In a speech Wednesday on data-sharing practices, a top federal regulator said bankers should go beyond the letter of the law to maintain customers' trust and forestall new laws and regulations.
Julie L. Williams, chief counsel at the Office of the Comptroller of the Currency, said bankers should tell customers precisely what data they seek to sell, avoid giving credit card or account numbers to telemarketers, and voluntarily let customers block such exchanges.
"If customers are surprised and upset to learn that their bank has made available to third parties extensive information about their financial transactions -- information which they assumed was confidential -- they probably will not find it very satisfying to be told that the activities in question did not violate the Fair Credit Reporting Act," Ms. Williams told the California Bankers Association.
Wednesday's speech was by no means the first warning from regulators on banks' privacy practices. In July, for example, Comptroller John D. Hawke Jr. told a House Banking subcommittee, "It is the consumer's choice to give up or retain personal privacy, not the institution's."
But Ms. Williams' speech comes at a time when public policy debate over privacy rights is reaching a crescendo.
About 20 state attorneys general are investigating the data-sharing practices of some of the nation's largest banking companies with significant credit card operations, including Bank of America Corp., Chase Manhattan Corp., Citigroup Inc., Bank One Corp., U.S. Bancorp, Wells Fargo & Co., and other banks that were not identified.
State government sources said the probe, inspired by a Minnesota lawsuit against U.S. Bancorp in June, is in the information-gathering phase. None would say whether the banks were selected on the basis of their size, the frequency of customer complaints, or some other criterion.
But Vermont Attorney General William H. Sorrell -- whose office is coordinating the national effort, and who said he personally believes banks should be required to get customers' permission before sharing account data -- said he and his colleagues have their eyes peeled for possible violations of federal or state law.
"I don't think that it is crying 'Fire ' in the movie theatre when I say that 10 years from now, we may talk about the good old years of privacy in 1999," he said in an interview."Attorney generals and others are trying to stay abreast" of advances in data collection technology "and then to respond in accordance with what our current laws are," he said. If current consumer protection statutes prove insufficient, he added, attorney generals might push for even tougher laws.
"I think it's a great idea, and I encourage them to sue more banks," said Edward Mierzwinski, consumer program director at the nonprofit U.S. Public Interest Research Group. "We can wait until the cows come home for Jerry Hawke to do anything more than issue a few speeches."
The OCC itself has been conducting an informal survey of banks' data-sharing practices. According to Ms. Williams, a majority of the banks with big credit card operations have data-sharing deals with third-party marketing firms. Such banks typically charge a fee for use of the data, or claim 20% to 25% of the revenue generated by subsequent sales, she said.
On Capitol Hill, meanwhile, lawmakers debating financial reform are trying to iron out differences between the House and Senate over the legislation's privacy provisions. The bill passed by the House would require banks to notify customers about data-sharing arrangements with third-party telemarketers and give them a chance to opt-out. It would also prohibit banks from sharing customers' credit card or checking account numbers with telemarketers. The bill passed by the Senate contained few privacy provisions.