After Congress returns from its August recess, there won't be much to prevent the Check Clearing Act for the 21st Century, known as "Check 21," from making its way through a joint conference committee. "They'll work out the minimal differences," predicts Michael Flood, senior analyst for banking in the regulatory advisory services group at KPMG LLP (New York).
Still, questions remain around what banks can do with their customers' check images. Tapping into that information requires careful consideration of state regulations and national laws such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with reputational risks.
According to W. John Funk, Esq., director at law firm Gallagher, Callahan & Gartrell (Concord, N.H.), the overlapping provisions of GLBA and FCRA do not necessarily prohibit certain types of data mining. Funk spoke at a Webcast sponsored by Orbograph (Billerica, Mass.), an imaging technology provider.
But it might be advisable to hold off until regulators weigh in on the subject. "Privacy isn't an area that you mess with at all," says Frank Mukri, spokesman for the Office of the Comptroller of the Currency. "All the regulators-the Fed, the OCC, the FDIC-are really going to crack down if you cross that line."
GOOD TO KNOW?
Here's the issue: Can a bank mine the data on a person-to-person check when only one of the parties involved is a bank customer? "We believe it's perfectly permissible to use that type of information to market products and services to your customer," says Funk. "The Gramm-Leach-Bliley Act does not restrict how you can use your own customer information that you develop as a result of your relationship with your customer, provided that you inform your customers of your practices in your privacy notice."
Furthermore, information about the counter-party to a check transaction may technically fall outside the scope of GLBA provisions. "Under Gramm-Leach-Bliley, your legal duty is to your customers," says Funk. "To the extent that the check images contain information about persons who are not your customers, you don't have any legal duty under the Gramm-Leach-Bliley scheme as to how you treat that information."
FCRA also contains relevant exemptions. "It exempts the sharing of 'transactional or experience information' from the definition of what is a consumer credit report," says Funk. "It basically says that that type of transaction or experience information can be shared without the limits that are imposed by the FCRA."
"The information from checks fits within this exclusion," adds Funk.
Given the appropriate privacy notices and opt-out provisions, such data might even be shared with outside parties.
But it's an open question as to whether bank regulators would take kindly to data mining on check image data. "We haven't gotten an opinion yet," says Funk. "I'd expect that it might involve somewhat of a long deliberative process in dealing with the regulators in this practice area."
What's more, once restrictions are clarified, banks will have to convince regulators and bank examiners that they do not misuse check image data. For example, even if banks are prohibited from using the preprinted address on deposited checks, the information might still be visible to bank employees with access to the image archive. That would call for access controls, security logs and oversight measures in order to prevent unauthorized use of any protected personal information.