Managing Privacy: After Privacy Policy Makeover, U.S. Bancorp Covets Recognition

The way that Richard J. Hidy, U.S. Bancorp's chief privacy officer, sees it, his company gets no credit for the work it has done to improve its privacy policies since 1999.

It was in that year that a predecessor bank agreed to pay a $3 million fine to settle a high-profile suit in which Minnesota Attorney General Mike Hatch accused it of selling customer information to a telemarketing firm. Since then, much has changed. The Gramm-Leach-Bliley Act of 1999 has taken effect, requiring banks to send privacy notices to their customers. U.S. Bancorp merged with Firstar Corp.

And the new company has adopted what it calls an airtight privacy policy, one that includes more protections than are customary or required - but one that still draws criticism in some quarters, a reaction that frustrates Mr. Hidy.

When the attorney general's lawsuit hit it, U.S. Bancorp tried to "deal with it as adversity," Mr. Hidy said. "We built a state-of-the-art privacy policy. At the highest levels, there is that commitment."

When it revised its privacy policy, the Minneapolis company tried to follow the spirit and the letter of the settlement in which U.S. Bancorp had agreed to stop selling customer data to third parties, he said.

Now, instead of selling customers' account numbers, names, and Social Security numbers to a company that then called the customers to hawk products, U.S. Bancorp does more than most financial services companies to give its customers a respite from telemarketers, Mr. Hidy said.

Unlike many banking companies, U.S. Bancorp lets customers "opt out of all telemarketing and direct mail" solicitations, he said.

The Gramm-Leach-Bliley Act created a "big exception" to the opt-out rule by letting issuers share information with affiliate companies, even if customers opted out of data sharing, but U.S. Bancorp is not taking advantage of this exception, he said.

Another Gramm-Leach-Bliley loophole lets issuers share customer data with outside companies with which they have formed "joint marketing agreements," even if customers opt out of marketing programs, but "we said, 'That is not right,' and we will let people opt out of telemarketing," Mr. Hidy said.

Under its current privacy policy, U.S. Bancorp reserves the right to sell encrypted information about customers to telemarketers, but Mr. Hidy said this does not mean that the company is doing so or that it is trying to use sneaky semantics to resume the practices the Minnesota attorney general condemned.

"We are not trying to get around legal restrictions to take advantage of our customers," Mr. Hidy said. "That isn't the way it is."

On the contrary, the company's past problems persuaded it to change its practices and beliefs, he said. "It's characterized as if U.S. Bank had a problem a year ago and so what they have done is reengineered things to get around that problem. We are not getting acknowledged for the leading-edge privacy policies that we have today."

Because U.S. Bancorp was the first banking company the Minnesota attorney general targeted for its information-sharing practices - prosecutors have since gone after FleetBoston Financial Corp.'s mortgage division, which Washington Mutual Inc. bought this year - the Minneapolis company took the brunt of the blame for what was then considered a common industry practice.

The suit against U.S. Bancorp prompted other banking companies, including Wells Fargo & Co. and Bank of America Corp., to step forward and say they would stop giving data to third-party marketers. Thus, these companies came out smelling sweeter than U.S. Bancorp, though they had been doing the same thing.

"We became an example," Mr. Hidy said. "U.S. Bancorp was caught in the headlines," but "the perception was different than the reality. As the attorney general said, it is nothing different than many banks do."

U.S. Bancorp's executives couldn't help but feel they were being singled out somewhat unfairly, Mr. Hidy said.

Even so, then-chief executive Jack Grundhofer said at the time of the settlement that the lawsuit had "compelled us to step back and look at this industrywide practice."

Since then, Mr. Hidy said, the company has made a periodic practice of combing through its privacy policy and revising where needed. The policy is followed to the letter, and suggestions for improvement are always solicited, he said.

"We think the lessons we learned are good ones," Mr. Hidy said. "The lessons are: Talk about what you do internally and externally; make sure [you are] aware of policies and consequences; and make sure [you are] able to articulate your commitment to privacy as an enterprise value and to safeguard customer information."

Mr. Hidy challenged fellow bankers to look at U.S. Bancorp as a model for enlightened actions on privacy. "If you look at our Web site, if you parse through what that is, we have a leading-edge privacy policy now," he said. "If you ask our senior management, they can articulate it and are proud."

The Minnesota attorney general increased the stakes in the privacy debate last December by filing suit in Hennepin County District Court against Fleet Mortgage Corp. The suit alleged that the lender gave account numbers to a telemarketer, which then allegedly billed customers for membership programs they had not approved.

The case, which has not yet gone to trial, goes further than the U.S. Bancorp suit in that it seeks to hold Fleet Mortgage responsible for any fraud committed by the telemarketer in using the account numbers.

Prentiss Cox, a Minnesota assistant attorney general, said the fraud implications could be substantial: The attorney general's office obtained a copy of a Fleet Mortgage survey of its customer service representatives. About 25% of the incoming phone calls fielded by the reps were from customers complaining about unwanted charges for the services, according to the survey.

The lawsuits against U.S. Bancorp and Fleet Mortgage prompted several large banking companies to stop the practice known as "preacquired account marketing," Mr. Cox said. "Two years ago I would have said most major financial institutions are involved," he said. "Now, in large part because of suits we brought and resulting public pressure, several withdrew from this conduct."

The threat of continued lawsuits and legislation is having a stronger influence on privacy efforts than the much-discussed Gramm-Leach-Bliley Act, he said. "GLB may have had some positive effect on sharing information, but it was woefully inadequate to address privacy concerns of customers. In large part because of suits we brought and public pressure, U.S. Bancorp withdrew from this practice."

And Gramm-Leach-Bliley is "woefully inadequate to address the problem of allowing access to accounts," Mr. Cox said. "You as a marketer get to decide if a customer consented" to buy a product.

The only prohibition in Gramm-Leach-Bliley is a provision that bars financial institutions from disclosing actual account numbers, Mr. Cox said, but it allows the sale of encrypted numbers, which amounts to the same thing as selling the account number itself. "The encrypted number goes back to the bank. They decode it and charge the account."

Gramm-Leach-Bliley also makes an exception for joint marketing agreements, which Mr. Cox called a gigantic loophole.

Mr. Hidy said U.S. Bancorp's souped-up privacy rules were created before Gramm-Leach-Bliley was passed. Moreover, the company's new management team is taking a forward-looking approach to customer care, he said.

"It's not a passing of judgment of how it was done in the past," he said. "We think of how we will do things in the future."

