A Hot Issue
Information privacy - information about the consumer - is one of the hottest growing areas in regulatory compliance. It has captured the attention of Congress and has already led to significant reforms in the Fair Credit Reporting Act.
Invasions of privacy - or what the consumer feels is an invasion - make great stories. The stories capture the hearts and attention of Congress. Congress tends to capture the attention of the regulatory agencies. When that happens, the industry is the next to know.
Computers and the Internet bring new dimensions to the issue of customer privacy and the misuse of information. Competitive marketing has driven many businesses to get access to and use consumer information in new and aggressive ways.
These changes are the fuel on the consumer information protection fire. The banking industry will need to take proactive steps in order to prevent additional regulation. And if additional laws and regulations develop, they will be onerous.
The only way the industry can have a real voice in the direction that information privacy takes is to self-regulate. The American Bankers Association has taken an important step to lay the foundation for this kind of self-regulation. On July 21, 1997, ABA announced that its Board of Directors had approved a set of privacy principles for ABA members and their customers.
The principles are not earth-shattering. They simply establish a logical and fair approach to the use and protection of customer information.
- The principles begin with recognizing the customer's expectation of privacy. This entails being sensitive to how customers want or don't want their information to be used or shared. The ABA also recommends making information about privacy protection or information about financial privacy available to customers.
- Second, the principles recommend that institutions only collect information that is useful to the customer's interests and the institution's business interests. The principles recommend against collecting information that is not needed.
- Third, maintain accurate information. This means keeping it updated and complete. Not only is this important for business purposes, it can have compliance significance as well. For example, maintaining current information on customers may help to support an effective CRA database. Of course, current information is invaluable for marketing purposes and for product development.
- Fourth, limit the access of bank employees to information. How, when, and for what purpose information may be used is an essential component of a compliance policy. Effective limitations on information use can also prevent inappropriate use that embarrasses or angers the customer. Most important, policies and procedures on information use are important for compliance with the Fair Credit Reporting Act, the Bank Secrecy Act, and similar laws.
- Fifth, establish security procedures to protect information. This includes protections from unauthorized use both from inside and outside the bank.
- Sixth, place restrictions on when and how account information can be disclosed. Although the bank can disclose information on its own experience with the customer to third parties without becoming a credit reporter, the information should only be released when a legitimate business purpose has been established. The ABA principles provide the customer's request, either as a direct request or by initiating the transaction, as a touchstone for releasing information. ABA also recommends following the new FCRA's "opt out" procedures before releasing information about customers to third parties.
- Seventh, when sharing customer information with third parties, take steps to ensure that the third party has adequate customer information privacy policies and protections. Customers expect this kind of protection from banks, not only when dealing with the bank, but also when information is sold to or shared with a third party. Failure to impose this kind of protection could easily be seen by customers as a betrayal.
- Finally, share the institution's privacy policies with the customer. Knowledge is power. That principle - disclosure - underlies many consumer protection laws from Truth in Lending through Truth in Savings. Sharing information about the bank's information protection policies helps the customer to know exactly what to expect - and what not to expect.
These principles are sound. They are fair and they are a good business practice. Although generally applicable to any aspect of the business of banking, these principles should get special attention in sensitive areas including reporting and use of credit information and the sale of bank deposit and non-insured investment products. How banks use their customers' information and how banks treat their customers will have a great deal to do with how many customers banks have in ten years.
- Find out whether your bank has a customer information policy. If you have one, review it by these ABA recommended standards. If your bank doesn't have a policy, begin working on one.
- Review how your bank compiles and stores data on customers. Determine whether there is a central customer database that can be updated with current customer information. If not, consider making a recommendation for one. Support the recommendation with additional uses such as marketing and CRA analysis.
- Develop a consumer information brochure on customer information and information privacy. This could include information about the FCRA as well as information about your bank's policies.
- Schedule an educational meeting with your credit reporting service. This is an opportunity to learn about their privacy protections (such as what they do with information you provide to them) as well as to discuss ways to work together.
- If your bank is part of a holding company, organize a working group on customer information privacy. Discuss how to coordinate the use and sharing of information while maintaining adequate privacy protections and compliance with FCRA.
Copyright © 1997 Compliance Action. Originally appeared in Compliance Action, Vol. 2, No. 10, 8/97
First published on 08/01/1997