Comment: Programs Needed to Comply with Privacy Law

in their ability to use and disseminate confidential financial information about their customers. Growing public concern about the misuse of this information has caused regulators to increase their vigilance in enforcing these restrictions, and to consider expanding them.

Now more than ever it is imperative for banks to become familiar with the law in this area and adhere to it closely.

Though both the Electronic Fund Transfer Act and the Federal Reserve Board's Regulation E impose disclosure obligations on banks, by far the most important restrictions in this area are imposed by the Federal Fair Credit Reporting Act, or FCRA. It strictly controls financial institutions in their use of credit and other confidential financial information about existing or prospective customers.

The consequences of not complying are potentially significant. People whose financial information is misused have recourse to sue banks for damages and recover the attorneys' fees expended. People can also recover punitive damages from banks that knowingly misuse their information.

The Federal Trade Commission, too, along with state attorneys general, may sue banks for noncompliance and obtain civil penalties and injunctive relief. The FCRA even imposes criminal penalties on banks and their officers who knowingly seek financial information on prospective customers from credit bureaus under false pretenses.

In recent years, the ability to gather and use confidential consumer financial information in commercially desirable ways has increased substantially. Advances in technology have made collecting, sorting, and disseminating this information easier than ever before. In addition, the growing popularity of electronic commerce, including on-line banking, has let financial institutions offer more services over the Internet and has also led to a tremendous increase in the volume of personal financial information circulating there.

Industry consolidation and diversification, coupled with certain changes in the law, have significantly increased the number and range of business activities of banks and their affiliates, greatly expanding the opportunities for cross-marketing.

The growth in direct marketing has led to a huge increase in the demand for information that can be used to identify potential consumers of financial services and other products. Large-scale, computerized consumer information clearinghouses, called superbureaus, have evolved to satisfy this demand. They collect, organize, and disseminate this information to both physical-world and virtual merchants eager to target their sales activities to the best prospects.

In 1997, amendments to the FCRA took effect that authorized banks to take advantage of some -- but not all -- of these technological advances and commercial opportunities.

Beyond limited exceptions, however, the strict controls on the use of confidential consumer financial information have remained in effect. Recent events suggest that many banks and other financial institutions may not be aware that their ability to disseminate information about their customers remains extremely limited.

A recent case in Minnesota, Hatch v. U.S. Bank, is an example of how this issue has captured government authorities' attention. Mike Hatch, the Minnesota attorney general, sued the principal subsidiary of U.S. Bancorp for allegedly selling credit and other information about its customers to MemberWorks, a telemarketing company. MemberWorks reportedly used this information to solicit certain U.S. Bank customers to apply for credit and participate in bulk consumer purchase programs. Fees for these programs were allegedly charged to consumers' checking or credit card accounts.

According to the complaint, the bank had assured its customers that their personal financial information would be kept confidential and that information about customer accounts would be provided to third parties only to respond to an inquiry, complete a transaction the customer had authorized, or in certain other limited circumstances. Also, MemberWorks reportedly paid the bank $4 million for this information, plus a commission of 22% on revenue from sales by MemberWorks to U.S. Bank customers.

Mr. Hatch argued in the complaint that, by selling MemberWorks not only information about consumer transactions with U.S. Bank but also information obtained from credit bureaus (including behavior and bankruptcy scores), U.S. Bank had obtained and used consumer credit information for purposes not authorized by the FCRA.

It was further argued that, given the bank's assurances of confidentiality on the one hand and its unauthorized sale of personal credit information on the other, U.S. Bank had violated state consumer fraud, deceptive trade, and false advertising statutes.

The case was settled in early July, with the bank agreeing to pay about $3 million to the state and certain charities and to refund to customers the amounts they had been charged for MemberWorks products and services that they did not want or use.

The order of dismissal prohibits U.S. Bank from sharing customer data with telemarketers and other unaffiliated parties for purposes of marketing nonfinancial products and services. It bars the sharing of any such data with any other parties or for any other purposes without first giving customers notice and an opportunity to opt out.

The order also requires U.S. Bank to disclose to its customers each category of information it proposes to share with affiliated and nonaffiliated companies and to give them simplified opt-out procedures.

Congress, too, has recently become extremely interested in this issue, and numerous bills were introduced this year to address a growing national concern about financial privacy.

Most prominent among them was HR 10, the financial reform measure approved by the House in early July and now before a conference committee. Title V contains a number of provisions that would enhance consumers' FCRA protections. Banks, brokerages, and insurance companies would be required to disclose their privacy policies to customers and let them opt out of the sharing of any nonpublic personal information -- including transaction and experience data -- with unaffiliated third parties.

HR 10 also would completely prohibit financial institutions from giving customer account numbers to third parties for use in direct marketing.

The groundswell of interest in and support for enhanced privacy protections ensures that this or something similar will become law.

In light of the intensified public interest in privacy, the Office of the Comptroller of the Currency has issued an advisory that emphasizes the need to adhere closely to the express limitations in the FCRA. It even suggests language to be included in consumer notice letters in order to achieve this goal and to foster informed consumer decision-making. According to the OCC, the notice can be an effective tool to underscore a bank's commitment to protecting customer privacy while promoting goods and services available from affiliated companies in which customers may have a real interest.

Banks and all other financial institutions must strictly adhere to all applicable federal and state consumer information sharing laws. There is already substantial financial risk of noncompliance -- and considerable further risk in terms of lost consumer confidence and trust. Therefore banks should develop compliance programs, if not already in place, to ensure that all divisions and employees with responsibilities in this area are fully familiar with applicable legal requirements. Careful attention should be given to any complaint or question raised by consumers or regulators relating to the use of confidential financial information, and maximum effort should be made to resolve such issues quickly and modify internal procedures where appropriate.
