The Scramble to Comply With GLB
The short-term reality is that financial institutions have had to work hard to conduct thorough reviews to be in compliance by the July 1 enactment date. Extensive time is being taken to verify that contracted marketing partners also are in compliance and are taking necessary security precautions.
With the deadline approaching, financial institutions are finalizing extensive organization-wide processes and practices needed to be in compliance. The Office of the Comptroller of the Currency states in its Privacy Laws and Regulations publication, "Banks must have delivered copies of their privacy policies to their customers and, as appropriate, provided them with a reasonable opportunity to opt out of certain information-sharing arrangements between the bank and nonaffiliated third parties before such information sharing occurs."
Notification to multiple divisions. When customers notify a bank that they do not want to receive marketing solicitations or have their customer data shared, the Gramm-Leach-Bliley Act obliges the institution to carry out that request across the other divisions of that company. Often banks work on completely different systems for customer relationships such as credit cards, checking accounts and mortgages. It is a challenge to implement opt-out instructions across multiple parts of a company.
For 10 years or more, most credit card issuers have offered an opt-out that removes from promotions those customers who do not want to be solicited either by direct mail or through telemarketing. Now the added concern is providing customers with the opportunity to avoid having their relationship data shared by other affiliates within their organization. Some institutions simply state in their privacy policies that they do not share data with internal affiliates or external marketing partners.
Some insurance companies take the road of staying independent even within much larger organizations.
Internal modeling is now the rule. In marketing cross-sell/third-party programs, financial institution practices tightened even before Gramm-Leach-Bliley to limit the data being provided to support contracted marketing programs. In recent years banks have limited contracted partner access to targeted files broadly based on modeling conducted internally. Some marketing companies such as insurance companies have never been entirely happy with this practice, but they have learned to live with it.
Often the remedy is to append data onto a mailing file to target a list further and reduce acquisition costs.
Inspections of financial institution vendors are tight. Credit card third-party campaigns are usually conducted by contracted marketing partners that typically offer programs such as insurance, merchandise and travel offers. Banks need to maintain high levels of scrutiny of these programs and verify how their partners and vendors use and safeguard the limited data they are given.
Typical due diligence processes have been expanded to include annual on-site data audits completed much like a financial review of a new customer. Important points to consider when evaluating the precautions taken by marketing program suppliers include contract status, use of subcontractors, transfer points of data, data center procedures, workstation access, virus protection, building access procedures and intrusion protection from the Internet.
Telemarketing needs close management. Telemarketing, always a closely managed activity, is receiving high priority for scrutiny. Financial institutions need to inspect the procedures their vendors and marketing partners follow to keep data secure over networks of call centers. Typically, banks allow a telemarketing vendor to use only the minimum amount of information needed for the call to be placed and for orders to be billed.
Monitoring enough calls to hear a representative sample is an important part of telemarketing management. Evaluations should ensure that presentations and sales verifications do not shortcut the legal requirements of the script.
Though consumer advocates initially thought Gramm-Leach-Bliley was soft on privacy, the looming implementation of the requirements has been taken seriously.