The Office of Thrift Supervision on Tuesday became the first federal agency to issue guidelines explaining how financial institutions should protect information they collect about customers.
The policy statement, calling among other things for disclosures of how thrifts intend to use customer data, is fresh evidence that federal regulators are dissatisfied with the industry's efforts to set privacy standards on its own.
Last week acting Comptroller of the Currency Julie L. Williams warned national banks to do better at protecting customer privacy or face strict regulations. The OCC plans to issue its own guidelines this month.
Some industry leaders said that while financial institutions are doing much that the OTS urges, the agency is overreaching.
"It seems much broader than any current law requires," said Marcia Z. Sullivan, director of government relations for the Consumer Bankers Association. "It could create some significant problems."
Particularly troublesome, she said, was the OTS guideline asking thrifts to detail how a customer's information will be protected and what happens if a customer chooses not to allow information sharing.
Compliance with guidelines, while expected by regulators, is not mandatory. And no fines can be levied for violations of guidelines. Still, most experts said regulations carrying stiff penalties are likely if banks and thrifts do not do more to protect customer privacy.
The OTS said that when customers open accounts, thrifts should explain whether the information will be shared with affiliated or non-affiliated parties and what happens if the customer declines to provide the information. Thrifts should also describe the methods they use to ensure confidentiality and provide customers with a way to review the accuracy of the information.
Going a step beyond the Fair Credit Reporting Act, the OTS said customers should be allowed to nix thrifts' sharing of data with unrelated companies. The law's "opt-out" provision only covers information shared within a financial company. Information sharing with unaffiliated companies is mostly regulated by state laws.
Reaction to the new guidelines was mixed.
"I see it as more paperwork," said Eric Sandberg, president of the Texas Savings and Community Bankers Association. "When there is an abuse by somebody or a select group of people, the tendency is to use a sledgehammer to kill the fly rather than a flyswatter."
David E.A. Carson, chairman of People's Bank, Bridgeport, Conn., cautioned the government against choking off the flow of customer data. "It is the availability of information that makes credit easier to obtain by customers," he said.
America's Community Bankers president Paul A. Schosberg said the debate over customer privacy will dominate the coming decade, and acknowledged the industry has had mixed success. But, he added, "Banks should take the burden of self-regulation and of self policing and of protecting customers without waiting for the regulators to act."
Lindy J. Friedlander, senior vice president for corporate research and development at Washington Mutual Inc., said her thrift already gives consumers significant control over their personal data. For instance, the thrift lets customers opt out of cross-marketing programs and it never sells customer data to outside vendors.