The New Privacy Law
- As a part of this policy, the act establishes that banks have an "affirmative obligation" to respect their customers' privacy interests. Anyone who thinks that this mandate doesn't hold much water should look to the history of the Fair Housing Act. That law directs the federal agencies to take steps to "affirmatively further the purposes" of the act. Compare fair housing regulation in 1999 to fair housing regulation in 1968.
- Second, the regulatory agencies must establish standards that ensure the security and confidentiality of customer information. There is already a great deal of guidance from the regulatory agencies on customer privacy. The guidance ranges from policy positions regarding the importance of customer privacy to detailed guidance on what to include in a policy.
Banks should anticipate any further action from the agencies by implementing procedures already recommended for accessing and using information in its traditional forms and in electronic forms. Security measures - ranging from locking up files at night to encrypting data - should be detailed, specific, and complete.
- Third, banks must give customers an opt-out right to prevent institutions from sharing customer information with non-affiliated third parties. The opt-out is the key to any future latitude banks may have to use customer information. If opt-outs are clear, easy to use, and effective, banks may stem further restrictions on information use.
The Comptroller of the Currency has already made clear that tiny, hidden, or otherwise obtuse notices are not effective. This approach borders on unfair or deceptive.
To be effective, notices should be easy to identify and easy to read. And the opt-out should be easy to use. In short, from the customer's perspective, the opt-out process should be a "big easy."
- Fourth, financial institutions may not sell or transfer account numbers - such as credit card numbers and checking account numbers - to third party marketers. Account numbers should be treated by the institution the way they ask the customer to treat their PIN. Think about this any other way and you are headed for trouble.
In closely related provisions, the act provides that more protective state laws or laws that are not inconsistent with the federal law are not pre-empted by the federal law. This leaves states with the right and power to regulate privacy within their state. The federal law is thus far from the final word and may do little if anything to stop or deter activities already underway in states to regulate privacy. For this reason alone, banks should adhere to best practices and set a high industry standard. This is the only way to reduce the impetus for more laws.
The act also makes pretext calling - placing phone calls posing as a customer or as a person authorized by the customer to obtain information from the bank - illegal.
Making pretext calling illegal won't be any more effective than your institution's ability to catch pretext callers. So this topic should be given attention in your policies, procedures, and training. Training and tools should ensure that staff taking calls has the knowledge to recognize pretext calls and the skill to handle them without violating customer privacy.
- Finally, the act directs the federal regulators to study information sharing with affiliates. This study could form the foundation of future privacy law or regulation. But when there is a study, action is further down the road. This gives you time to do it your way - right!
It will probably be some time before we see specific regulations or guidance under the new law. This is not a valid reason to wait. This is the time that financial institutions should jump onto the compliance bandwagon and set the standards rather than wait for them to come out. This is also a time when waiting for a final rule will communicate a negative attitude toward compliance - something no bank can afford to do.
- If you don't have a policy yet, get on it. If you have one, review it and bring it up to date. Make sure it is good enough for tomorrow.
- Create a privacy library. Compile information on privacy laws in each state in which your bank does business. Set up a tracking system for developments in state legislatures and courts.
- Meet with staff that supervises any telephone-answering or response function. Discuss how to identify and prevent pretext calling.
Copyright © 1999 Compliance Action. Originally appeared in Compliance Action, Vol. 4, No. 13 & 14, 11/99
First published on 11/01/1999