Cost of Compliance Could Deter Data-Sharing

WASHINGTON - In the privacy debate, banks are facing a big decision: to share customer information or not.

Those that refrain may score public relations points and save millions in compliance costs. But over the long haul they could suffer, because sharing customer data to sell new products is a key source of cherished noninterest income.

"Only when you have looked at the competitive and monetary costs of sharing information … can you assess if the benefits offset these costs," said Oliver Ireland, the Federal Reserve Board's associate general counsel. "There are going to be some major financial institutions that aren't going to be sharing information. … Their compliance program will be simpler."

So far, only one large banking company - Bank of America Corp. - has decided it will not let other companies use its data.

"We will not share, sell, or otherwise disclose customer information to third-party organizations for marketing their products or services," Hugh L. McColl Jr., Bank of America's chairman and chief executive officer, said in a speech last month. "This is very important, because it leaves us completely unconcerned about privacy legislation that would regulate such sharing or selling of information.

"Opt-in, opt-out, restrict it, or prohibit it. We simply don't care, because we don't do it anyway."

A number of states have considered tough "opt-in" legislation that would require banks to get explicit customer permission before sharing their personal information. The Clinton administration is pushing similar legislation in Congress. While neither the federal nor state opt-in bills are expected to be enacted this year, lobbyists do not discount future passage.

Newly unveiled rules mandated by the Gramm-Leach-Bliley Act of 1999 will require financial institutions to explain privacy policies to customers and offer a chance to block any sharing of their financial data with third-party marketers.

Under these arrangements, banks share customer data with businesses that want to offer products to the banks' customers. For every sale, the bank earns a fee. The bank does not restrict how the third party uses the customer information.

Congress said customers must be given a chance to opt out of these deals. But the law does not give customers the right to stop banks from sharing data among affiliates or using it to jointly market another financial institution's products or services, such as insurance or investment counseling.

Joint marketing arrangements, which must be disclosed to customers in notices once a year, are exempt from opt-out requirements because the joint marketing partner is not allowed to reuse the information.

Banks also are allowed to share customer information with unaffiliated companies contracted to provide services such as printing checks and mortgage coupons. As with joint marketing arrangements, service providers must treat this information in accordance with the bank's privacy policy and may not reuse it.

"For all intents and purposes, our vendors are part of our company when they are acting on our behalf," Mr. McColl explained.

Institutions that choose not to share customer information still must send notices describing their privacy policies, but they do not have to provide opt-out opportunities nor centralize computer systems to track customers' wishes - which most large institutions say will cost millions of dollars.

"The decision to share or not share customer information is going to be made on an institution-by-institution basis depending on their marketing strategies, product array they want to offer, and [computer information] systems they have," Consumer Bankers Association president Joe Belew said.

U.S. Bancorp and Chase Manhattan Corp. have been through the privacy wringer. Both were sued by state officials for sharing customer data with telemarketers.

U.S. Bancorp, of Minneapolis, was sued last summer by the state attorney general for allegedly selling account numbers and consumer credit report information. The company agreed to stop sharing customer data with third parties that sell non-financial products.

Going beyond the dictates of Gramm-Leach-Bliley, the nation's 14th-largest bank also agreed to give customers a chance to block data sharing among affiliates and joint marketers. Only 7% of U.S. Bancorp's 6.5 million customers have exercised that right, according to Lee Mitau, executive vice president and general counsel.

Chase, which settled with New York's attorney general in January, agreed to limit the sale of customer information to names, addresses, and telephone numbers. Its customers can opt out of their information being shared with third parties selling nonfinancial products.

However, the agreement is similar to the Gramm-Leach-Bliley privacy regulations in that it lets Chase share data with affiliates and joint marketers of financial products and services.

Chase has no plans to curtail customer information sharing further, senior vice president and privacy executive Pat Alberto said. "At Chase, I don't see that as the case."

Other banks are still trying to decide whether to share customer information, and are reluctant to discuss the subject. Privacy executives at Bank of New York, Citigroup Inc., First Union Corp., Fleet Financial Group, J.P. Morgan & Co., Mellon Financial Corp., PNC Bank Corp., and SunTrust Banks Inc. declined requests for interviews.

Karen M. Alnes, director of privacy policies at Wells Fargo & Co. of Minneapolis, described the process as a "very personal decision."

"It's far too premature to quantify the costs and benefits of sharing information with third parties," she said.

But the calculation will have to be made.

"The costs and benefits are not easily quantified," said John Dugan, a partner at the Washington law firm of Covington & Burling. "For example, how do you quantify the cost of controversy? But at end of the day every institution will have to make the judgment."

Julie F. Johnson, Bank One Corp.'s director of information policy and privacy, pointed to the difficulties of using a cost-benefit analysis to set information-sharing policies.

"It's not just a dollars-and-cents thing. Determining worth is unique to each institution's own situation," Ms. Johnson said. "A small bank may need to share information to remain competitive. What is the cost of extinction?"

It is hard to predict whether the largest companies will decide to continue sharing customer data.

"Will others do as Bank of America has done? I just don't know," Mr. Belew said. Sharing information with unaffiliated companies "is a massive compliance challenge that will result in new costs for the industry. I doubt anybody has a bead on what those costs would look like."

L. Richard Fischer, a partner at the Washington law firm of Morrison & Foerster and a privacy consultant, said that in the next year "there will be more and more financial institutions saying, 'It's too expensive to get ready to share, and therefore there's not enough money in it for us to do it. If something goes wrong, the customer unhappiness is such that it's just not worth it.' "

While most bankers were reluctant to discuss the costs and benefits of sharing information, many indicated privately that the decision hinges in large part on public opinion. Banks must make consumers understand that information sharing helps them enjoy everything from more mortgage options to lower fees, industry experts claim.

"The industry is going to need to recast the issue in the eyes of consumers from win-lose to win-win," said Jo Ann S. Barefoot, a privacy consultant in Columbus, Ohio. "If it is true that there will be consumer benefits, that case needs to be made with examples and needs to be true. If [banks] don't do that, the consumer will rebel and seek political solutions."

If the industry does not sway public opinion, the deep well of noninterest income will run dry.

"The entire industry is exceptionally cost sensitive right now, and exceptionally interested in new revenue sources," Mr. Belew said. "To broaden your relationship with a customer by offering new products is what the game is all about."

The decision, he said, boils down to "the expense of redoing all your systems versus the potential revenue."