Financial services firms are not adequately guarding the privacy of on-line customers, increasing the chances that Congress will intervene, a leading regulator said Thursday.
The Federal Trade Commission surveyed more than 1,400 commercial Internet sites, including 125 operated by financial institutions, and discovered just 14% post any notice of their information collection practices. Only 2% provide a comprehensive privacy policy.
"The results that we report today can only be described as disappointing," FTC Chairman Robert Pitofsky told reporters. "Right now, I would say that industry self-regulation simply has not worked."
The results for banks and other financial companies closely tracked the overall findings. Only 16% disclose their information practices, while nearly all the financial companies surveyed collect Social Security numbers, personal income and asset figures, or other application data through their Web pages.
"The fact that they do no better than the general sample is more troubling because of the sensitive financial information some of those sites collected," said David Medine, the FTC's associate director for credit practices.
"Oftentimes there was no disclosure how that information would be used or to whom it would be given," he said. Nor were consumers given options on limiting unrelated uses of their data.
Though industry representatives defended banks' performance, they agreed the report should serve as a wake-up call.
"We have a ways to go," said Marcia Z. Sullivan, government relations director for the Consumer Bankers Association. "It is not a top priority with them on the retail side as it should be."
John J. Byrne, senior counsel at the American Bankers Association, said that the industry's strides in recent months nevertheless demonstrated that "we do not need regulation or legislation."
An unscientific search by the ABA found more than 100 banking organizations had privacy or security policies on their Web sites. The Consumer Bankers Association found 32 of its 50 largest members post privacy statements on-line.
According to the Federal Deposit Insurance Corp., about 1,600 banks and thrifts operate Web sites. Only 220 of them let customers conduct financial transactions on-line, but many of the other sites take loan and other applications.
Mr. Pitofsky said that he still favors self-regulation for such a dynamic economic sector.
The FTC on Thursday proposed legislation barring on-line data collection from children without parental permission, but Mr. Pitofsky said a decision on any additional recommendations won't be made for about two months.
"If it gets no better than it is now, I would predict that many in Congress are going to want to act," the FTC chairman said.
Privacy of financial information is a rising concern on Capitol Hill.
House Banking Committee Chairman Jim Leach plans to introduce legislation by the end of June that would limit disclosures of consumer account information, his spokesman said.
In a June 3 letter to Rep. Leach, Rep. John J. LaFalce, D-N.Y., urged hearings on the threat to customer privacy posed by large financial conglomerates.
William J. Baer, director of the FTC's bureau of competition, echoed those concerns during a Senate Judiciary Committee hearing Wednesday. Cross-industry mergers such as the Citicorp-Travelers Group combination raise questions about unbridled information sharing.
"Consumers might not anticipate that providing information for insurance underwriting purposes to one entity, for example, might later be used by a financial institution that is or becomes an affiliate," he said.
