Hovering over the financial services industry for almost a year, the deadline for Gramm-Leach-Bliley privacy compliance will soon descend. By the time bankers scratch July 1 off their calendars, close to 50,000 financial institutions will have mailed up to 4 billion privacy notices, at a cost of between $1 million and $2 million just to print and post the new policy.
For financial institutions that share nonpublic customer information with outside parties (beyond the exceptions the law allows), the deadline has already passed; banks, thrifts and credit unions needed to mail their notices by early May to give customers enough time to opt out of such data-sharing, and themselves enough time to honor the requests.
But banks that don't share personal customer data beyond the "corporate family" can still slip their notices into the mail.
Fortunately, banks had a jump start, especially in complying with the data protection clauses in the law, which require safeguards for customer records and due diligence in selecting and monitoring outside service providers.
"Banks are in a great position," said Paul Reymann, president of U.S. operations for San Diego-based Compliance Coach, a regulatory resource and training consultant for the financial services industry. Reymann, a former senior policy analyst at the Office of Thrift Supervision, said, "Real estate brokers, mortgage brokers and other types of financial institutions that aren't traditionally regulated have a lot of work ahead of them. Information security is a whole new area they haven't been involved with before, but banks have. The difference now is they have a regulation over their heads."
High-profile cases such as Minnesota-based U.S. Bancorp's $4 million settlement with the state attorney general's office for selling customer account numbers and consumer credit information to telemarketers, and a similar lawsuit against Chase Manhattan in New York serve as reminders that customers do not take privacy and security breaches lightly. Last December, Minnesota attorney general Mike Hatch sued Fleet Mortgage, a subsidiary of FleetBoston, on grounds that it illegally shared mortgage-loan numbers with telemarketers, allowing them to bill customers' loan accounts for products never ordered.
"In every one of those cases, the focus was on the financial institution that did not keep its promise to its customers," said L. Richard Fischer, a privacy law expert and partner in the Washington office of Morrison & Foerster, to a packed audience at BAI's recent Audit Compliance Electronic Security conference in New Orleans.
"Under federal law and the laws of virtually every state, that's an unfair and deceptive practice. Right now there are probably 30 class actions on privacy grounds," said Fischer.
In February, 32 plaintiffs brought an $81 million lawsuit against Bank of America in U.S. District Court in Baltimore, alleging that the $672 billion conglomerate sold thousands of unauthorized consumer reports to outside parties. The action stems from claims that Bank of America employees acquired the reports from a credit agency and sold them to third parties.
No matter how seriously banks take privacy compliance, adapting their disparate financial systems and lines of business, with data often lodged in separate silos across the institution, posed more than a small challenge. Banks have long been able to store and fetch huge quantities of customer information and connect it to the operational systems that support loans, savings and investment products. But they have had to retool technologies geared to cross-selling and build new tracking systems to support customer choice, a task that acquisitions and mergers further complicate.
New banks had an obvious advantage over established institutions when it came to complying. Formed at the same time as the Gramm-Leach-Bliley privacy provisions, online Juniper Bank built privacy into its system from the bottom up. "We were very much aware of the Gramm-Leach-Bliley requirements and a lot of the technical difficulties involved," said Larry Drexler, de facto privacy chief and staff counsel at Juniper. "We understood what we would be required to do before we started business. One of the great technical challenges our competitors face is how to put the cow back in the barn and deal with all that information sharing."
Juniper's customers can create their own privacy profiles online, clicking on the types of products they'd like to receive offers for and the way they'd like the bank to contact them: by e-mail, mail or phone. "We don't have disparate systems," said Jeff Milne, information security officer at Juniper. "It's all in the same database, built into a centralized data repository."
Most banks didn't have it that easy.
Cleveland-based KeyCorp set to work on privacy compliance last fall. Like the Y2K crunch, "this is one of those things with a hard end date," said Robert G. Rickert, executive vice president and chief technology officer at KeyCorp.
Key's first priority was to build a database of opt-out customers. It then modified what Rickert calls its "customer-facing" systems so that tellers and call center personnel, for example, would know whom not to solicit. "We had to change the way we do direct mailings to introduce this new step in the computer run," he said.
The technical changes then had to translate into training. "We've built a lot of our systems to enable cross-selling, and that's in conflict with some of the privacy requirements," Rickert said. "We're wrestling with making sure that our employees don't inadvertently rely on their past behavior."
Painful as the technology challenge was, said Rickert, who puts its cost at between $5 million and $10 million, it could have been worse. Each time $84 billion KeyCorp went through a buyout or merger (Society Corp. and Erie County Bank, to name two of the many), it integrated its systems. "We only run one version of Hogan. When you've got to make changes for privacy, if you've got 10 versions of Hogan, that's obviously a lot more work than to change it one time."
Other banks have also benefited from integrating their systems. About four years ago Atlanta-based SunTrust consolidated most of the systems in what it calls SunTrust Southeast (its Tennessee, Georgia, Alabama and Florida footprint), so that it had one system for deposits and one for commercial loans and installment loans. When the $101 billion bank merged with Crestar a few years ago, it operated dual systems until May 2000, when it collapsed them, with the exception of an installment loan system that the bank is converting now, said Mark Rogers, marketing information manager at SunTrust. "That's the only system we have that is two legacy systems performing the same function."
Like KeyCorp, SunTrust sought a way to get information about its do-not-share customers to its front-line employees, information it held in its marketing database. "By the year 2000, such information became more complicated to track," said Rogers.
To get the information to its employees, the bank incorporated it into its customer relationship file system, or CRF, which most employees had access to. "It's easy for people in the company to screen out any sharing," said Rogers. All the bank's databases feed off the CRF. Holding the do-not-share flags in the CRF provided "some consistency across the board, as opposed to having one set of customers flagged one way in one system and not on another," said Cliff Bussard, direct marketing manager at SunTrust.
"If a customer opts out through any of our channels, through the Internet, an e-mail, the call center, a branch," Rogers continued, "the customer relationship group now gets that information and flags the customer. In the past, marketing did that, but it's actually more of an operational task."
With between 30 and 40 source systems for its accounting information, M&T Bank in Buffalo faced the challenge of making sure customers who chose to opt out were opted out of every system. The regional bank's data mart software gathers information from all its systems, so all the customer data comes together in one place. "But it's not linkable," said Lynn O'Connor, assistant vice president for retail marketing at M&T, which means "a lot of people in the bank don't have access to the opt out information. If you've opted out, how does a customer contact area know you've opted out? We need to be able to feed that opt-out information back into all customer contact areas."
M&T's solution: "We had to put a front-end mechanism in place for the customers to opt out and build a second database to store the privacy information and send it to the main database each month," O'Connor said.
Coming up with a design in a short amount of time while the policy committee was still putting together the privacy statement posed another difficulty. "We didn't want to overdesign something and make it overly complicated, but the privacy group had to understand that our systems don't all talk to each other," O'Connor said.
To integrate the data from multiple source points, "we ended up matching names and addresses, key information off each system and putting it into a database," said O'Connor. "If a customer wants to opt out, they can type in an account number to say what account. The system recognizes your account number and links all the people associated with it. And we find all the accounts you own. We create a mini database from all our systems and apply it against the larger database."
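The M&T procedure just described (match names and addresses keyed off each system, let the customer opt out by typing one account number, link every person on that account and every account those people own, then feed the flags back to all customer-contact areas) is shown below as an added Python example. It is illustrative code written for this article, not M&T's, Acxiom's or any other vendor's software. The three source-system exports, account numbers and names are constructed sample data, and the exact-match normalization of names and addresses is a deliberate simplification: production record linkage uses probabilistic matching, and a naive key both misses true matches (a customer whose address changed) and can merge different people who share a name and address.

```python
"""Consolidated opt-out registry across disparate bank source systems (illustrative)."""
import re
from collections import defaultdict

# Constructed sample exports from three source systems: account -> list of (owner name, address).
# Spelling and formatting differ between systems on purpose, as they do in real silos.
SOURCE_SYSTEMS = {
    "deposits": [
        ("DDA-1001", [("Jane Q. Public", "12 Elm St Apt 3, Buffalo NY 14201")]),
        ("DDA-1002", [("JANE PUBLIC", "12 ELM STREET #3 BUFFALO, NY 14201"),
                      ("John Public", "12 Elm St Apt 3, Buffalo NY 14201")]),
    ],
    "installment_loans": [
        ("ILN-77", [("Public, Jane", "12 elm st. apt 3 buffalo ny 14201")]),
        ("ILN-78", [("Sam Other", "9 Oak Ave, Rochester NY 14604")]),
    ],
    "mortgage": [
        ("MTG-5", [("John Public", "12 Elm St, Apt 3, Buffalo, NY 14201")]),
    ],
}

# Hypothetical, minimal abbreviation table; a real matcher would use a postal-standardization library.
ADDR_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "APARTMENT": "APT", "#": "APT"}


def name_key(name):
    """Canonical name: 'Last, First' -> 'FIRST LAST'; drop punctuation and single-letter initials."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    tokens = re.sub(r"[^A-Za-z ]", "", name).upper().split()
    return " ".join(t for t in tokens if len(t) > 1)


def address_key(addr):
    """Canonical address: uppercase, treat '#' as APT, abbreviate street words, strip punctuation."""
    tokens = re.sub(r"[^A-Z0-9# ]", " ", addr.upper().replace("#", " # ")).split()
    return " ".join(ADDR_ABBREV.get(t, t) for t in tokens)


class OptOutRegistry:
    """Assigns one link id per (name, address) key, standing in for a matching engine,
    and stores opt-outs against link ids so one request covers every source system."""

    def __init__(self, systems):
        self.links = {}                      # canonical key -> link id
        self.accounts_of = defaultdict(set)  # link id -> {(system, account)}
        self.owners_of = {}                  # (system, account) -> {link id}
        self.opted_out = set()               # link ids that have opted out
        for system, records in systems.items():
            for account, owners in records:
                ids = set()
                for name, addr in owners:
                    key = (name_key(name), address_key(addr))
                    link = self.links.setdefault(key, len(self.links) + 1)
                    ids.add(link)
                    self.accounts_of[link].add((system, account))
                self.owners_of[(system, account)] = ids

    def find_account(self, account):
        """Locate an account number in whichever source system holds it."""
        for system, acct in self.owners_of:
            if acct == account:
                return system, acct
        raise KeyError(account)

    def opt_out(self, account):
        """The customer keys in one account number. Every person on that account, and every
        account those people own in any system, is flagged. Returns the affected accounts."""
        people = self.owners_of[self.find_account(account)]
        self.opted_out |= people
        return sorted({acct for p in people for acct in self.accounts_of[p]})

    def may_share(self, system, account):
        """Fail closed: any opted-out owner blocks sharing on the account, and an unknown
        account is treated as opted out rather than guessed at."""
        owners = self.owners_of.get((system, account))
        return bool(owners) and not (owners & self.opted_out)

    def feed(self):
        """The periodic feed back to every customer-contact area: (system, account) -> opt-out flag."""
        return {key: not self.may_share(*key) for key in self.owners_of}


if __name__ == "__main__":
    registry = OptOutRegistry(SOURCE_SYSTEMS)
    print("accounts flagged by opting out via ILN-77:", registry.opt_out("ILN-77"))
    for key, flagged in sorted(registry.feed().items()):
        print(key, "OPT-OUT" if flagged else "ok to share")
```

Two design choices matter for compliance rather than convenience: an opt-out entered against one account propagates through the person, not the account, so the installment-loan customer who opts out is also suppressed on the deposit side; and `may_share` fails closed, so a joint account is blocked as soon as any owner opts out and an account the registry has never seen is never treated as fair game. The output of `feed` is the "mini database" that gets applied against each larger system on the monthly cycle.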
TOOLS TO COMPLY BY
In addition to regearing current systems, banks can also opt for new software aimed at taking some of the sting out of Gramm-Leach-Bliley compliance.
Acxiom, a direct mail data integration specialist in Little Rock, Ark., released new versions of its AbiliTec software in February. Operating like a search engine, AbiliTec identifies common data, such as a name and address, and assigns it a unique numerical identifier, or link. The link can be used to match records across distinct business lines and databases, providing a unified view of a customer. Acxiom said several large banks, which it declined to name, have used AbiliTec to help maintain their lists of opt-out customers.
"If a customer requests that you opt them out, to honor that you have to be able to find where you have information on that customer," said Jennifer Barrett, privacy leader at Acxiom, adding that AbiliTec not only keeps banks in compliance but improves customer satisfaction by helping banks implement customer choices.
The tool fulfills the Gramm-Leach-Bliley requirements, but also gives the bank the flexibility to give customers more choices. They can opt out of some product offers but not others. The software can also be adapted to accommodate future changes in privacy law. AbiliTec has already incorporated the new regulations around the Fair Credit Reporting Act that will likely be added to the privacy policies by next year.
Network Controls International (NCI) launched Privacy Act Compliance (PAC) in March. Like AbiliTec, PAC helps financial institutions unify customer information that may be splintered among various silos across the bank. It also claims to improve customer relationships. "PAC brings the customer data together," said Drew Lamparello, vice president of product marketing and management at NCI in Charlotte, N.C. "Banks need to be able to store customers' wishes in an organized fashion to manage the opt-out response."
Computer Sciences Corporation originally developed its Web-based privacy compliance software with an Italian bank, and launched it in the United States in March. Part of El Segundo, Calif.-based CSC's Hogan customer information system, the tool is "very user defined," said Donna Ewing, manager of Hogan products customer support at CSC. "We've talked about how no one understands or interprets the bill the same way. So we decided to give banks the flexibility to determine what they want their opt out options to be."
The tool allows up to nine choices for opting out. For example, a bank customer might choose to opt out of telemarketing but not mail marketing, or opt out of telemarketing for loans but not for deposits. "We polled eight or 10 domestic banks and asked what options they would choose, and they were all different," said Ewing. "That's why we gave them this flexibility."
CSC originally designed the tool to meet the tighter privacy requirements of the European Union. "We built it to a much stricter standard so if the U.S. decides to get stricter, we're covered," Ewing said.
Bankers Systems, a St. Cloud, Minn., compliance products and research firm that serves 83% of U.S. banks and other financial institutions, has developed PrivacyStateWise, an Internet tool that monitors state-specific financial privacy issues. The product is targeted for large banks that operate in many areas.
"If they have customers in 10 different states, they need to be aware of those laws," said Peggy Wilson, director of business communications at Bankers Systems.
A SHAKY COMPLIANCE
Banks might be Gramm-Leach-Bliley ready by July 1, but that doesn't mean they should bask for too long in the sun. They could still get hit by a variety of legislation requiring opt-in provisions or restraints on affiliate data sharing, such as that proposed by Sen. William Nelson, D-Fla. Sen. Nelson and Sen. Richard Shelby, R-Ala., have each sponsored bills to prevent financial institutions from selling their customers' Social Security numbers. President Bush's recent approval of new medical privacy rules augurs further changes for financial privacy law.
In many cases, Gramm-Leach-Bliley collides with more restrictive state laws, which take precedence over the federal law. Three states have adopted opt-in measures; they would require banks to get a customer go-ahead before sharing private financial information with affiliates.
Large, multinational financial institutions could also risk lawsuits under the European Union's more stringent privacy laws. Europe's data privacy law prohibits transfer of customer data from European Union countries to countries whose privacy laws are less restrictive. The "safe harbor" rules, designed to help U.S. companies meet the European requirements, exclude financial institutions.
"The problem is likely to arise for banks that do business across borders, and who have gathered information about German or British or French customers but who do their data processing in the United States," said Stewart Baker, an expert on privacy and computer security and partner in the Washington law firm of Steptoe & Johnson. "If they integrate that data into their databases, they are potentially in violation of European data protection laws because they are exporting data about Europeans to the United States, which the Europeans have deemed sort of the black hole of Calcutta for data protection.
"The Europeans have not been willing to treat Gramm-Leach-Bliley as adequate for their purposes."
And the Internet, of course, increases the liability potential even more. "You're going to get business from a variety of countries," said Baker. "The jurisdictional question in Internet banking is a tricky one. Cyberspace is a place where numerous countries assert control, and you have to be more sensitive to compliance issues on the Internet than in the brick and mortar world. That's going to be a big deal for bankers."