As the July 1 deadline for compliance with Gramm-Leach-Bliley's privacy provisions nears, regulators are calling on banks to tighten their information security procedures. Institutions that don't move fast enough could find themselves on shaky legal ground, observers say.
The federal bank and thrift regulatory agencies have adopted guidelines requiring financial institutions to establish an information security program to identify and assess risks that may threaten customer information; to develop policies and procedures to manage these risks; to implement and test the plan; and to adjust the plan for changes in technology and other factors.
That spells trouble for some banks, experts say. "Not only are the regulators going to be on their backs, but you're going to have deceptive acts allegations by states and private action lawsuits," said Sai Huda, CEO of ComplianceCoach.com, a San Diego, Calif.-based consulting firm.
Two weeks later, Fleet updated its policy to prohibit the sharing of nonpublic customer information with nonaffiliated third parties without prior consent. Fleet said the timing of the new policy wasn't related to the lawsuit. "This newly updated policy is the result of over one year of extensive, company-wide research into this critical issue," said Agnes Bundy Scanlan, chief privacy officer at Fleet (and the first to hold the title).
The new Fleet policy is stronger than is called for under Gramm-Leach-Bliley, which merely requires banks to allow customers to opt out of marketing programs. Other banks, such as Bank of America and Wachovia, have gone even further, banning outright the sharing of information with outside parties for marketing purposes. The banks concluded that the hassles of administering an opt-out program plus the public relations benefits accruing from an outright ban outweigh any marketing revenues, said Huda. "Some institutions are making the conscious decision to lose some revenues, that it's more important to maintain the customer relationship."
Wachovia prohibited the sharing of information even with its own affiliates, although that shouldn't hurt revenues, Huda said. "They probably weren't making that much money by sharing with affiliates."
The opt-out provision is but one of the issues facing banks. Another provision requiring the mailing of privacy notices is a potential public relations booby trap. "Some of the banks may not realize that this is an opportunity to communicate with customers and build trust. So some of the privacy documents will contain legalese," said Huda.
The issue is further clouded by a loophole in the regulations implementing Gramm-Leach-Bliley that exempts banks from the opt-out requirement when a third party provides services on the bank's behalf and agrees to keep customer information secret. By simply calling their joint marketing agreements "service contracts," banks could thwart the intent if not the letter of the law, Huda said.
Still, the decision by some of the nation's largest banks to prohibit information sharing entirely says something about the impact of Gramm-Leach-Bliley's privacy statutes.
"There's a lot of implementation issues," said Huda. "You've got to do an inventory of what kind of information you have today, and how and what kind of sharing you do. Most banks haven't formally identified that."
Then there's the problem of honoring a customer's decision to opt out. "How are you going to make sure that when customers opt out that you actually do it? There's no way you can do that manually," Huda said.
Acxiom is touting its flagship customer relationship management product, AbiliTec, as a compliance aid. "AbiliTec is capable of quickly creating an accurate, single view of a customer," said Barrett, adding that this allows a bank not only to comply with the law but to improve customer relationships.