Members of Congress bickered at length over privacy provisions before passing the Gramm-Leach-Bliley financial modernization bill last fall. And even though the bill has become law, the debate is far from over. Federal banking regulators released proposed privacy regulations this month, but Massachusetts legislators are pushing a more stringent version for Bay State banks.
Brighton Democratic Sen. Steven Tolman and Mattapoisett Democratic Rep. William Straus filed H. 4994, which would require customers to sign a form allowing their banks to share the information. The Banks and Banking Committee earlier this month delayed action on the bill until June so they can review federal regulations. The Straus/Tolman bill follows a bill filed by Lt. Gov. Jane Swift last year, which includes tougher rules for banks and would strengthen the state’s identity theft law.
The federal law provides that state law will supersede it if the state regulations provide for more consumer protection. That could result in a patchwork quilt of varying laws across the country, creating new challenges for the banking industry. Just in New England, divergent state privacy laws would create headaches for interstate banking companies like Peoples Heritage Financial Group or FleetBoston. And not only banks, but other financial institutions like mutual fund firms, insurance companies and brokerages will face the hurdles.
“One of the biggest difficulties, not only for banks but any financial services firm that’s operating multistate or nationally, is to have a series of different laws,” said David Floreen, senior vice president of the Massachusetts Bankers Association. “The extra operational costs are very significant.”
It is also unclear how the state would track financial companies that do business in Massachusetts for compliance with the law.
Other New England state legislatures are examining privacy but none has filed bills, said Dale I. Zelony, director of legislative services for the Community Bank League of New England. She predicts that most of the states will look at laws, except New Hampshire, which has fewer consumer protection laws.
“It is clear that just like Y2K was the issue last year, privacy will be the issue this year, particularly because it’s an election year,” Zelony said.
The financial modernization bill broke down the Glass-Steagall law, making it easier for banks to enter other lines of business like insurance and mutual funds. The gains banks made with the passage of the law could be negated if privacy rules make it too difficult for them to offer new products, Floreen said.
Privacy has become a bigger issue for banks as they have become increasingly reliant upon cross-selling and electronic delivery channels. Consumers have become more sensitive to how their personal information is used as they conduct transactions on the Internet. In addition, high-profile crimes by hackers have highlighted the need for tight security of personal information.
It is hard to argue against privacy protection, Zelony said, but the provisions in H. 4994 would have serious ramifications for businesses. Massachusetts Attorney General Thomas Reilly has thrown his support behind the state bill, in part because he finds the federal regulations too lax.
“At the end of the day, the privacy provisions contained in the [Gramm-Leach-Bliley] act are softer than had been hoped,” said Assistant Attorney General Pamela Kogut. “One of the chief concerns is that the federal bill contains an ‘opt-out’ instead of an ‘opt-in’ approach to financial privacy.”
Lined up in support of H. 4994 are Lt. Gov. Swift and the Massachusetts Association of Insurance Agents.
Industry Opposition
The roster of industry groups opposed to the legislation includes the Massachusetts Bankers Association, the Community Bank League of New England, the Massachusetts Credit Union League and a number of insurance associations. The Retailers Association of Massachusetts also went on record against the bill.
The state bill could hinder community banks the most, since many market products to customers through third-party arrangements, industry groups said. Community banks usually share information with third parties to market products and services like insurance policies or mutual funds. They may also share information in the course of business by contracting with check printers, reporting to credit bureaus or selling loans in the secondary market.
National banking trade groups favor the more lax federal legislation recently released by regulators. The MBA and the Community Bank League have yet to weigh in on the regulations. The federal rules would require that financial institutions allow their customers to opt out of having their information shared with other firms, instead of the tougher opt-in clause proposed in the state bills. The opt-in clause would make it harder for banks to use the cross-marketing abilities they gained with the passage of financial modernization.
“If banks are required to have consumers opt-in, you need a certain critical mass to make marketing efforts worthwhile and they may not get it,” Zelony said. “Philosophically they don’t mind asking the question, it just may preclude some opportunities and loss of service [to] some of their customers.”
Many consumers do not take the time to read their bank statements, and are not likely to fill out a form and return it to the bank, Floreen said.
“You can send out a form and say ‘sign this form and we’ll send you $100,’ and I bet 99 percent of people wouldn’t send it back,” he said. “It would just not be cost effective for a community bank to mount the kind of campaign necessary to get people to opt in.”
Institutions would be required to give their customers notice of their privacy policies and practices at least once a year. Banks and credit unions can only share customer information with nonaffiliated third parties if they provide notice to the customers and an opportunity to opt out. Banks do not have to provide an opportunity to opt out when the nonaffiliated third party will perform services like marketing for the bank. However, the third party must contract to keep customer information confidential.
The comment period on the proposed rules lasts through March 31. The regulations will become effective on Nov. 13. Federal Deposit Insurance Corp. spokesman Stephen Katsanos said the agency has received few comments on the rules so far, but will likely receive more feedback near the end of the comment period.
The agency received a flurry of comments last year after it released a proposed Know Your Customer rule. Critics of the rule said it amounted to an invasion of customer privacy.
“Privacy’s a big issue,” Katsanos said. “As people become more and more comfortable with things like the Web, they think more about this.”
It’s also an issue that knows no borders. The Washington Post reported last week that U.S. companies, including banks, that collect personal information of Europeans may be required to follow Europe’s strict privacy regulations. In Europe consumers can view and change any information collected about them and can veto the sharing of the information with third parties.





