In announcing a privacy settlement with Chase Manhattan Corp. earlier this year, New York Attorney General Eliot Spitzer said that new technology has put us in an "electronic fishbowl."
As banks wait for the final regulations governing the privacy provisions of the sweeping Gramm-Leach-Bliley Act (GLBA), state legislators and attorneys general are already taking action. The issue, and the intensity with which consumers and elected officials are rallying around it, are forcing banks to monitor their policies on consumer data with a watchful eye to new technology.
Many see the privacy issue as a paradox that will continue to unfold as new technologies emerge and become mainstream. "From customers' point of view, people love (online book merchant) Amazon because they know the books you bought and keep a record. Customers want a richer experience but have not come fully to grips with this," says D.R. Grimes, vice chairman and CEO of Net.B@nk, Alpharetta, GA. "People don't like the idea of (Web) 'cookies', but they don't want to enter information every time they go to the site."
In signing the GLBA into law on Nov. 12, President Clinton himself said he "did not believe the privacy protections go far enough." The seriousness of the issue and the ambiguity of the law are now spurring financial institutions to draft privacy policies and disclosures, while leaving them open to revision until regulations are finalized next month.
The American Bankers Association, for example, set April 20 as a deadline for all its members to have privacy policies up on their Web sites. But even in privacy sessions at the association's community banking conference in February, speakers noted that while it was important to get started on privacy policies early, there may be need for adjustments later on.
Some banks that already have carefully worded online privacy protections note that plans are in place to further tweak their policies once the final regulations have been approved.
"Our policy will become more explicit, it will include more details, as opposed to now where it's more general," says Robert Ellis, senior vice president and delivery channels manager with New Orleans-based Hibernia Bank. The $15 billion-asset bank does not share consumer data with marketers, but shares some data with affiliates and partner companies, such as mortgage insurance providers, which offer financial products the bank does not yet offer.
"Information is only shared with companies whose products we could bring in-house, and we are working toward that eventual goal of having these products in-house," Ellis says.
Refining the law
In general, the GLBA requires banks to give consumers an opportunity to "opt-out" of having their information shared with unrelated third-party companies for marketing purposes. In other words, whether consumers bank online or in person, they must be able to indicate to a bank that they do not want their information shared. It also requires that banks and financial institutions disclose their policies regarding the treatment of non-public personal information at the time of establishing a customer relationship and annually afterward. Non-customers who have provided personal information to a financial institution, such as people who applied for loans and were denied, must also be notified if an institution plans to share their information.
In implementing the act, financial regulatory agencies proposed rules on how to interpret the law, accepting comments until March 31. Final regulations are expected in May and could take effect in November.
Though the framework of the law is set in stone, the possible modifications in the proposed rules range from minor to potentially burdensome. One proposal the ABA sees as onerous is a requirement that banks police third parties' use of information, says John Byrne, senior counsel and compliance manager in the regulatory and trust affairs section of the ABA's government relations division.
For example, there is some data that banks must share with service providers in the course of business, such as providing names, addresses and account numbers to check printing companies. Although it is illegal for a third-party vendor to use that information for marketing purposes, some agencies are seeking comment on whether banks should be required to monitor those agencies' use of the data.
Other details still under debate include such questions as how to define "non-public personal information." In February an interagency working group that included the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corp. and Office of Thrift Supervision sought comment on two definitions of the term. The first construed it to mean any information provided by a consumer to obtain a product or service or conduct a transaction with a financial institution, even if the information is available from a public source. The second definition excludes information that is publicly available.
Similarly, although the GLBA states that privacy policies must be disclosed at the time a customer is acquired, the interagency council's rule would require banks to disclose privacy policies to consumers before they are contractually obligated for a product or service.
In other words, although the act set forth provisions governing privacy policies, "We are proposing what you have to say, when you have to say it, and how you have to say it," Anderson says. The Federal Trade Commission, National Credit Union Association, and Securities and Exchange Commission have issued similar proposed regulations.
But while many in the industry are wary of Gramm-Leach-Bliley, Federal laws are only half the battle. The law explicitly leaves room for states to pass even stricter privacy protections.
"On how to address (privacy) and how to voice concerns, the states pose a greater problem in the miles and the places where you'd have to travel to defend your point in every state," says Tyler Prochnow, attorney with Lathrop & Gage, Kansas City, MO.
Along with the Chase settlement, Attorney General Spitzer unveiled legislation that, among other things, prohibits banks and credit unions from disclosing personal financial information without "express prior written consent" of the customer, effectively creating an "opt-in" model. This is more stringent because it prohibits information sharing without a person's prior consent, whereas the opt-out model assumes information will be shared unless consumers explicitly bar an institution from doing so.
In California, State Assemblywoman Sheila James Kuehl is one of the sponsors of Assembly Bill 1707, which contains a similar opt-in proposal. Opt-out rules, she says, "put all the advantage toward the probability that financial information will be shared. When consumers submit information to an entity, I think they assume, maybe unrealistically, that their information will be used only for the purposes of that entity. This bill will ratify and reconcile the expectations of consumers."
Much like the federal regulatory agencies, Kuehl's bill also seeks to clarify the federal definition of non-public personal information. "We've changed that to personal information. In some contexts, your name and address are public because they are listed in the phone book, but not in the context of the value of your house," she says. "It's the context we're concerned about."
Growing attention on electronic privacy in prominent states such as New York and California makes it more likely that these trends will spill over to other parts of the country, some observers contend. The Washington State legislature is now considering a bill similar to the California proposal, and other states are expected to move on the privacy front. "New York and California are the acknowledged leaders in legislation, and things that happen in those states trickle down to the rest of the country," Prochnow says.
But should state bills pass into law, they will give banks compliance headaches. "Our branches are in Louisiana and Texas, and even though we are in two states it's tough to keep track of separate regulations. For banks with branches in many states it's a nightmare," says Ellis of Hibernia.
Bankers acknowledge they already feel pressured to go above and beyond the current law in the protections they offer to consumers. "There's no question it's going to get stricter," says Grimes of Net.B@nk. "There will be some good and some bad in that. It concerns me when the government, rather than the market, establishes what the standards are."
One of the surest signs of the mounting privacy pressure on banks is the uproar that has arisen over a form of financial aggregation known as screen-scraping.
First Union Corp. filed suit Dec. 30 in U.S. District Court in Charlotte, NC, against Secure Commerce Services, Princeton, NJ, doing business as Paytrust, alleging the company takes consumers' banking information from the Charlotte, NC, bank's Web site without its consent and stores the data insecurely.
The suit turns on the emerging practice of financial data aggregation, which, although of value to banks, also sounds alarms. "Customers have indicated they are in favor of the aggregation concept, and it's something we have to get to eventually," Ellis says. "But we've invested a lot in capturing the customer, and we are reluctant to release details to other parties."
In financial aggregation, customers' account information from different institutions is unified on one Web site. The benefit to consumers is that they are able to see all of their accounts in one view, says Matt Cone, chief marketing officer with Corillian Corp., Beaverton, OR, an online banking provider that last year began offering a financial aggregation product called OneSource. The system works through the Open Financial Exchange (OFX) standard to link with financial institutions, request information and deliver it to the Web site customers have selected as the venue from which they will view their information.
The controversy arises from a second method of gathering information in which customers provide their passwords and user-names to the aggregator, allowing it to log on and gather information from other institutions' Web sites on their behalf.
While the practice is controversial, Corillian and other aggregators maintain that through agreements and disclosure of passwords, customers have essentially provided the companies with limited power of attorney.
Says Cone, "It's doing what banks have for years provided to high net-worth individuals. In the past, you would have a private banker, and that person would review your paper statements and crank it into net reports. Now this is being done electronically."
Yet with a heightened responsibility to protect consumer privacy, banks worry that consumers aren't aware of all the risks. "From a customer perspective, we think they aren't fully informed as to privacy implications of sharing information to understand that by giving information, companies are storing it on their site," says Gayle Wellborn, director of customer advocacy for First Union Corp., Charlotte, NC, noting that aggregator sites might not be as secure as banks.
"The implied relationships with financial institutions provide a false sense of security," she adds. "Aggregators are not regulated and are not under the authority of regulatory authorities like the OCC. They can choose to what degree they want to put security processes in place."
In addition to the Paytrust suit, First Union has issued a set of standards it will require aggregators to follow. The requirements allow the bank to review aggregator activities and address issues such as privacy, security, confidentiality of data and indemnification against losses. "We are working with each of them to assess their processes and identify potential gaps to ensure we are comfortable with the process," Wellborn says.
The battle against screen-scrapers can be fought not only legally, but technologically as well. Drawing on new software, banks can now prevent screen-scraping by moving the field where information is stored on their sites by a few pixels every day. For the user, there is no visible change in the Web site, but for the aggregator that must pull information from a specific place on a Web site, the movement of information can foil the attempt to extract data.
Companies whose business is selling data also have begun adding privacy protections to their products as extra features. Acxiom Corp., Conway, AR, whose databases provide information on 95% of U.S. households, has included no-solicitation flags in its InfoBase TeleSource product. The flags identify consumers who have indicated they do not want to receive calls or mail by signing up for the state-managed "do-not-call" list and Direct Marketing Association's Telephone Preference Service and Mail Preference Service lists.
Ameritech's telephone Privacy Manager, meanwhile, has been a hit with consumers. The product is used in connection with Caller ID and, for a monthly fee, helps consumers screen out calls from unknown callers. Drawing 190 media stories in its first two days of release, the product may have spurred an increase in the sales of Caller ID, company officials say. In addition to an expansion to the full five states that Ameritech serves, the telco's new parent SBC plans to introduce the product in southern states as well. US West introduced an imitation called No Solicitation last year.
Such signals of public sentiment in favor of more privacy reinforce the ABA's advice to banks to create privacy plans geared toward the consumer, not the law.
"Part of what we are recommending is that banks don't just look at the regulations as simply 'comply with the new regulations and you are done.' Consumers are looking for a total commitment to privacy from all the institutions," Byrne says.