Plenty of Thorny Issues to Be Ironed Out in Privacy Rules

WASHINGTON - If depositors pay a fee to use another bank's automated teller machine, are they entitled to see that institution's privacy policy?

If a bank wants to sell its customers' names, addresses, and birth dates to a department store, should the customers be allowed to block it?

If an auto dealer accepts loan applications for a bank, which one - the dealer or the lender - should be responsible for disclosing the bank's privacy policy, and when?

These and many other questions confront the government lawyers charged with translating the new financial reform law into a comprehensive set of rules. The answers will dictate how banks, thrifts, credit unions, securities brokers, and other financial services companies operate for years to come.

Attorneys from eight federal agencies have five months to resolve myriad consumer privacy scenarios left up in the air by lawmakers. Proposed rules are expected to be issued for comment in January or early February. Final rules are due by May 12 and must take effect by Nov. 12. Congress, however, gave regulators leeway to extend that deadline - a move expected by many veterans.

"You've got a lot of agencies that have their hands in this," said John J. Byrne, senior counsel at the American Bankers Association. "I don't know how they'll set it up."

Neither do the rule writers. Interviews with government lawyers reveal they are still at square one; the turf battles that accompany most interagency rules are likely.

"The agencies are already divided on this," said David W. Roderer, a lawyer with Goodwin, Procter & Hoar in Washington.

"It's like building the Tower of Babel," said L. Richard Fischer, a partner at Morrison & Foerster in Washington.

To understand what government lawyers face, consider a bank that wants to sell its customers' names, addresses, and birth dates to a department store. Should it be required to check with customers first, or can it skip that step? The answer depends on whether the data are considered "public" or "nonpublic" personal information.

Under the Gramm-Leach-Bliley Act signed by President Clinton on Nov. 12, a financial institution that wants to share "nonpublic" information with a third party must first notify customers of the plan and give them a chance to block it. "Public" information, by contrast, may be traded without notification or consent. Bank lobbyists hope the term "public" will be interpreted broadly.

But agency lawyers are in for a challenge. After all, what makes information "public"? Is it the fact that the data can be found on the Internet or in public records such as bankruptcy filings or other court documents? That similar information may be bought from nonbank companies? That a private eye could track it down?

Birth dates, which can be obtained from motor vehicle records and other public sources, would meet some of these tests but not all, industry sources said. Names and addresses pose a thornier problem. Though both can usually be found in the telephone book or on the Web, the fact that a person is a customer of a particular financial institution cannot be discovered so easily.

Arguably, therefore, customer names and addresses should be considered nonpublic and subject to the tougher privacy standard.

Another term requiring definition by agency attorneys is the word "customer." Because the new law grants special privacy protections to customers, most bank lobbyists hope regulators will define the word narrowly.

That is far from certain, however. Take depositors who use another bank's automated teller machine on a one-time basis and pay a surcharge. Are they "customers" of the other bank, and therefore entitled to protections under its privacy policy?

Though Mr. Fischer called the idea "ludicrous," a government official deemed it possible. Under this scenario, ATM operators might have to post privacy policies next to their machines or have the policies scroll across the computer screen.

Government lawyers will also need to establish rules on the content, frequency, and delivery of customer opt-out notices, a subject on which the new law is vague. An opt-out notice will advise a customer of rights to block data sharing.

The worst-case scenario, Mr. Roderer said, would be a rule requiring banks to include a check-off box on every monthly account statement. "Lots of customers would do it," he said. On the other hand, he said, nothing in the law would explicitly prevent a bank from requiring customers to mail a letter at their own expense, even though just "one in four billion people" would opt out under that system.

Government officials said comments made by lawmakers as the new law was being debated will provide guidance in gray areas.

"You look to see what you can do within the four corners of the statute," said one. Beyond that, lawyers pore over statements made Nov. 3 and Nov. 4 on the Senate and House floors for further hints on the intent.

Legally, however, the regulators have a lot of room to maneuver.

"You take stabs at these questions," a government official said. "I suspect we'll get a whole lot of public comment."

Comment and criticism. Privacy legislation will resurface next year in Congress, where advocates will blast any rule that appears too soft and opponents will squawk if the rule seems too strict.
