Citibank Bids to Influence World Privacy Debate

Citibank is trying to take privacy into its own hands.

The New York bank is mobilizing on an international scale to influence how privacy standards are set and how governments will respond to them.

Raising concerns that governments will regulate poorly unless banks and other corporations act first and control the dialogue, the Citicorp unit has been addressing privacy issues in conferences it has sponsored in the United States and Europe, and in papers it has commissioned.

In the works is an Internet site, supported by Citibank, that will be a global forum on privacy concerns.

Citibank's leadership has been noticed in the corporate community: "I know of no other organization that is spending the resources they are," said Martin E. Abrams, vice president of information policy and privacy for Experian, the credit bureau.

And yet there are suspicions in the consumer world. Evan Hendricks, editor and publisher of Privacy Times, said the bank wants to forestall the possibility that the United States will have to raise privacy standards to more stringent European levels.

"Citibank will do everything possible to see that Americans don't have the same privacy rights as Germans," Mr. Hendricks said.

Operating perhaps the most extensive of all multinational retail and corporate banking networks, Citibank has more at stake than many of its industry peers. And it has already been burned by a controversy in Germany, which galvanized the bank into its current activism.

Citibank's introduction two years ago of the Bahn Card, a credit card linked to the German railroad system, enraged consumer activists because applications were processed by travel agents and railroad clerical staff rather than by bank employees.

The Germans also took umbrage at Citibank's way of informing rail customers about the card. Letters invited patrons to apply for a new pass with a credit or debit card function. The material did not make clear that commuters could get a pass without a payment feature, according to consumer advocates.

Citibank ruffled more feathers by asking for prospective cardholders' incomes, addresses, and employment data on the application. These are standard questions on credit card applications in the United States-but not in Germany.

"We didn't do our homework," said Duncan A. MacDonald, Citibank's general counsel for cards in Europe and North America. Mr. MacDonald plays a key role in developing the company's consumer privacy policies.

Determined to reverse its negative image, Citibank launched the international initiative. One of its primary goals is domestic: To increase the level of debate and awareness in the United States, where to many European officials' eyes, privacy policies are dubious at best.

One of the series of conferences was held in May in Washington at the Brookings Institution, which is examining how European privacy standards affect U.S. businesses.

Citibank also convened meetings in Frankfurt and Berlin. In attendance were such U.S. figures as J. Beckwith Burr, attorney adviser to Commissioner Christine Varney of the Federal Trade Commission, and Barbara Wellbery, chief counsel of the National Telecommunications and Information Administration.

Another meeting is scheduled for September in New York.

"We think it is in our interest and ultimately in global data industries' interest to have a very strong dialogue with privacy authorities," Mr. MacDonald said. He wants to see that "at least self- regulation has a chance, and if legislation has to be enacted it is smart legislation."

Europe already has legislation in this area, the European Union Data Protection Directive, which will be effective Oct. 8, 1998. It stipulates that personal data may not be transferred from Europe to a non-European country if it is determined that the second country does not "adequately" protect the information.

At the time of the Bahn Card fiasco, Citibank's chairman, John Reed, "was announcing to the world that Citibank would be a global institution, and a key component to that was to solve the privacy data protection issues," said Mr. MacDonald.

After the problems came to light, Mr. MacDonald swiftly flew to Germany and met with "the moral authority on privacy issues in Europe," Spiros Simitis, a professor of law at the University of Frankfurt and a former data protection commissioner.

Mr. Simitis explained the legal and cultural nuances of doing business in Europe. He also suggested other people in Europe that Mr. MacDonald should speak with about privacy matters.

Even before the Bahn Card incident, Citibank had signed a pact with German authorities. The bank agreed to abide by the country's privacy standards and be held accountable if a German citizen were harmed by something Citibank did.

For example, if a German citizen were denied credit because of false information Citibank provided to another creditor, or if Citibank were responsible for erroneously preventing a card authorization, the cardholder would have the right to sue Citibank.

Citibank then signed similar contracts-called interterritorial agreements-in Italy, Greece, Portugal, and Spain, countries where Citibank has or will soon have card operations.

The contracts "are really about showing good faith politically," Mr. MacDonald said. "Trust is the main ingredient."

Such a gesture is "nearly unheard of," said Alan F. Westin, a law professor at Columbia University and publisher of the newsletter Privacy & American Business. Mr. Westin is Citibank's privacy consultant.

Mr. Hendricks, the U.S. consumer privacy advocate, pointed to the fact that German law allows consumers to see the records Citibank or any other bank maintains on them and to correct these files if there are inaccuracies.

"Americans don't have a contractual right to see the information" in their bank files, said Mr. Hendricks.

Mr. MacDonald retorted, "If a consumer in the United States asked us for their application and billing statements, we would give it to them. What a German can do is ask us for everything in their files, but it never happens."

Mr. Hendricks also pointed out that Citibank can collect information on its customers in the United States and use the data for a purpose other than that for which it was collected. The bank might allow companies to sell their products and services to its customers, using a customer's name, address, and telephone number. German law does not allow a bank to sell such information to a third party.

Mr. MacDonald said Citibank does not sell its customer lists to third parties, but it might present a company's products to its customers.

Citibank is "trying to get a 'gold card' from the European community, so that it won't have anymore run-ins with Europe," said Mr. Hendricks.

Nevertheless, other banks and companies doing consumer business abroad are looking at Citibank's agreements with data officials for guidance.

"The experiment they have done with contracts has added greatly to our knowledge of what works," said Mr. Abrams of Experian.

The contracts meet the "adequacy" standards of European data commissioners, Mr. MacDonald said, and they permit European regulators to audit the bank's card processing operations in South Dakota and Nevada.

One year after the Bahn Card was launched, Citibank invited the federal data protection commissioner in Berlin, Hansjurgen Garstka, to conduct an audit of Citibank's processing operation in Nevada. Then Citibank assembled a group of leading privacy experts in the United States to meet with Mr. Garstka at Columbia University. The group met again in Germany.

Part of the experts' agenda is to coax U.S. banks to adopt privacy policies. Despite relatively strong privacy statements by the likes of Visa and MasterCard and an increased focus on privacy by the Clinton administration, mobilizing banks "is like pulling teeth," Mr. Westin said.

Still, Mr. MacDonald is hopeful. "The debate has gotten hotter, with the Federal Trade Commission and the media turning on the heat," he said. "That will bring religion, and I'm guessing we will see some results."

Several proposals have grown out of Citibank's work.

One is an idea-which Citibank backs-to enable European officials to conduct on-line audits of bank card operations. This would reduce officials' need to travel abroad to inspect foreign companies' operation sites, as Mr. Garstka did.

"In 10 years, the average data protection office may have 1,000 companies to audit in 10 countries," Mr. MacDonald said. "No government is going to fund that, and that will have consequences.

"The government will be more difficult to deal with, more restrictive on information moving outside of the country."

Conducting audits on-line would cost European governments just pennies, Mr. MacDonald said, and would save them countless travel expenses. He estimated on-line audits would happen in about a year.

Another significant result of Citibank's privacy conferences, Mr. MacDonald said, is a plan to develop a Web site that would serve as a discussion forum for the European Data Directive.

The Web site, due in September, will have names, addresses, and telephone numbers of data officials around the world. It is being funded by companies like Citibank, Visa, MasterCard, Fair, Isaac & Co., and KPMG Peat Marwick. The site will be managed by Privacy & American Business and the American Institute for Contemporary German Studies at Johns Hopkins University.

With the Internet as a resource, Mr. MacDonald said, "academics, officials, and business executives can have a dialogue without hopping on a plane."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER