WASHINGTON - Six months ahead of deadline, most big banking companies have started complying with landmark consumer privacy protection requirements or are poised to do so.
Some have decided to get ahead of lawmakers and federal regulators by voluntarily adopting stricter data-sharing standards.
Such decisions and the logistics of compliance are proving to be arduous.
"They are sweating blood over their privacy policies," said L. Richard Fischer, a partner at the Washington law firm of Morrison & Foerster who is advising numerous banks, insurance companies, and securities firms on how to meet the new standards. "They are spending not hundreds, but thousands of person-hours putting these things together. The exposure from a reputation standpoint, the exposure from a risk standpoint, makes every word critically important."
Indeed, controversies over handling customer information have generated negative headlines. For example, FleetBoston, which is expected as early as today to make an announcement involving its privacy practices, was sued last month by the Minnesota attorney general, who charged that a FleetBoston mortgage unit improperly shared account numbers and other confidential data with telemarketing companies.
Federal regulations were issued last year to implement the privacy provisions of the Gramm-Leach-Bliley Act of 1999. The regulations require financial companies to send annual notices explaining how they use customer data and offering customers a chance to block sharing of their information with third-party marketers. (The regulations provide exceptions for banks to share data with contracted service providers, law enforcement, and for other limited business reasons.)
The regulations technically took effect Nov. 13, but federal officials delayed enforcement until July 1 to give firms ample time to comply with the complex rules.
Over the past month Bank of America, Citigroup, First Union, SunTrust Banks, Wells Fargo, and Wachovia began posting the new policies on their Web sites and dropping millions of customer notices in the mail. Most of these institutions have chosen tri-fold brochures prescribed by regulators and have started mailing them to customers in monthly, quarterly, or yearend statements.
Though the look of the notices is similar, their content varies widely. "You will see quite a range of privacy policies," Mr. Fischer said.
Privacy law experts have said that the primary decision for financial institutions is whether they will share customer information outside of their corporate family.
Bank of America and Wachovia decided not to share any customer information with third parties. That freed the companies from having to provide a chance to opt out.
"There is nothing for Wachovia customers to opt out of," said Beverly Wells, executive vice president of retail financial services for the Winston-Salem, N.C., banking company.
However, to offer their customers the products and services of other companies, Bank of America and Wachovia are marketing these products themselves, directly to their customers, instead of through a third party.
On the other hand, First Union, SunTrust, and Wells Fargo have decided to share information about their customers with outside companies. Those companies in turn solicit the banks' customers to sell financial products and services, such as credit cards and insurance. As required by law, the banking companies have provided customers with a mechanism (usually a toll-free phone number, e-mail address, and mailing address) to block that information from being shared.
Most of the institutions that have announced their new privacy policies give customers opportunities to block more information than the law requires. For example, some institutions, including First Union and Bank of America, give customers a number of choices on how the bank may contact them for marketing purposes.
"Going above and beyond the law, we recognize that our customers may have preferences about how we let them know about products and services, so we're giving them more choices about how we contact them," a First Union spokesman said. "A customer in the past could say only, 'I don't want to be contacted for anything,'" he said. Now, First Union customers can still opt out of all bank marketing, or, for example, choose to be contacted only by mail but not by phone or e-mail.
Though Gramm-Leach-Bliley does not limit the sharing of customer data among affiliated companies, the regulations under the Fair Credit Reporting Act were recently revised to correspond with the financial reform law. Those regulations require institutions to give customers an annual, instead of the previous one-time, opportunity to block such nontransactional information as customer income from being shared with bank affiliates.
However, Fair Credit does allow transaction information, such as account balances, to be shared. Otherwise, the same customer service representative could not give a customer his checking, credit card, and mutual fund balances, or allow a customer to pay his credit card bill at the bank branch.
Officials there said they had other reasons than trying to stay ahead of any future privacy laws. From a marketing perspective, the company decided that it was beneficial not to have to explain the difference between affiliates and third parties to customers, some of whom might see the differences as legal hairsplitting, said Mark Rogers, SunTrust group vice president and marketing information manager.
As a practical matter, SunTrust, which does not have a credit card affiliate, does not have the same business needs to share information across the corporate family.
Several major banks started mailing privacy notices late last year. (First Union began Dec. 7.) In doing so, they undercut an argument that industry representatives used last spring in seeking to delay the rules' effective date. The argument was that financial companies could not be ready to mail the privacy notices by yearend.
Some banks had also warned that privacy notices could be overlooked by customers more interested in holiday cards and celebrations. "The resulting deluge of privacy notices mailed in December in the midst of the normal holiday mail crush would overburden consumers at a time of year when this type of notice is likely to get little attention," Thomas J. Ryan, a lawyer for American Express Co., wrote in a comment letter to regulators.
Bank of America privacy executive Robin K. Warren said the company began mailing its 66 million notices Jan. 1 and will continue mailing through April. Company officials decided to mail six months in advance of the deadline because "we had the policy in place; it wasn't a change in our practices, so we were ready to go," Ms. Warren said.
"We felt like we wanted to be out front in letting our customers know what we're doing," she said. "Beyond that, some of our lines of business may give customers only an annual statement."
Like most banks, Bank of America is including its privacy policies as inserts in statements.
To ensure that Bank One notices are not overlooked among marketing materials usually enclosed with statements, the Chicago company is preparing a four-page booklet prominently marked "important privacy notice" that will be separately mailed to its 55 million customers in April and May.
"We're sending it separately so we'll be sure customers will read it," said Julie F. Johnson, the company's chief privacy officer. She noted that each customer will receive only one notice, no matter how many accounts he or she has with Bank One, which is considered by many to be a technological feat. Most institutions said customers with multiple accounts will get multiple notices.
Compliance means much more than just mailing the notices.
"The big banks have climbed a mountain since last year in just finding out the complexity of their data use," said JoAnn Barefoot, an Ohio-based bank consultant and former deputy comptroller of the currency.
"The biggest learning experience we had was uncovering how many areas of the company were touched by this activity. It was broader and more expansive than what we had anticipated," said Mr. Bussard of SunTrust.
"That included indirect auto lending, mortgage brokers we buy mortgage loans from, student loans made through a placement office, our marine lending business; all of those customers have to be notified on an ongoing basis," said his colleague, Mr. Rogers.
Ms. Johnson of Bank One described the process as a cultural change.
She said the company is changing its account-opening processes, creating new technology to cross-match all customer accounts so that customers will get only one mailing. The company is reviewing all of its contracts, revising forms, and training employees, she said.
"Though there's a school of thought that customers would like it if you promised you never made secondary use of their information," she said, "the reason many have not actively publicized their policies is that most banks want to have the opportunity to use that data pretty freely."
Industry experts said banks will have to explain the value of their policies to the customers or risk losing them.
"It's up to the institutions that decide to continue to share information to explain clearly how they are doing it and why," said John Byrne, senior counsel at the American Bankers Association. "There will be tremendous benefits for customers, but it's up to the institution to explain it."