Well, maybe not anymore. But two years ago, it was allowing DoubleClick to gather information on its customers.
In it, the author noticed that DoubleClick, that notorious internet ad agency, placed a 1x1 pixel tracking image on customer machines during the login on a secure server, seemingly with Bank of America's blessing.
The article didn't indicate any resolution to the issue, but it goes to show: if corporate IT execs think nobody is going to notice: wrong. And the egg on your corporate face, even two years down the road, isn't worth the few pennies you'll get from selling out your customers.
Personally, I think this just goes to show how you can't trust privacy policies: the best privacy you have is that you keep yourself.