New Series: 'Managing Privacy'

Two years ago, most financial institutions did not have chief privacy officers. Two years ago, Gramm-Leach-Bliley, with its groundbreaking privacy protection provisions, had not yet become law. Perhaps most significantly, two years ago, it was still possible to turn on a news or talk show, or open a general-interest magazine, and not encounter a feature on privacy or identity theft.

What a difference two years makes. Privacy is now solidly and centrally on the business agendas of most financial institutions, and certainly of those that wish to be major players in the consumer marketplace.

Just as financial convergence looks finally poised to take off - and pay off - consumer privacy concerns are casting a longer and darker shadow than ever before over cross-marketing and cross-sales. The stakes are clearly high.

Speaking of the logistics and business decisions involved in compliance, Joan P. Warrington, a former Citigroup Inc. general counsel who helped draft that company's privacy policy, said that new privacy requirements are raising "a lot of anguished operational issues."

Against this backdrop, American Banker today begins a weekly series called "Managing Privacy." Our goal is to take a 360-degree look at the business issues surrounding financial privacy.

The series, which will run through the summer and fall, will examine what companies are doing to meet their new regulatory obligations, as well as some of the unintended consequences of the new rules. It will also look at the various nuances implied by the term "privacy," which seems to mean different things to different constituencies.

The Internet and other sophisticated technologies have made privacy a hot-button issue in all parts of society. As reports about hacking, identity theft, and other data intrusions proliferate, every popular news outlet has weighed in on the topic, with most of them offering tips on how to protect oneself. The surge in consumer interest has helped jolt regulators, lawmakers, and corporate executives into action.

A survey of Fortune 1,000 executives by KPMG LLP found that addressing privacy issues is "now among the top priorities of corporate executives and almost universally expected to get bigger," with 55% of respondents saying they expect high-profile lawsuits against financial services providers.

"When Matt Lauer is talking about this on the 'Today' show, you know it's a big deal," said Mozelle Thompson, a commissioner at the Federal Trade Commission, speaking at an Ernst & Young Webcast conference on privacy last month. "This issue is not going away."

The FTC says it is taking a hands-off approach - for now. "Industry self-regulation has the chance to set the ground rules," Mr. Thompson said. "I think it's a tremendous opportunity for them. What's been disappointing to me is that they don't realize the opportunity."

Financial services companies say they are doing their best to comply with the laws, but they acknowledge that the management of privacy is taking a toll on budgets and business routines. Lawyers and chief privacy officers are busy parsing the terms of arrangements with partner companies and analyzing computer systems to make sure data do not accidentally stray. Vendor companies complain that the growing tangle of regulation has made bank clients hypersensitive and turned contract negotiations into lengthy legal struggles.

"There seems to be an ever-increasing drumbeat for privacy protection, yet there is not ever-increasing evidence of abuse," observed Brian W. Smith, a partner in the Washington law firm Mayer, Brown & Platt and former general counsel at MasterCard International. "I think there's a certain frustration on the part of the financial services community that they haven't even had a chance to demonstrate that they are doing a good job before people come to criticize their job as inadequate."

Ms. Warrington, the former Citigroup lawyer who is now a partner at Morrison & Foerster in New York, is among those who predict more lawsuits on the issue. She pointed to a suit brought by the Minnesota attorney general against the mortgage unit of FleetBoston Financial Corp. The company said in its privacy policy that it shared only the minimum amount of information necessary about a customer, but the attorney general asserted that Fleet was sharing more than the minimum, according to Ms. Warrington. The case, she said, shows how differing standards and semantic interpretations can cause disputes.

The July 1 deadline for notices "is just the end of phase one," Ms. Warrington said. "Basically banks are being asked to really do even more policing than they already do, and this will spread to all financial institutions."

One of Ms. Warrington's colleagues, Oliver Ireland, a former associate general counsel at the Federal Reserve Board of Governors, said the definition of privacy is a moving target. "A lot of different things are going under the umbrella of privacy right now, and it clouds the issue," he said. "GLB is more an anti-direct-marketing law - don't call me - as opposed to privacy."

Mr. Ireland, who has helped craft opt-out notices for several institutions, said that "perception is far worse than the reality" in terms of the public's concern over financial privacy but that banks nonetheless have only themselves to blame.

"GLB was a reaction in part to the fact that banks were a little slow in focusing on this issue," he said. "The result is that they have had a package of legislation that may cost people an enormous amount of money to comply with."

Charles Wendel, who heads the New York firm Financial Institutions Consulting, said the operational hindrances posed by the new rules will hurt cross-selling efforts and "relationship banking," in which people are offered products and prices based on their history with the institution.

"The concept behind relationship banking is that you can collect a tremendous amount of information about customers, share it, and exploit it," he said. "The rules are evolving and becoming more byzantine, and it's frustrating to the line managers."

As banks strive to branch out - into new lines of business, new partnerships, new delivery channels - they will increasingly find themselves bumping up against privacy rules, experts said. Issues of data-sharing and data protection will crop up everywhere, from policies about wireless account access and account aggregation to cobranding arrangements and outsourcing deals.

Mr. Thompson of the FTC said that companies have an "interesting and important opportunity" to find long-lasting policy solutions. "They should take that seriously. They should grab it, and they should run with it," he said.

