Companies Helping Small Banks with Privacy Rules

Say your bank still doesn't have a privacy policy and senior management is puzzling over how to follow the privacy rules in the Gramm-Leach-Bliley Act. Sure, you could hire a lot of lawyers, but several technology companies are presenting alternatives.

One such company is Compliance Coach, a one-year-old software firm in San Diego that last Friday introduced Privacy University. This is a Web site that offers an online training program for bankers and other professionals, a privacy notice generator, and an Internet help desk.

The site asserts that it can "walk you through" Gramm-Leach-Bliley without "complex legalese" and that its privacy policy generator works "in five easy steps."

Though big banks have appointed privacy czars and crafted elaborate policies for prominent display on their Web sites, smaller banks have had a harder time keeping up with evolving legal requirements.

Compliance Coach is marketing its site not only to smaller banks but also to insurance agencies and other companies that qualify as financial institutions under Gramm-Leach-Bliley. The company says its services, available through the Internet and on CD-ROM, offer an "easy interface that allows you to proceed at your own pace."

The curriculum at Privacy University revolves around a customizable testing service. Companies can decide what they want their employees to know - the rules of Gramm-Leach-Bliley, the company's own privacy policy, or the parameters of the European Union's directive on privacy, for instance - and Compliance Coach puts together a battery of lessons and tests designed to teach and assess proficiency.

Sai Huda, chairman and chief executive officer of Compliance Coach, said higher-level managers take a slightly different version of the program, one that is more like an "executive summary" and less like an exam. "The test is optional for board members," he said.

Mr. Huda's company has 15 employees, five of whom are privacy experts, according to company spokesman Michael O'Brien. Mr. Huda spent five years as chief compliance officer at Advanta Corp. and earlier held the same title for six years at San Diego Financial Corp.

His partner, Paul Reymann, an executive vice president at Compliance Coach, hails from the Office of Thrift Supervision, where he helped draft Section 501 of Gramm-Leach-Bliley, which covers "protection of nonpublic personal information."

The Privacy Council, a Dallas consulting firm that specializes in risk management and data protection, is repackaging Compliance Coach's software as its own product called Virtual Privacy Officer. It won't feature the name "Privacy University," but Compliance Coach will get a cut of every subscription.

The council plans to market the enhanced product to its Fortune 500 clientele as well as to financial institutions.

Gary Clayton, CEO and founder of the council, said his firm is adding its own services to Privacy University. He said that by January it will include an electronic-based newsletter service (in conjunction with Lexis-Nexis) and an audit trail mechanism that tracks and certifies where customer information is being used and distributed.

Mr. Huda said Privacy University can be particularly helpful to companies that are covered under Gramm-Leach-Bliley but do not routinely consider themselves financial institutions and have never considered privacy an issue before.

"Mortgage brokers, real estate agents, they haven't been paying attention to this," he said. "They're going to struggle with how to comply."

Companies need to address the topic now, Mr. Huda said. "The regulators are going to monitor compliance, and institutions should not wait until July 1," when compliance becomes mandatory, he said. The law's privacy provisions took effect Monday, but compliance is still voluntary.

Century Savings Bank of Bridgeton, N.J., has signed on for the service after testing it last month. Neil Blakeman, vice president of internal audits and compliance at the $200 million-asset bank, said the annual subscription costing about $1,000 is well worth it. (For companies with 10 or fewer employees, the rate is $500.)

"We don't have a large staff or anything," he said. "The transition from someone like me on the compliance side knowing the rules and then training every single person who works for the bank - it's a long and drawn-out process."

Mr. Blakeman said his bank will probably spend $20,000 on compliance, but Privacy University will make his life easier. Century Savings cannot afford to hire an employee exclusively to deal with privacy issues, he said.

A cottage industry of lawyers, consultants, technology firms, and others has emerged to guide institutions of all sizes. For example, on Tuesday, First Data Corp., an Atlanta payments processor, launched a software product called PrivacyLink that helps distribute and track responses to customer privacy notices.

Jeff Price, senior vice president of product development at First Data, said regulators will not accept any excuses from financial institutions that fail to develop coherent privacy policies and disseminate them to customers. The institutions have no choice, he said. "They've got to get this message out."

The software is intended for companies that already have privacy policies. It does not help with the content of a bank's privacy policy or statement. "We're not really doing a consulting service, but we're helping to get the notices out," Mr. Price said.

First Data says PrivacyLink can reduce overlap in the delivery of customer notices, which is bound to occur with large banks that sell multiple products to a single person.

"A retail bank will have checking account and DDA and home mortgage customers," Mr. Price said. "You want to be able to manage the cost implications of that and consolidate the same data."

A Compliance Coach survey of 200 financial services companies - half of them banks and the others thrifts, credit unions, brokerages, and insurance firms - suggested that even companies with established privacy policies commonly swap customers' personal information.

Among the 169 respondents that said they had privacy policies, more than half said they routinely share "nonpublic personal information" with a nonaffiliated third party. Twelve percent of the respondents said they have private policies but refused to comment on their information-sharing practices.

Some banks are trying to use privacy notices as marketing pieces that highlight their trustworthiness, but Mr. Price said not every bank can afford to do so.

"Amongst the large-tier institutions, you'll see more flexibility with how to issue this," he said. "But with mid-to-smaller places, there will be a more standard package. They can't afford to make it too fancy, and they don't have the time and resources to put out a very creative response."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER