Comment: How Bank Insurance Pitch Can Satisfy GLB on Privacy

The Gramm-Leach-Bliley Act, which repealed the Depression-era Glass-Steagall prohibition on affiliations among banks, securities firms, and insurance companies, also imposed strict privacy protections for all customer information.

These privacy provisions are open to interpretation by the banks that must honor them. And the various interpretations have heightened the complexity of direct mail insurance marketing efforts undertaken by banks and their insurance company partners.

Let's look at a typical, large, national bank offering its customers supplemental insurance policies through the mail.

A mail solicitation goes out; the customer completes an application and supplies an account number for billing. Then the Postal Service delivers large sacks of mail to a third-party administrator, or TPA, hired by the bank.

These days, machines open the mail, applications are scanned into a database, and bar codes on the application forms avert the need to retype information supplied by the customer.

Down the electronic conveyor belt these applications go, and insurance policies are automatically personalized and printed. Other machines make sure the completed policy is mailed along with all the riders, brochures, and forms appropriate to, for example, a checking account customer in North Platte, Neb. A premium billing file is created and sent through the ACH system.

The business of insurance administration is now lightning quick, inexpensive, and of a quality previously unachievable.

But the banking reform law threw a little monkey wrench into this smoothly running machine.

The key privacy provision of Gramm-Leach-Bliley states: "A financial institution shall not disclose … an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer." (I've added the italics to focus on what requires interpretation.)

On the face of it, the bank can offer these valuable insurance services to customers but cannot disclose any account number for billing purposes to a third party for its use in marketing. The account number is crucial. With an account number preprinted on an application, buying is simple. Check a box, sign a name, off it goes.

Without this information, you're asking the customer to accurately supply an account number and ABA routing number. Then you're asking an operator at the TPA to type in these numbers and make no keying errors.

Thus burdened by account number complications, have banks stopped marketing insurance to their underserved middle-market customers? As the Wizard told Dorothy, "Not so fast, not so fast!"

Here are a couple of Gramm-Leach-Bliley solutions adopted by banks involved in direct mail insurance marketing.

Some financial institutions have interpreted the reform law in a way that lets them disclose account numbers to a TPA not involved in a marketing effort and only serving the bank and those people who choose to buy insurance. These banks feel that as long as they and their TPAs have a confidentiality agreement and the bank has disclosed to its customers that such an arrangement may be made, they comply with the law.

In this way the bank supplies the TPA with a customer information file, and it encrypts the account numbers and sends the files to the insurance company to prepare the solicitation. The insurance company is involved in the marketing effort and cannot be given access to live account numbers. And it does not get access.

When responses appear at the TPA, the account numbers are decrypted, and billing can be done according to the customer's wishes.

But what if a bank disagrees with the interpretation that an independent TPA, not involved in selling or marketing, can be given live account numbers?

In such a case, the bank could use a data warehouse company to encrypt account numbers. The data warehouse then would send separate, encrypted files to the insurer, where solicitation pieces are printed, and to the TPA, which must prepare its system to receive applications.

When the filled-out applications are received at the TPA, they are processed using the encrypted account numbers. A file of all applicants is then sent back to the third-party warehouse where the account numbers are replaced with live ones. This file is returned to the TPA, which now has live account numbers only for the customers who applied for insurance. Billing begins accordingly.
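The warehouse-mediated flow described above, as an added example that is not part of the original article: only the warehouse holds live account numbers, the insurer and TPA work from substitutes, and live numbers come back only for customers who applied. The class and function names, the constructed sample customers, and the use of keyed HMAC-SHA256 tokens with a lookup table in place of reversible encryption are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; names and account numbers are made up.
SAMPLE_CUSTOMERS = [
    {"name": "A. Lindqvist", "city": "North Platte", "account": "4000111122"},
    {"name": "B. Ortiz", "city": "North Platte", "account": "4000222233"},
    {"name": "C. Hale", "city": "Omaha", "account": "4000333344"},
]

class DataWarehouse:
    """Hypothetical warehouse: the only party holding live numbers and the key."""

    def __init__(self, customers):
        self._key = secrets.token_bytes(32)   # never leaves the warehouse
        self._vault = {}                      # token -> live account number
        self._records = []
        for c in customers:
            token = self._tokenize(c["account"])
            self._vault[token] = c["account"]
            self._records.append(
                {"name": c["name"], "city": c["city"], "token": token})

    def _tokenize(self, account):
        # Keyed, so an outside party cannot rebuild tokens by guessing numbers.
        mac = hmac.new(self._key, account.encode(), hashlib.sha256)
        return "T" + mac.hexdigest()[:20]

    def outbound_file(self):
        # The file sent to the insurer and to the TPA: tokens only.
        return [dict(r) for r in self._records]

    def reidentify(self, responder_tokens):
        # Live numbers are released only for tokens this warehouse issued.
        live, rejected = {}, []
        for t in responder_tokens:
            if t in self._vault:
                live[t] = self._vault[t]
            else:
                rejected.append(t)
        return live, rejected

def run_campaign(customers, responders, forged=()):
    warehouse = DataWarehouse(customers)
    insurer_file = warehouse.outbound_file()  # used to print solicitations
    tpa_file = warehouse.outbound_file()      # used to receive applications
    # The TPA matches returned applications by the token on the form.
    applied = [r["token"] for r in tpa_file if r["name"] in responders]
    live, rejected = warehouse.reidentify(applied + list(forged))
    return insurer_file, live, rejected
```
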

Other banks go a step further, giving customer files with live account numbers only to the data warehouse. When applications are received, the TPA creates a responder file and sends it to the data warehouse where the account number is added. The data warehouse sends the file for billing.

Many procedures can be adopted, each matching a bank's interpretation of how customer account numbers may be shared when insurance is marketed through a joint venture. The common element of all of these versions? Privacy is guaranteed, and banks can continue to offer a valuable insurance service to their customers.
