Privacy Rules: The Consumer's Perspective
Topic number one at the CAC's meeting was the drafting of new regulations to implement the privacy provisions in FinMod. As with many new rules, the regulation-writing process involves more hair-splitting than attention to principles.
The committee working on privacy discussed two key issues: providing notice to joint account holders, and what information should be considered publicly available.
David Ramp, Assistant Attorney General of Minnesota (remember the privacy lawsuit against USBank?) discussed concerns that the law contains an exception that could "swallow the rule." Section 502(b) permits sharing certain information with non-affiliates for business purposes even where the customer has elected to opt out. This section permits the bank to share customer information with non-affiliated third parties, such as a marketing firm, for the purpose of selling the bank's products. The exception does not apply to the general sale or sharing of information for any other uses.
Ramp is concerned that there is a "tremendous financial incentive" to fall within the exception. The availability of the exception turns on whether the product is "financial." He advised the Board that the rule should provide clear standards for this definition. Ramp expressed concerns that a broad definition would enable financial institutions to use this exemption for the types of information uses that Congress intended to prohibit.
Some members also questioned whether the rule could be bypassed by using or sharing an account identifier other than the account number. Both of these concerns are based on the assumption that financial institutions will look for technical loopholes to enable them to use customer information for bank profit.
In other discussions of how to split hairs - what could or could not be done under the rule - there was a concern that the burgeoning technical abilities to use customer information constitute a constant temptation to find ways to evade the rule for profit. Whether banks actually do this may have a direct impact on future rulemaking and new laws.
There were several interesting suggestions made. Daniel Morton, Senior Counsel of The Huntington National Bank, suggested that the Board define "financial" by referring to bank and holding company powers. This would make any product offered by the bank or holding company subject to the rule.
Robert Elliot, retired Vice Chairman of Household Finance, suggested that the rule should focus on empowering customers rather than anticipating and trying to prevent harm.
Disclosures
The committee as a whole urged the Board to deal effectively with the issue of clear and conspicuous disclosures. Ramp objected to the tendency he sees for banks to bury opt-out disclosures by placing them in the nether regions of the agreement.
The typical disclosure he sees begins with the "platitudes" about how the bank values the customer and the customer's privacy. However, the important information dealing with the customer's actual rights and options is placed much later in the document and put in smaller type.
Ramp went on to say that he believes the opt-out question is secondary to other bank practices. For example, he sees a difference between selling account information and using credit history information to pre-screen customers.
Joint Account Holders
When more than one person is on the account, who should receive the opt-out notice? Should it be joint or should each account holder receive the notice? And what if one but not the other account holder opts out? What can the bank do with the information about the account in that case?
If these questions aren't enough, consider the customer who holds more than one account in a bank. Should that customer receive an opt-out notice for each account or one single opt-out? What may the bank do if the customer opts out on one account but not others?
Ramp supports the one-notice concept. A single notice would focus on the customer and the customer's desire for privacy rather than on the much more complex account relationship. Morton, a banker, agreed that the notice and opt-out procedure should be "person-related rather than account-based."
Publicly Available Information
There was an interesting discussion - but no recommendations - on publicly available information. One approach to defining "publicly available" would be to limit the definition to information that the bank actually acquired from public sources. This would mean that even though the appraised property value could be obtained from public records, the information that the bank obtained through its appraisal would not be publicly available information.
If the agencies were to broaden the definition to include any information that could be obtained publicly, what steps should a bank take to determine whether specific information is publicly available? For example, should a bank be required to determine whether a customer has a listed or unlisted phone number?
Watch for how the agencies treat these issues in the final rule.
What should banks do with this? Hairsplitting notwithstanding, there are steps banks can and should take to make individual privacy a reality and regulatory burden less so. There will be regulations and these will be based at least in part on consumer concerns. After all, that's why the law was passed in the first place. But banks can take some steps to make the goal of privacy a reality.
First, don't lose sight of the basic principles behind this law. Information about individuals belongs to the individuals. They share their personal information when it is necessary to obtain a product or service, such as a loan from a bank. Their reasons for sharing the information are only to obtain the product or service. They did not give the information to the financial institution to have it put to any profitable use the institution thinks up. Although some banks may have used customer information for the bank's profit, the reality is that the information never belonged to the bank in the first place - it belonged to the customer.
Second, financial institutions offer very few products and services that don't rely fundamentally on some evaluation of the consumer - and therefore the consumer's information. This is the business purpose for which the information is shared. The only other use by the bank that the consumer might expect would be the maintenance of the account and the consumer's interests in it. Going beyond the customers' expectations and using the information for purposes that are not on the customers' wish lists is asking for trouble.
Finally, consider the new privacy rules as an opportunity to build trust - the customers' trust in the bank. Develop policies and implement practices that protect the privacy of your customers.
ACTION STEPS
- Prepare now to advise - and keep advising - everyone in your bank to consider the consumer's perspective in every proposed use of customer information. Don't grow a culture of hairsplitting the rules to justify profitable but questionable uses of information.
- Request your attorneys to develop model clauses for use with third parties such as service providers and marketing firms that require them to maintain protections for bank customer information and that prohibit them from making any other use of the information.
- Audit any entity using customer information to ensure that they stay on the script and do not use information inappropriately or illegally.
- There is an inevitable tension between the goal of marketers to sell and the bank's obligation to protect its customers' privacy. Think of ways to strike the best balance in your bank. And think of how you can effectively control this process.
- Find out how your bank stores, retrieves, and uses customer data. Think about how the suggestions made by the CAC would work in your bank. Describe any technical problems in your comment letter.
Copyright © 2000 Compliance Action. Originally appeared in Compliance Action, Vol. 5, No. 5, 5/00