U.S. Bancorp's recent privacy settlement with the state of Minnesota contained some surprising provisions.
Two clauses offer the Minneapolis banking company potential escape routes from the agreement's harsher conditions. Under one, the Office of the Comptroller of the Currency may soften the 30-point agreement if it decides the deal puts U.S. Bancorp at a competitive disadvantage.
The other would let U.S. Bancorp merge its way out of the settlement's conditions. An acquisition worth $6 billion or more would release U.S. Bancorp and its successor from the agreement's terms.
Lee R. Mitau, U.S. Bancorp's general counsel, said the company sought a role for the Comptroller's Office. "The OCC has the expertise for regulating banks, and state attorneys general don't," Mr. Mitau said.
Eric F. Swanson, an assistant Minnesota attorney general, said his office is not ceding authority. "There are multiple players to be considered here, and the OCC is certainly an important one," he said.
The two loopholes aside, the state of Minnesota drove an extraordinarily tough bargain.
First, the most concrete provisions: a $3 million cash settlement, a vow to stop sharing customer data with affiliates upon the customer's request, and a pledge to repay customers who bought unwanted third-party products.
Mr. Mitau said the decision to cut the bank's ties to several telemarketing firms was easy. "We immediately said, 'To hell with it, we'll just get out of the business,'" he said. "It's not a big revenue source for us, and it was causing us reputational risk."
Minnesota's lawsuit charged the bank with violating several state and federal consumer privacy laws.
Beyond the headline-grabbing elements, the settlement also requires U.S. Bancorp to place simple "opt-out" forms in each of its 1,000-plus bank branches. Customers who fill out the forms and hand them to a teller must be shielded from data-sharing deals with either affiliates or third-party marketers.
The bank also accepted an extremely strict definition of "customer data."
If account holders say they do not want bank affiliates to market products to them, the bank may not give the affiliate their names, phone numbers, or 21 other pieces of personal information.
The agreement set a difficult test for U.S. Bancorp affiliates. To be considered an "affiliate," a firm must be 80% owned by the banking company. All other firms are considered third parties and subject to stiffer data- sharing rules.
For example, U.S. Bancorp is prohibited from letting third parties market nonfinancial services to bank customers, but bank affiliates are permitted to.
"It worked well from our view," said Mr. Swanson. "It made it a more pro-consumer settlement."
The agreement requires U.S. Bancorp not only to send annual privacy and opt-out notices to customers but also to use 14-point type in the document, leave it unfolded, and run it by the Comptroller's Office for approval.
If U.S. Bancorp agrees to settle with another state for more than $2 million, the bank must pay Minnesota an amount equal to the excess above $2 million. For example, if U.S. Bancorp pays $5 million to another state, it must pay Minnesota an additional $3 million.
Despite being tough, the settlement was probably better for U.S. Bancorp than a protracted, public battle over the sensitive issue of customer privacy. The two parties settled just three weeks after the lawsuit was filed.
"We are concerned that we have a public image now as a bad actor in this field," said Mr. Mitau, "and we think that's totally unjustified," He said many banks do far more marketing with third-party firms.
"But we're just trying to do the best we can in this situation," he said. "It was a good move to immediately drop out of this business."
When the settlement was announced, in fact, U.S. Bancorp used some public relations to convert its earlier shame into an advantage. In its own eyes, at least, the company moved from being a bit player in the cross- marketing game to an industry leader in the privacy movement.
Other banking companies appeared to agree. In recent weeks, Bank of America Corp., Wells Fargo & Co., and National City Corp. have revamped their privacy policies.
As to whether Minnesota plans to sue other banking companies, Mr. Swanson was cryptic. "I can't either confirm or deny whether we have investigations going," he said. "But we have a continuing strong interest in the issue."