Putting a Positive Spin on Privacy

Flashback.

The year is 1999. The shackles imposed on banks by Depression-era laws like the Glass-Steagall Act are about to be removed by Congress, just as the Internet is finding its way into the mainstream business vernacular. Concerns over individual privacy, elevated by the rush of commerce to the Internet, are introduced into the congressional debate, and a new set of consumer financial privacy laws became the quid pro quo for industry deregulation.

Fast forward to 2002. Banks and other financial institutions so far have distributed more than a billion privacy notices in compliance with the Gramm-Leach-Bliley Act of 1999 (GLB), at a total cost in excess of $2 billion. The notices detail (often in tedious legal terms) each institution’s procedures for ensuring the privacy of customer information, and the right of individuals to stop any sharing of information about them with third partiesu00e2u20ac”a so-called “opt-out.” By most estimates, about 3%-5% of customers actually took an opt out.

Those who were most likely to opt out, however, were among banks’ most lucrative customers. In a report last December, Forrester Research estimated that consumers who took the GLB opt out last year controlled about $34 billion in assets.

Although personal privacy has taken a back seat to national security in the aftermath of September 11, there remains a strong undercurrent of public suspicion that banks are not attentive enough to consumer privacy concerns. Evidencing this notion, several states are considering or have enacted laws that impose more onerous privacy protections than GLB. In California, for example, lawmakers are considering a bill that would require banks to obtain explicit customer approval (a so-called “opt in”) before sharing information about them with affiliates or non-affiliates.

“It would benefit financial institutions to consider that there is an undercurrent of continuing concern about this issue,” says Lauren Weinstein, a Los Angeles-based privacy advocate. The flurry of disclosure pamphlets brought about by GLB did little to address this concern, Weinstein insists. “The sense is that banks did the minimum necessary to avoid legal repercussions,” she says.

Forrester’s research suggests banks could pay dearly for this, because many of the disaffected are affluent customers. “Today, 69% of consumers are highly concerned about privacy,” wrote Forrester analyst Kenneth Clemmer in reporting the research. “These privacy-concerned consumers are educated and experienced online, but they’re not convinced they’ll be protected by the Gramm-Leach-Bliley Act.”

Mary Beth Guard, an Oklahoma City-based banking attorney and executive editor of BankersOnline.com, understands.

“I’ve seen some opt-out letters that were just shocking,” says Guard. She observes that some bankers were downright annoyed at having to jump through regulatory hoops to explain policies for protecting customer privacyu00e2u20ac”policies that had been in place at banks alreadyu00e2u20ac”and that annoyance was evident in the “bitterness and anger” with which some disclosures were written, she suggests.

Rob Rowe, regulatory council with the Independent Community Bankers Association says many community bankers were perplexed by the GLB disclosure requirements. “Our members have always been very mindful of the need for customer confidentiality and privacy,” insists Rowe.

“There’s an implicit agreement between consumers and banks that information will be held privately. Customers know that if something goes awry the bank will take care of it,” explains Maggie Scarborough, a former banker who now heads up VisionSharp Strategies, an Ellicott City, Maryland-based consultancy.

“Privacy and the secure, proper handling of customer information is an issue that goes to the heart of the relationship between any business and its customers, regardless of size, market or industry,” said Kenneth D. Lewis, chairman and chief executive officer of Bank of America, at a privacy conference held in Washington in late March. “Our customers’ trust is ours to win or lose, and the stakes are high.”

Jim Harper, a Washington-based lobbyist and editor of Privacilla.org, an online privacy resource with a pro-technology bent, says Congress and the regulators missed the mark with GLB. “The Gramm-Leach-Bliley notice and opt-out requirements advance privacy very little at enormous cost to the vast majority of consumers,” insists Harper. “It’s really an antimarketing rule.”

Clearly, marketing was at the heart of the GLB privacy provisions. New and evolving database and computing technologies make it possible for banks today to slice and dice customer information and compose customer profiles instantly. Using these profiles, banks target marketing pitches to those individuals who are most likely to accept a message, rather than the old scattershot approach to marketing financial products and services.

Proponents say it’s a win-win situation. Yet some consumer advocates feared the practice could lead to widespread sharing of information and increased harassment of consumers by unwanted marketing solicitations. GLB rules stipulate that banks and other financial companies provide customers with yearly disclosures of the type of information they might gather and share with unaffiliated third parties and the individual’s right to request that information about them not be shared with those other firms. There are some obvious exemptions.

A lot has changed since 1999, however, and changes ushered in by the war on terrorism have cast privacy concerns in a new light. “The events of September 11 make it clear that privacy is not, and cannot be, an absolute right,” says Howard Beales, director of the Federal Trade Commission’s Bureau of Consumer Protection.

For bankers, this has meant disclosing more information about customer accounts to law enforcement groups investigating terrorist and money laundering activities, while simultaneously assuring regulators and customers that they’re doing all they can to protect the confidentiality of customers’ individual financial information. “It’s a difficult balancing act,” says Guard.

Nobody expects Congress to rescind the privacy provisions in GLB, and pending state initiatives (like the one in California) seem to guarantee ongoing public debates over privacy. Besides, experts note, the bulk of GLB compliance costs were upfront, e.g., systems development and integration and database creation to support customer opt-out decisions.

BankersOnline.com, in a survey report earlier this year, estimated the average financial institution spent $235,000 on technology initiatives related to customer privacy disclosures in 2001; the largest holding companies spent in excess of $800,000 on average. This year spending should decrease by one-third, according to the bankers
surveyed.

Beales, the FTC’s lead consumer protection advocate, hopes banks will spend more wisely this year on privacy disclosures that are sent in accordance with GLB and its regulatory dictates.

“I think there is agreement that in general the first round of GLB notices didn’t score very well in the ‘consumer friendly’ column. In part, that is because notices were too frequently seen as regulatory compliance documents, not consumer information documents,” he wrote in a March report detailing the FTC’s privacy agenda.

Beales balks at suggestions that regulators prescribe specific formats for privacy notices. He says that approach “risks homogenizing privacy choices, rather than differentiating firms that truly excel at providing privacy.”
Harper believes banks that take their customers’ privacy concerns seriously have little to worry about, and he urges banks to compete on the merits of their privacy policies. “Banks need to get out there and aggressively market privacy,” Harper says.

BofA seems to be taking that route. The megabank announced in March that it has given the National Consumers League an unrestricted grant for a public marketing campaign on identity threat. The campaign includes public service announcements, special websites, educational materials, and other resources. Identity theft is seen as a major privacy concern, and efforts to control it rank high on consumer protection agendas, both inside and outside of government. Credit card fraud, the most obvious form of identity theft, is believed to be a multibillion dollar a year drain on the U.S. economy, with banks taking some of the largest hits.

“As Americans with a shared stake in the continued economic strength of our country, we’re are all on the same team here. We just have to keep reminding ourselves,” says BofA’s Lewis.

Rowe of the ICBA worries that small community banks don’t have the resources to compete with large banks on privacy issues. “I just don’t know if it would work with community banks,” says Rowe of Harper’s suggestion.

Says Scarborough, the banker turned consultant: “To do so could be interpreted as an admission that maybe they haven’t been treating information privately.”

And lest we forget, trust does go to the heart of the relationship between bankers and their customers.