Regulators: Some Data May Be Free from Privacy Rules

WASHINGTON - Backing off earlier, stricter interpretations, federal regulators on Thursday said banks may be able to sell some customer data and still comply with privacy protections enacted in the Gramm-Leach-Bliley Act of 1999.

Moving to implement rules scheduled to take effect Nov. 13, the Federal Reserve Board and the Office of the Comptroller of the Currency proposed two ways to define publicly available customer information that would not be subject to the act's privacy protections.

Under the first option, information about customers that is available in publicly accessible media such as phone books and government records would be protected only when a financial institution obtained it as part of a customer transaction, for example, opening a checking account.

The second option, which would be easier on banks, would not protect any customer data that is already publicly available. Diverging from earlier drafts of the plan, the Fed said it prefers this option.

"I like the fact that they have suggested that information is 'publicly available' if it is available from a public source," said John Byrne, senior counsel and compliance manager for the American Bankers Association.

Mr. Byrne expressed concern that, according to the Fed's interpretation, simply the fact that an individual is a customer of a bank may be protected. That would mean a bank could not sell its customer lists to unrelated companies without first getting a customer's approval.

"We have to hash that out, but I do like the direction they are going in," Mr. Byrne said.

The proposal suggests that a bank would have to give a customer the opportunity to prohibit the disclosure of so much as a telephone number if the release of the number revealed that the customer had a relationship with the bank.

"The agencies seem to be in agreement that a customer list is nonpublic personal information, and I think a lot of people will be surprised to hear that," said Gilbert T. Schwartz, a partner in the Schwartz & Ballen law firm here.

Eight federal agencies must craft rules to enforce a controversial section of the Gramm-Leach-Bliley Act that allows consumers to bar the sharing of their "personally identifiable financial information" with unaffiliated third parties. This information may be shared freely among affiliated companies.

The act also requires financial institutions and other types of firms to disclose their privacy policies with regard to sharing consumer information with affiliates as well as unaffiliated third parties.

In addition to the Fed and the OCC, the other agencies writing privacy rules are the Treasury Department, the Federal Deposit Insurance Corp., the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission.

Regulators have been meeting frequently since the passage of the act in November in an attempt to craft common rules.

In a speech Thursday, Fed Governor Laurence H. Meyer said that the difficulty in enforcing the privacy provision was more practical than theoretical.

"Most important, our objective is to devise disclosure requirements and consumer opt-out procedures that protect consumer privacy without overwhelmingly burdening financial institutions or consumers," he said.

The second difficulty, he said, is getting eight regulatory agencies to agree on the terms of the rule by May 12, the deadline for a final rule set by Congress. Mr. Meyer said debate has focused on the process for allowing a consumer to opt out of information sharing and the way in which banks' privacy disclosures must be presented.

Comments are due to the Fed and the OCC by March 31.

Copies of the Fed's plan may be viewed at the Fed's Web site. The OCC's proposal may be found at the OCC's site.
