Message to Bankers Sharing Client Data: Beware a Backlash

Under recent changes to the Fair Credit Reporting Act, a bank will be able to share with its affiliates any information about customers for any purpose.

Sounds great, but what if some banks abuse the new freedoms and violate consumers' privacy?

"All of us will get tarred," predicted Pamela P. Flaherty, a senior vice president at Citicorp. "Privacy needs to get embedded in our organizations as a value."

"This is not a license to kill," L. Richard Fischer, a partner at Morrison & Foerster law firm, reminded a group of bankers here last week. "There still are rules that deal with privacy. And it's important to remember that privacy is a political hot button."

The message: The industry's gain is fragile, and missteps could lead to a backlash in Congress.

It took the banking industry seven years to convince lawmakers to loosen the fair credit law's restrictions. But amendments enacted Sept. 30 will let banks and their affiliates share information from credit applications, credit bureau reports, and the institution's customer experiences, such as repayment history.

This information may be used for marketing, credit prescreening, or risk analysis. The amendments also permit banks to set up a central data base that all affiliates may tap.

But the new law also requires customers be given "clear and conspicuous" notice and a "reasonable" opportunity to "opt out," or tell the bank not to share information about them.

Those terms were not defined by Congress, and banking lawyers are advising the industry to be conservative.

"Right now I think we have a lot of latitude," said Jay N. Soloway, senior vice president and associate general counsel at Chase Manhattan Bank. "This is an opportunity for the industry to go out there and set the standard.

"The goal ought to be using information in a way that is beneficial to the customers, that is also good for the institution," Mr. Soloway said.

Banks also shouldn't try to fool customers, said Clinton W. Walker, senior vice president and general counsel at First USA Bank. "People will start coming down hard on you if you don't have that 'opt out,'" he said at a workshop here last week sponsored by the Consumer Bankers Association.

When a bank denies credit or increases a customer's rate based on information from a third party or an affiliate, the new fair credit law mandates customer notification.

The so-called "adverse action" notice must be sent within 60 days and must explain the "nature" of the information used to reach the credit or rate decision. State adverse action laws are preempted through 2004.

Under the new law, if banks want to share information about their customers with unrelated companies they must create a second data base.

In addition, the second data base may be shared with unrelated companies only if the information is used for marketing purposes - not credit decisions. Banks that cross this line will be subject to the regulations governing credit bureaus.

Banks may take advantage of the new law before it takes effect next September but only if they follow all its provisions.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER