OCC Takes Hard Line on Customer Data Privacy

Banks' increased freedom to gather information on their customers is clashing with some newly articulated regulatory concerns about personal privacy.

Major banking companies got what they wanted in 1996 amendments to the Fair Credit Reporting Act, which allow them to share certain marketing information among their affiliates. But compliance by credit card issuers and other marketers has drawn the scrutiny of regulators, in particular the Office of the Comptroller of the Currency.

Julie L. Williams, the OCC's general counsel and until recently the acting comptroller, said in an interview, "We have discovered that in the area of opt-out notices there are various approaches, and some of them may be more effective or complete than others."

She was referring to the rights consumers have to remove their names from mail- and phone-solicitation lists. Though the amendments were effective in 1997, many banks have only recently begun to notify customers about opting out.

"It wasn't as easy as everyone thought it would be," said Marcia Sullivan, director of government relations for the Consumer Bankers Association. "It's a very expensive proposition for banks to do this."

Under the new rules, banks may share customer information with their affiliates-such as data from loan applications and credit bureau reports- only if they inform customers of their intentions and give them an opportunity to opt out of marketing efforts that would follow.

Affiliate sharing used to be restricted to transaction data-records of a bank's own experience with its customers. Consumers have no opt-out right in those cases.

The fear is that financial institutions would ultimately develop data bases with very specific customer information that could be easily misused.

The OCC has said some notices are too hard to spot, including those that appear only in fine print. It will soon issue best-practices guidance, offering examples of notices that fulfill the spirit as well as the letter of the law.

Bankers expect the OCC guidelines to become a "de facto" regulation, said John Byrne, senior counsel and compliance manager of the American Bankers Association in Washington. "The OCC is going to create new responsibilities that were not in the law."

Banks generally think the OCC has not given them "a fair shake" on privacy, Mr. Byrne said.

An official of the Federal Trade Commission, which enforces the Fair Credit Reporting Act, has also weighed in on affiliate sharing.

"If consumers can be denied credit because of this unregulated pooling of information," that is a problem, said David Medine, associate director for financial practices at the FTC.

Ms. Williams said, "We are not taking the position that certain data bases are per se bad." The OCC is concerned about "what the information is used for."

A number of scenarios of potential abuse have been circulating, some of which bankers regard as extreme or highly unlikely. Citigroup's name often comes up because of the information-sharing that could take place between its bank and insurance affiliates in the old Travelers Group.

Mr. Medine said Citibank could deny an application for a credit card because of knowledge from the insurance side that the applicant has a terminal illness. Banks are not required to disclose information in these data bases to consumers. If the information is inaccurate, consumers suffer, Mr. Medine said.

Mr. Byrne of the ABA said, "No one in our industry would say that is a valid use of information."

Joan P. Warrington, a Citigroup vice president and general counsel, said, "It seems to me that if we deny an application for credit, we have to give a reason for it."

Furthermore, Ms. Warrington said most of the information eligible for affiliate sharing is already available to consumers. Banks are most interested in circulating credit bureau and application information.

Before affiliate sharing, banks could get credit reports under restricted conditions, primarily if the consumer applied for credit, or to check existing accounts.

"Once the consumer gets in the door, companies can get the report when they have no legal purpose to see it," Mr. Medine said.

Financial institutions maintain that their only objective is to provide consumers with offers that interest them.

"The more knowledge we have about consumers' needs, the better we can target products to them," Ms. Warrington said.

Ms. Warrington said there is a further consumer benefit: "You want to be treated based on your whole relationship with the organization."

A mortgage application, for example, is a particularly rich vein of information that Chase Manhattan Bank wants to tap for sharing among various affiliates.

"It allows us to make very specific offers," said Chase vice president Eugene Ret, declining to disclose exactly how the bank will do so.

The newsletter Privacy & American Business of Hackensack, N.J., in its 1998 consumer survey with Louis Harris & Associates, found the public wary of information sharing, especially if unaffiliated companies were involved.

On a hypothetical question about telephone companies' use of personal data, 80% were completely or totally opposed to sharing with nonaffiliates. That came down to 50% if it were between related companies, and only 21% in that instance if advance notice were given.

The FTC is less concerned about marketing uses of data bases than about how they affect lending decisions.

"I think a lot of this is prompted by the overall change in the privacy climate in this country, in part spurred by" the European Union Directive on Data Protection, Ms. Warrington said.

The directive, which took effect in October, governs how companies of any nationality can use the information they gather on European citizens. It is far more restrictive than U.S. law and gives consumers greater control over how their personal information is collected and used.

European privacy officials have been urging the U.S. government to adopt similar privacy laws, but the American negotiators have resisted. U.S. corporations argue that the European directive hampers their marketing efforts unduly.

Ms. Warrington has been immersed in these issues since August, when she began spearheading a privacy training program in Citigroup's U.S. card division. The initiative, which will involve changes for employees and customers, was put in motion by A. Sami Siddiqui, president of Citibank's card business in North America.

Over the next two and a half months, Citibank credit card customers will be receiving notices about their right to opt out of marketing resulting from affiliate sharing.

Applications for new credit card accounts have been revised. The signature panel now includes opt-out notices. The company also developed global privacy polices, pulling together disparate polices that applied to various consumer businesses but not the whole company.

Last November, Citibank card services began an employee training program to sensitize its customer service representatives and marketing executives to privacy issues. The focus of the training is on global privacy policies- or "promises," as Citigroup calls them.

A pamphlet designed for this training describes Citigroup's goal: Privacy "must be woven into our corporate culture as values to be upheld and cherished, not merely rules to follow."

The training, including a video, lasts about an hour and a quarter and will eventually be rolled out throughout Citigroup, Ms. Warrington said. Chase Manhattan executives described similar initiatives that began last year.

As the regulators take closer looks at the policy implications, banks are still in the early stages of building sophisticated data mining capabilities.

The process of customer profiling "is still very primitive," Ms. Warrington said. She contends that affiliate sharing will not result in "one single profile" that is damaging to personal privacy.

"It will lead to more testing on whether this person will become delinquent, or whether someone will be interested in a balance transfer offer, and so on," she said.

"I see the most important issue in 1999 as the customer's access to information," Ms. Warrington said. The issue, she said, is being pushed to center stage by the discussions between U.S. regulators and European privacy officials.

U.S. banks like Citigroup are in the middle of these discussions, grappling with how to satisfy Europeans' privacy standards and the increasing concerns of U.S. regulators.

"We have proprietary credit scores, fraud scores, records that may go back for years, but that may be costly to produce," Ms. Warrington said. "We have collection notes and customer service notes and computer-generated correspondence. When you start to think of how much there is, it is not so simple to say, 'the customer should get his or her full record'-because what is that?"

Thomas P. Vartanian, a Washington-based partner in the law firm Fried, Frank, Harris, Shriver & Jacobson, said banks are being swept into the maelstrom of Internet privacy controversy.

"Consumers would have been shocked five years ago to know all the information that exists on them," he said. The difference now is how much easier access has become, because of the Internet and sophisticated software tools.

"The underlying change is the medium," Mr. Vartanian said, "and that is what is going to push institutions to address privacy with their customers."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER