policies

We’re committed to keeping client personal and financial information protected and secure through responsible information collection, processing, and use practices. As part of that effort, we have comprehensive global information security and privacy programs led by our Chief Information Security Officer and Chief Privacy Officer.

We demonstrate our commitment and accountability to protecting information by implementing robust information security and privacy policies and programs. These policies and programs align with external criteria and incorporate senior management and board of director level oversight, including regular status updates to our board of directors on our information security and privacy programs. In addition, we are subject to ongoing regulatory oversight and examination related to information security and privacy, and an independent Corporate Audit function conducts examinations of our lines of business to ensure compliance with standards and applicable legal requirements.

Bank of America partners closely with industry associations such as the American Bankers Association, the Bank Policy Institute, the Securities Industry and Financial Markets Association (SIFMA), the Financial Services Information Sharing and Analysis Center (FS-ISAC), the National Cyber Forensics and Training Alliance (NCFTA), the Center for Information Policy Leadership, and the Future of Privacy Forum to develop global solutions for privacy and the responsible use of data, as well as to identify, prevent, and protect against industry-targeted or bank-targeted cyber events. We are one of eight banks that came together to proactively identify ways to enhance the cybersecurity resilience of the U.S. financial system. The Financial Systemic Analysis & Resilience Center (FSARC) was an outcome of that effort, and we continue to play a leading role in its evolution.

In addition, Bank of America has aligned its information security controls to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). We incorporated the NIST Cybersecurity Framework into our annual policy management cycle and have designed and implemented internal risk-based frameworks that align with NIST. Understanding the constantly evolving nature of data protection, we continuously monitor for emerging risks and dedicate significant resources to help ensure clients’ information is protected. We proactively look for ways to build stronger defenses, ensure every step of our technology design process takes cyber risks into consideration, and integrate layers of security into everything we do. During the last four years we have not experienced any material losses or other material consequences relating to technology failure, cyber-attacks, or other information or security breaches.

Our Code of Conduct and privacy and security standards and procedures require confidential treatment of client information consistent with applicable laws and regulations and reinforce our commitment to the responsible processing of personal data. Individuals who access bank computer systems and information are required to complete annual information protection and privacy training, and employees in privacy-sensitive roles receive additional training specific to their position. Annual training is supplemented with additional educational content that reinforces desired employee behaviors, creates a heightened level of accountability, and acknowledges good behavior. Vendors are also regularly assessed to ensure they maintain appropriate security and privacy controls.

Bank of America maintains an Enterprise Privacy Office, led by our Chief Privacy Officer, and a Global Information Security organization, led by our Chief Information Security Officer.

The Chief Privacy Officer oversees the effectiveness and implementation of the privacy program in business processes across the company, ensuring that adequate governance and oversight are in place; that changes to applicable laws and regulations and recognized best practices are accounted for; that standards and policies are maintained; that employee training is developed and administered; and that Bank of America routinely monitors, assesses, and measures business operations to ensure that processes and privacy management practices are compliant and in line with our standards.

The Chief Information Security Officer (CISO) develops and executes an enterprise-wide information security strategy that protects Bank of America’s and its clients’ information, complying with applicable legal and regulatory standards. As part of this role, the CISO manages the development, implementation, and maintenance of the information security infrastructure; oversees the protection of Bank of America’s computer-based assets by providing monitoring, detection, analysis, event handling, and containment of security incidents; monitors information security trends internally and externally; and informs senior leadership about information security-related issues and activities affecting the organization.

In accordance with applicable laws globally, the bank provides clients with privacy notices that clearly explain our information collection, sharing, and use practices. Clients can also access privacy notices and additional information about privacy and information security online through our privacy and security web pages. For all but credit card and certain affinity products, we do not share sensitive and/or personal information with unaffiliated third parties unless regulations allow it, such as with a vendor that performs a service on our behalf. Credit card and affinity clients can still exercise control over and limit the sharing of their personal information with a third party outside a statutory exception.

While we do share information between our affiliated companies for our everyday business purposes, clients are offered an opportunity to limit other types of affiliate sharing and/or use. The bank also makes it easy for clients to limit certain types of marketing. Clients can opt out of telemarketing, email, and direct mail marketing, and we provide training to employees on these options and how to guide clients through the process.

Finally, we constantly advance our technology and maintain physical, electronic and procedural safeguards to protect against unauthorized access to client information. This includes providing clients with new security tools that help protect them.

  • Secure technology: Our fraud prevention and security systems help protect clients with encryption technology and secure email communications. We are a recognized leader in fraud and identity safety, with strong performance in fraud prevention, detection, and resolution, based on industry assessments by Javelin.
  • Debit cards: Our Total Security Protection® package provides defense against theft, loss or fraudulent use when accessing a checking or savings account with a debit card. In addition, bank clients are able to lock and unlock their Consumer and Small Business ATM/debit cards through self-service options in mobile and online banking.
  • Social Security Number Policy: Our Social Security Number Policy protects the confidentiality of Social Security numbers, prohibits unlawful disclosure of Social Security numbers and limits access to Social Security numbers.
  • Identity theft assistance: Our Identity Theft Assistance Center offers resources to help with identity theft recovery, prevention, and education. Our Online and Mobile Banking Security Guarantee covers Bank of America accounts, the security of customer and client information, and the time spent processing payments.
  • Secure access to accounts: Our Security Center offers clients mobile and online banking tools to securely manage their finances, including options for signing into and monitoring activity on their accounts. Clients can manage their digital banking security settings in one place, and can opt in for an extra security feature at sign-in that helps verify the client’s identity with a one-time authorization code sent via text or email each time they sign in.

Tax strategy and reporting

Bank of America employs rigorous tax governance and risk management routines across the enterprise to ensure that we comply with the letter and spirit of all applicable tax laws and regulations. The bank files income tax returns in more than 100 state and non-U.S. jurisdictions each year. The IRS and other tax authorities in countries and states in which the company has significant business operations examine tax returns periodically (continuously in some jurisdictions).

Internationally, we adhere to the UK Code of Practice on Taxation for Banks. Most of our global business is conducted in locally regulated entities, such that intercompany interaction is subject to regulatory-driven arm’s-length standards, in addition to the U.S. tax authority’s overarching arm’s-length standard.

While not an exhaustive list, some of the internal routines in place to ensure we comply with tax laws and regulations are:

  • Corporate Tax Department Risk Management Forum
  • Tax Shelter Reporting, List Maintenance, and Disclosure Policies relevant for principal activities and advisory activities
  • Participation in the UK Code of Practice on Taxation for Banks
  • Policies allowing for escalation of any matter to Reputational Risk Forums
  • Tax personnel participation in various forums throughout the enterprise, including Finance escalation routines and business New Product Review Forums
  • Oversight that can include inquiry into tax practices and risks by various regulators globally
  • Various control frameworks, including Sarbanes-Oxley and oversight by our Compliance, Corporate Audit, and Risk functions

We provide financial information by region in Note 26 of our 2020 10-K. Included in this disclosure are assets, revenue, income (loss) before taxes, and net income (loss). In addition, many of our subsidiaries in the UK and other countries prepare “statutory accounts,” which consist of financial statements and footnotes that are publicly available in the UK and many other countries. Our 10-K disclosures provide a public explanation as to why our global effective tax rate may differ from the U.S. statutory tax rate. Also, some of the above-mentioned statutory reports contain tax footnotes that reconcile the subsidiaries’ effective tax rates to the relevant statutory tax rates. In addition, we regularly provide information to help investors forecast the company’s tax expense. This includes effective tax rate guidance on earnings calls and information in SEC filings, such as drivers of tax risks and drivers of deferred tax asset carrying values. Please see the 2020 10-K for complete information on the topic.

Bank of America advocates for tax laws that encourage economic growth and help American companies compete in today’s global economy. Bank of America communicates with policymakers both independently and as part of the Alliance for Competitive Taxation (actontaxreform.com), a group of nearly 40 U.S. companies that has advocated for U.S. tax reform and is now engaged with the Treasury Department on implementation of the Tax Cuts and Jobs Act.

Stakeholder engagement

At all times, we’re listening to and engaging with a diverse set of stakeholders who are interested in or directly affected by our company’s business. As part of our stakeholder engagement process, including our shareholder engagement, we listen to the feedback of our constituents to help inform our decisions. Through continual debate and dialogue with all of these groups, we are positioned to make better informed, more balanced decisions. We do this through a variety of ongoing engagement and activity, including through our Market President network and our National Community Advisory Council (NCAC).

Market Presidents

Each of our local markets is led by a Market President. The Market President’s role is to work with our different lines of business within the company, sometimes with individual employees, to deliver the full capabilities of our company to our clients and help them achieve their financial goals. They work to make sure our clients have a positive and consistent experience with Bank of America, regardless of how they do business with us.

The Market President also leads our teams as they partner with local organizations to help strengthen our communities. They guide our efforts to be a responsible corporate citizen, whether through our day-to-day business activities, our employee volunteer programs, or our philanthropic support for organizations that make a positive impact.

Our Market Presidents are committed to working with the public, private, and nonprofit sectors to improve neighborhoods through volunteerism, financial support of local charitable organizations, and other efforts.

As part of their local leadership role, Market Presidents regularly interact with local influencers, including civic leaders and policy makers, to solicit their feedback and engage on important issues in the community.

National Community Advisory Council

Bank of America consistently engages external stakeholders for advice and guidance in shaping our ESG practices and priorities. One way we do this is through our National Community Advisory Council (NCAC), a forum made up of senior leaders from civil rights, consumer advocacy, community development, environmental, research, and other organizations who provide external perspectives, guidance and feedback on our business policies and products. NCAC members meet with members of our senior leadership team at least twice annually.

As examples of its work, the NCAC is credited with advising on the development of our Community Financial Center strategy, including how we engage our lower-income customers around products and tools like Advantage SafeBalance Banking®, Affordable Loan Solution™ and Better Money Habits™. Our engagement with NCAC members also led to the piloting of a workforce development program, Latinos in Finance, with UnidosUS, focused on training bilingual talent for financial center positions.

Members of our NCAC include:

  • American Enterprise Institute
  • Asian Americans Advancing Justice
  • Brookings Institution
  • CDC Small Business
  • Center For Climate and Energy Solutions (C2ES)
  • Center for Responsible Lending
  • Ceres
  • Chicago Community Loan Fund
  • Clean Air Task Force
  • Consumer Federation of America
  • Enterprise Community Partners, Inc.
  • Financial Health Network
  • Harvard Kennedy School, CSR Initiative
  • Hope Enterprise Corporation, Hope Credit Union & Hope Policy Institute
  • Interfaith Center on Corporate Responsibility
  • Liftfund
  • NAACP
  • National Community Reinvestment Coalition
  • Opportunity Finance Network
  • Self-Help Venture Funds
  • The Leadership Conference on Civil and Human Rights
  • The National Urban League
  • The Nature Conservancy
  • The Pew Charitable Trusts
  • U.S. Green Building Council
  • UnidosUS
  • Urban Institute
  • World Resources Institute