WASHINGTON - By July 1, banks will have mailed one billion privacy notices to their customers to comply with provisions of the Gramm-Leach-Bliley Act.
Financial companies used to view this deadline as a sort of endpoint to their privacy obligations under GLB but now increasingly see it as a starting line. As it turns out, the time and expense it took to craft and disseminate privacy notices may foreshadow yet more onerous privacy tasks ahead.
With a shifting landscape in Washington and apparently renewed life at the state level for initiatives, many experts now think all kinds of new burdens are possible, some much sooner than could have been anticipated even a month ago, before control of the Senate changed hands.
How soon? This year is not out of the question, in some minds. Richard H. Harvey Jr., chief privacy and compliance officer at Chevy Chase Bank and a former enforcement official at the Office of Thrift Supervision, said Sunday at the American Bankers Association's Regulatory Compliance Conference that the situation on Capitol Hill is far from certain. "As you know," he said, "Congress might not be done with privacy this year."
What some experts now see is the beginning of an era in privacy regulation that could find financial institutions required to integrate privacy policies into every one of their businesses. They will have to watch any third-party service provider they hire - such as check printers, account aggregators, and credit card processors - to make sure no one is abusing access to sensitive information. They will have to train employees to spot imposters who try to wrest account information by telephone.
"We're only a couple of weeks away from July 1, but as everyone knows, this is only the beginning," said John Byrne, senior counsel and compliance manager at the conference. "July 1 is not the end of the story."
U.S. bank customers are variously estimated to be getting 15 to 25 notices apiece explaining how their financial institutions handle their personal information. The same institutions must update and send out notices again next year and every year.
But speakers at the ABA conference warned that notices are only the appetizer. At a packed workshop on privacy, identity theft, and due diligence, Mr. Byrne said that more stringent privacy regulation may be coming down the pike, both at the state and federal levels. California's recent move to set up an "opt-in" environment - in which companies could not share data unless their customers explicitly permit it - may produce a "ripple effect" in other states, he said.
Moreover, he said, the new tilt in the Senate, and new leadership in the Banking Committee, brings heightened scrutiny of privacy. "Sen. Sarbanes is much more interested in holding privacy hearings and considering privacy legislation than his predecessor, Sen. Gramm," Mr. Byrne said. Whether or not new legislation is passed, he said, the attention of Capitol Hill will remain on protecting consumers' privacy.
Karen Shaw Petrou, a managing partner at the consulting firm Financial Analytics, told the conference in a keynote address Monday morning that, with the shift in the Senate, "the heat is going to be up, for sure." Ms. Petrou said she doubted that new legislation would take shape on predatory lending, but new privacy laws, she said, are a harder call.
"There's not much time left in the schedule," she said. "My bet is there won't be legislation this year, but don't call me if I'm wrong."
Mr. Harvey told the roughly 150 banking officers who attended the privacy workshop that taking a one-time inventory of their institutions' data sharing practices is inadequate. Federal guidelines, such as those concerning data security measures like monitoring and encryption, ought to be taken seriously, he said. For "guidelines," he offered, try substituting the word "regulations."
Mr. Harvey said that instead of just offering friendly guidelines, regulators seem to be making unofficial demands. "I've been on the phone with regulators," he said. "And they keep saying things like 'you must.' "
Chevy Chase Bank, a $12 billion-asset thrift headquartered in McLean, Va., sent out its privacy notices in March. Since the bank does not sell customers' information to third parties, it did not have to offer an opt-out. "There was nothing to opt out of," said Mr. Harvey in an interview after the workshop.
In the workshop, he asked the audience how many had sent out their privacy notices, and almost all the hands went up. But when he asked, "How many of your notices are clear and conspicuous?", fewer than 10 hands went up, followed by some chuckling.
Ms. Petrou cited a 5% opt-out figure so far. She said 5% probably is not the proportion of customers who want to opt out but rather the percentage of people who slogged through their privacy notices.
"I have come to the conclusion that disclosures don't work," she said. "People don't read them, and they don't understand them."
Mr. Harvey said Chevy Chase set up a privacy task force, with representatives from all business lines, that meets weekly. "You have to make sure everyone is singing from the same sheet of music," he said.
Every bank employee is also a consumer, he said. And with the proliferation of identity theft, all Americans are growing concerned. "Just as it happens to our customers, it's also happening to our employees," he said.
Robert Douglas, a former private detective and the founder of American Privacy Consultants Inc. in Alexandria, Va. - which has worked for both Chevy Chase Bank and the ABA - confirmed the growing menace of identity theft. In 1992, he said, 32,000 incidents of identity theft were reported. In 2000, the total was at least 500,000. Each case, he said, cost an average of $17,000.
Mr. Douglas said that, though laws are on the books to prosecute identity thieves, federal agencies have been lax on the issue. Criminals know that, even if they are caught, they will not be punished severely, he said.
Mr. Douglas showed the audience what is available for sale on the Internet these days: magnetic stripe card readers that can alter the data on cards (such as credit limits), blank cards, card-printing machines, and so-called PIN code hackers. All available for a special package deal of $650.
"Your customers can see this," he said, and it will prompt them to worry.
Various information brokers on the Web, he said, enable a total stranger to acquire your Social Security number; medical, marriage, and driving records; bank and credit card account numbers; stock, bond, and securities data; and telephone numbers (whether published or not). Brokers can get these data simply by calling a financial institution's customer service line and asking for it.
"You must be using PINs and passwords for any account authentication," he urged.
"You are seeing an awful lot of institutions not making that changeover," Mr. Douglas said, citing advisories put out by the Office of the Comptroller of the Currency this year and last. "The institutions that are using PINs and passwords are succeeding in keeping identity thieves out."
Ms. Petrou said that some foresight and self-regulation could have kept privacy and predatory lending from becoming trouble spots. "Had we seen these issues two or three years ago, we might have avoided the litigation and legislation," she said.
Potential sources of trouble to watch now, she said, are nonbank companies - such as account aggregators - that are doing bank-like tasks. These companies do not do audits and do not self-regulate, she reminded the audience. Thus, banks should be wary when offering their services or linking to their Web sites.
"Right now they're just moving information, but some plan to move funds," Ms. Petrou said. "That gives me pause."
Though no one may be concerned just yet, these are "issues on the horizon that are not yet crises but have the potential to be," she said. Ms. Petrou said she could envision without difficulty how cutting a few regulatory corners on e-commerce could lead to foul-ups that are "embarrassing, costly, and disruptive - to the industry as a whole, as well as to the individual companies."