Privacy: The New Hot Button

The new economy has brought sweeping changes to all manner of business—paper is out, digital is in, and information moves faster than ever through electronic distribution channels. With the pervasive use of data warehousing systems and more sophisticated marketing techniques, the massive volume of consumer data safeguarded by the banking industry has proven to be a valuable commodity. Indeed, some institutions, looking for ways to leverage this value, have transformed their customer data into income streams by sharing access with third-party marketers. But no sooner had banks realized the goldmine they were sitting on than the backlash from the public over such practices led to their undoing. Last year's Gramm-Leach-Bliley Act addressed consumers' concern about privacy rights and mandated regulatory oversight of consumer data protection. States have turned up the heat as well.

Feet to the fire

Privacy is the latest bugaboo for an industry that has weathered plenty of storms. Spurred in part by consumers' awareness of the ways in which information is sliced, diced, bought, and sold to the highest bidder, the issue of privacy protection has reached fever pitch among consumer advocates and politicians. Some states are forging ahead in this arena loudly and publicly. Minnesota Attorney General Mike Hatch has taken center stage—filing his fourth lawsuit in two years in December against Fleet Mortgage Corp., a division of FleetBoston Financial. The suit alleges Fleet Mortgage shared customer information with telemarketers without authorization, a charge the bank staunchly refutes. Hatch and other activists are convinced they need to put teeth into a law that was created to realize widespread financial reform.

A year ago Hatch made headlines with a similar suit against Minneapolis-based U.S. Bancorp, which was settled for $3 million in June 1999. U.S. Bancorp's CEO Jack Grundhoefer acknowledged at the time that such practices were industrywide; nevertheless, the attorney general's action got results. Upon settling the suit, U.S. Bancorp took immediate steps to review its privacy policies and quickly announced the addition of a privacy czar to protect the interests of its customers. In the wake of the well-publicized settlement, another win with the Fleet Mortgage suit could create a domino effect in other states.

Privacy, says Eileen Lyon, general counsel at Hawthorne Savings, a $1.7 billion federal savings bank in El Segundo, California, is “a hot button issue.” And anything that is a hot button with consumers and regulators is a top concern for directors, who have an overriding responsibility to ensure that privacy policies are in place and that they are adequately monitored. Though no directors have yet been named in a lawsuit, the fear of a class action always looms. In such cases, the directors' fiduciary duty extends beyond shareholders and investors to the very customers who are entrusting the bank with valuable, personal information. Furthermore, the proliferation of information technology and the Internet have exacerbated the public's worst fears. “Consumers are concerned,” Lyon says. “I myself am concerned about the privacy of my personal information. So I understand why this is a big concern for everyone.”

It is an issue, moreover, that reaches beyond the boardrooms of financial services behemoths and into the Main Street offices of community banks everywhere. Banks of all sizes face their first test on privacy in the form of consumer protections built into the Gramm-Leach-Bliley Act. A complex package of regulations was devised to implement the act's privacy provisions. Formally adopted last spring by the Federal Reserve, the FDIC, the OTS, and the OCC, the regulations took effect on November 13. They are to be phased in gradually, with a final deadline for full compliance of July 1, 2001. But regulators are eager to test the waters. OCC officials began last fall to query institutions under their supervision about the steps they were taking to prepare for full compliance. Bankers across the country are scrambling to make sure they will be ready to go.

“Privacy is quickly overtaking other regulatory risk issues in prominence,” says Matt Schriner, a Minneapolis-based managing director at RSM McGladrey, an accounting and consulting firm. “The most important regulatory activity that banks engage in over the next 10 years could be developing and implementing plans and policies to comply with tough federal privacy laws.” But crafting the policies and procedures to meet those obligations is only the start. Compliance with rules to safeguard the personal privacy of actual and potential customers is likely to be a top priority for bankers over the next decade and beyond, Schriner says.

Adds Lynne Barr, a partner with Goodwin Procter, a Boston law firm that advises banks on compliance matters: “I think people aren't yet focused on the fact that this will be an ongoing compliance effort that requires all levels of personnel within a financial institution to be sensitive to privacy in ways they perhaps weren't so sensitive before.” “Bankers themselves know this,” she continues, “but it may come as more of a surprise to bank directors than to somebody who's involved in operations on a day-to-day basis.”

Understanding the law

In a nutshell, Title V of Gramm-Leach-Bliley prohibits banks from sharing so-called nonpublic personal information about their customers with outsiders. If, for any reason, a bank decides it does want to share with a third party any of the personal information it has gathered, the law says, the bank must do two things. First, it must disclose to customers that it intends to pass along information about them. Second, it must provide each account holder the opportunity to “opt out,” thus forbidding the bank to share information about him or her. There are certain exceptions to the opt-out requirements, mainly involving day-to-day business operations like processing transactions, but they are limited.

At the heart of the maelstrom surrounding this issue is the opt-out provision itself. Designed as a means to control the authorization of the release of data, the provision makes it the customer's responsibility to contact the bank to bar any information sharing. Many states are pursuing a change in the law to require an “opt-in” provision, which would require banks to gain a customer's written consent before information could be shared with third parties.

No matter what a bank's practices in the past, every board of directors is required by the act to prepare, adopt, and publicize a formal privacy policy. Thus, the law affects even community banks that have not in the past shared customer information and have no plans to do so. At a minimum, it requires that they develop such a policy, send it out to existing customers annually, and show it to new customers at the time an account is opened or another relationship is established. Even banks that have developed Internet sites and may well have posted declarations of their privacy principles online must formalize those principles and bring them to the attention of customers who may not use the Internet.

Concern over implementing privacy policies is mounting. As Neil Blakeman, vice president for internal audits and compliance at Century Savings Bank in Bridgeton, New Jersey, put it: “We can't possibly conceive in advance of every situation that might arise” under the regulation. RSM McGladrey is cautioning its clients not to rush toward compliance, citing a “folklore” of questions and unresolved ambiguities in the regulations that has emerged since they were released. “We don't know what all the issues are yet. That means it's not a policy where one wants to be on the cutting edge,” says Schriner.

Peter Hong, government relations specialist at America's Community Bankers, raises several key issues. Most pressing is the question of whether a single privacy policy notification per household will suffice or whether each account holder in a household must be notified separately. In the extreme interpretation, he questions whether banks will be required to send a separate notification for every account each customer holds. “We're continuing to press the agencies for an answer on that,” Hong said in late December. If there is no clear answer, many banks might feel they must adopt the most conservative position, just to be on the safe side, even though such action will lead to a costly and wasteful flood of mailings that will irritate many customers.

The regulators` view

In general, regulators believe that banks are making satisfactory progress toward being in compliance by the deadline. “Our review has shown us that our industry is actually doing a good job to meet the compliance deadline,” says Richard Riese, director of compliance policy at the OTS, basing his comments on preliminary conversations its examiners have had with dozens of institutions since October. “People have taken to heart the guidance the regulators have offered,” he says. “We're not finding any consistent major problem.” Anecdotal comments by OCC examiners suggest that smaller institutions may have made less progress than larger ones. “One thing we've seen bigger banks doing is testing their notices,” he says. “Some of these bigger banks have conducted focus groups and sent out notices to groups of customers, and they've learned some interesting things about how those notices are perceived. We think that if small banks could do that, they, too, would find it helpful.”

It is extremely important to make sense out of the miasma of laws and regulations surrounding the privacy issue today. The oversight agencies have offered extensive written guidelines to help banks prepare for the compliance deadline. Senior management and boards of directors “are strongly encouraged to ensure that their institutions take all appropriate steps before the mandatory compliance date,” states the OCC bulletin. “There is a lot of information to absorb about privacy issues—the trouble I've had is just to internalize it all and feel that I have considered all the ramifications,” Hawthorne Savings' Lyon says. “There is a lot written—it's almost as if there is too much written—and not much good guidance about how to do it.”

The regulators, for their part, express confidence that they are providing adequate information. Ken Baebel, assistant director for compliance policy at the FDIC, says the agencies expect to have formalized interagency bank examination procedures ready for distribution by the end of January. “That should be helpful,” Baebel says, adding that an interagency compliance guide would be published by the end of January and made available on the FDIC's website. “We're trying to provide some very concrete suggestions, particularly on how institutions should approach it,” he says, “although, of course, the difficulty is that all institutions are dissimilar, and trying to make something that's this big an idea apply to particular institutions is tricky.”

Constructing a privacy program

RSM McGladrey recommends a six-part approach to building and implementing a privacy program. First, Schriner advises convening a privacy team with representatives from every part of the bank, because the privacy issue reaches into every part of the bank's operations. At Hawthorne Savings, this committee includes representatives from the lending group; the back-office operations group; and the technology, security, loan servicing, and finance departments. The committee, led by Lyon, has assessed the customer information collected in the bank's various operations and what happens to that information. “The kind of information we get about customers comes into different departments for different reasons,” she says. “For example, the deposit side deals with customers on one level, but the loan people deal with them on another level. We might have a complete divergence of the two sides, because we're not the kind of institution to have the kind of complete range of relations with our customers a commercial institution might have.”

Once this “information-sharing inventory,” as Schriner calls it, is complete, the committee is ready for the third step: reviewing the bank's strategic plan, including looking at the possibility that new products and services like online banking or investment advice will be offered in the future. Then a privacy policy must be developed that both meets Gramm-Leach-Bliley's disclosure and opt-out requirements as far as the bank's current operations are concerned and is sufficiently flexible to accommodate potential future changes. “You've got to look at what you're going to do tomorrow and how it affects what you're doing today,” Schriner says. He and others say it is well worth the effort to get the privacy policy right at the start, because it will be difficult to alter it once it is adopted. The fourth and fifth elements of McGladrey's approach call for developing the privacy policy and putting in place the procedures to implement it.

At the $130 million Metro Bank of Dade County in Coral Gables, Florida, Maria Elena Brito, vice president and compliance office director, says that her bank went to its outside services vendor, Bankers Systems, for help in preparing its privacy disclosures. Metro Bank also turned to computer consultants for help in modifying its computer systems to flag and monitor the accounts of people who exercise opt-out choices. Factoring in the cost of the additional outside services, Metro Bank was unlikely to spend more than $10,000 at the most implementing the new rules, including about $5,000 for the first annual mass mailing to customers in the first quarter of 2001, according to Brito.
