July 28, 2003

Banks that create and maintain check image archives on behalf of their customers have control over a potentially valuable source of marketing information. But tapping into that information requires careful consideration of state laws and national laws such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).

According to W. John Funk, Esq., shareholder and director at Gallagher, Callahan & Gartrell, a Concord, N.H.-based law firm, the overlapping provisions of GLBA and FCRA do not necessarily prohibit certain types of data mining activity.

For instance, suppose a customer writes a check to an insurance company or a stockbroker, helpfully including a detailed notation on the memo line. "We believe it's perfectly permissible to use that type of information to market products and services to your customer," said Funk. "The Gramm-Leach-Bliley Act does not restrict how you can use your own customer information that you develop as a result of your relationship with your customer, provided that you inform your customers of your practices in your privacy notice."

Furthermore, information about the counter-party to a check transaction may fall outside the scope of GLBA provisions. "Under Gramm-Leach-Bliley, your legal duty is to your customers," said Funk. "To the extent that the check images contain information about persons who are not your customers, you don't have any legal duty under the Gramm-Leach-Bliley scheme as to how you treat that information."

FCRA also contains relevant exemptions. "It exempts the sharing of 'transactional or experience information' from the definition of what is a consumer credit report," said Funk. "It basically says that that type of transaction or experience information can be shared without the limits that are imposed by the FCRA."

"The information from checks fits within this exclusion," added Funk.

Nevertheless, banks would have to state its practices within its privacy notices to consumers, and provide opt-out provisions if any information were to be shared outside of the bank. "You want to make certain that your privacy statement is broad enough to encompass data mining that you might include in the future," said Funk.

There's also the open question of whether bank regulators would take kindly to data mining on check image data. "We haven't gotten an opinion yet," said Funk. "I'd expect that it might involve somewhat of a long deliberative process in dealing with the regulators in this practice area."

In the meantime, it might be safest to wait. "Privacy isn't an area that you mess with at all," said Frank Mukri, spokesman for the Office of the Comptroller of the Currency. "All the regulators - the Fed, the OCC, the FDIC - are really going to crack down if you cross that line."

Funk spoke at a Webcast sponsored by Orbograph, a Billerica, Mass.-based check recognition technology provider that works with AFS, Jack Henry and Wausau Financial.