As with their Y2K preparations, many bankers are working to ensure that privacy regulation compliance deadlines do not catch their institutions off guard.
Among the requirements of the regulations, which are part of the federal Gramm-Leach-Bliley Financial Modernization Act, is that individual customers be given notification of a financial institution’s privacy policy and the ability to opt out of information sharing. Many Massachusetts institutions are already gearing up for what experts say will cost the industry $1 per customer notification, which could add up to millions in the commonwealth alone.
Financial institutions have until July 1, 2001, to comply with the privacy guidelines for GLB, the Financial Modernization Act of 1999. However, most have already formed committees and begun the process of assessing what customer information goes where, both within the company and beyond to affiliated and non-affiliated third parties.
“Most banks are planning on sending out their [privacy] policies between now and the first quarter [of 2001],” said Tanya Duncan, director of federal regulatory and legislative policy for the Massachusetts Bankers Association.
According to Duncan, the only real change from what the majority of upstanding banks have done in the past is the disclosure that must be given to customers.
“We are the industry that has protected consumer privacy and has a long-standing history of doing that, and they just want to reconfirm that to their customers,” Duncan said.
In the privacy policy disclosure, the institution must convey whether non-public information is shared with non-affiliated third parties as well as the choice to opt out of any information sharing to those parties.
“Protecting our customer privacy isn’t really a new thing for us. We’ve always considered it very important,” said Kevin Shea, audit director and compliance officer of the $3.4 billion-asset Eastern Bank. A committee representing 12 departments within the bank was formed quite some time ago and has been meeting regularly, Shea said. “We’ve gone through and identified all the areas that we share information with … vendors, third party marketers. We’re in the process now of drafting our notification we’re going to send to our customers. We’ll be sending in the first quarter of 2001,” he said.
The notification must be sent annually, regardless of whether the customer received one the prior year. “We haven’t really come up with an estimate; there will definitely be a cost involved,” Shea said.
Part of that cost stems from how the disclosure is to be presented. “Under the regulations, it needs to be a separate document but it can go in the envelope with the statement,” Shea said. So, if statement stuffers are an alternative, the bank will probably take advantage of it, he said.
In addition to the notification, the bank is developing a training program for all employees who have customer contact. “It’ll be fairly extensive. We’ve got a 49-branch system and those people are going to need to be articulate [on the privacy policy],” Shea said.
With preparations for compliance being made, now would be a good time for financial institutions to ensure they have monitoring systems in place to detect attacks on the computer systems that hold customer information, said Rebecca Whitener, co-founder of Fiderus, a consulting firm for strategic security and privacy solutions based at Research Triangle Park, N.C. Ensuring the physical safety of customer information is a must as well, she said.
Assessing policies and practices and drafting a plan can be overwhelming to banks with a small staff, so many are hiring outside consultants and attending seminars on privacy, said Duncan.
“That’s where we come in. We’ve been very active with small banks, guiding them, helping to determine the regulations and conducting workshops … We are helping banks in terms of education and give them some of the tools they need. In terms of actually writing the policy, some of them are working with consultants,” said Duncan.
But banks don’t have just one privacy requirement to worry about, according to Tom Scalavino, vice president of compliance at the $2 billion-asset Compass Bank. Banks have to comply with GLB, the Right to Financial Privacy Act, the Electronic Fund Transfer Act, the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act. And that’s just on the federal level, not counting what the state may pass.
“There were some conflicting issues between the GLB and Fair Credit Reporting Act. The GLB refers to opt-out provisions for non-affiliated third parties and mentions nothing about affiliated parties. However, the Fair Credit Reporting Act says if you are going to share information with your affiliates, you must give the customer the opportunity to opt out. So, in this case, we will probably give our customers the option for both,” he said.
Compass has also been active in pursuing the privacy disclosure notification far in advance of the deadline.
“It is costing some time. Primarily it’s time to have a privacy task force [in place] … It’s going to be an expense we didn’t have to incur before,” said Scalavino, who maintains that Compass did not wait for federal regulations before ensuring its customers’ privacy.
“It’s not that there are too many regulations, but out of our own ethical standards we do strive to maintain confidentiality. It gets blown out of proportion and then they force regulations upon us,” he said.
Opting Out
Consumer groups such as the U.S. Public Interest Research Group see it differently. PIRG argues that without such regulation consumers aren’t aware of their rights, and it cites alleged abuses of consumer information privacy, such as the suit brought by the state of Minnesota against U.S. Bank for selling customer information including social security numbers and checking account numbers.
Ed Mierzwinski, consumer advocate with the Massachusetts PIRG in the Washington, D.C., office, said the group will push customers to use the new opt-out rights. “We will be encouraging consumers to opt out. It is our strong view that there is no difference at all between an internal affiliate transaction share and one of these third-party shares. We think the law ought to be amended by the new Congress,” he said.
Shea said he isn’t worried that customers will opt out to a large extent because the bank has worked hard to protect customer information in the first place. “This isn’t really new news to our bank or most banks. It will reinforce the trust the public will have in the banking system,” Shea said. But Scalavino foresees a possible problem with the opt-out option. “Once you say ‘block me out,’ electronically right now you’re going to be blocked out of everything,” he explained. Customers who opt out may not realize their own bank offers a particular service they see another bank advertising. “We might get complaints the other way – ‘how come bank X offers this product and you do not?’ We can’t choose and select which ones we block,” he said.
There are distinct advantages to being on these lists, Scalavino said. “If we can explain those benefits, that’s fine. If the customer still wants to opt out, we’re going to listen to them.”
Saying customers may miss out on product opportunities is erroneous, according to Mierzwinski.
“We’re not against any sharing that has to do with your existing account,” Mierzwinski said. “[But] my bank never offers me a lower-priced credit card; other banks do. My bank wants to keep me at the highest rates possible.
“The banks whine that GLB is too complicated. It’s only complicated because of them.”
GLB affects not only banks, but all organizations that fall under its definition of “financial institution,” which includes mortgage brokers and lenders. Banks have traditionally been bound to a higher level of privacy requirement than other financial institutions, said Whitener of Fiderus. GLB places on these non-bank institutions the same regulations to which banks are subject, she said.
“The implementation of privacy is on par with Y2K. Probably not as costly, but as far as time and some of the resources that are involved. [Employees] from the board and the trustees to the security and cleaning personnel will be affected by the [legislation] and will have to understand clearly what the policy is,” said Duncan.
To ensure banks are taking the proper steps toward the compliance deadline, federal agencies like the Office of Thrift Supervision are checking up on them. The OTS recently announced it will ask banks, during regular inspections, to show what measures are being implemented and has issued a compliance checklist.