Many financial institutions and their trade associations, such as the American Bankers Association, have submitted their opinions concerning the interpretation of the regulations that will govern the privacy provisions contained in Title V of the Gramm-Leach-Bliley Act, the sweeping banking modernization regulation set to take effect Nov. 12.
Comments were to be submitted to various agencies such as the Office of the Comptroller of the Currency, the Federal Reserve System’s Board of Governors and the Securities and Exchange Commission.
I had a chance to review the ABA’s commentary and helped support KeyCorp’s position, and I believe the enactment of Title V will be delayed. More importantly, certain regulations could see favorable clarification for the financial services industry, while still providing consumers with the proper safeguards of their financial information.
One aspect of the law that will not change is that all financial institutions will have to employ customer notification and information-sharing opt-out privileges. However, just think of the systems banks will have to access, coordinate, merge and test to ensure that every one of their customers receives notice. Then, they will have to contract with a printer, a production or lettershop partner — not engaged by a host of other banks, credit unions and investment brokerage houses — to ensure 100 percent notification. What about customers who respond? Banks will have to create adequate fulfillment mechanisms for responders and train customer service employees, staff and management. It would be in the best interests of the governing bodies to recommend extending the deadline for complying with notification and opt-out beyond the Nov. 12 target date.
Definition of Nonpublic Personal Data
The act defines nonpublic personal information as “personally identifiable information.” The proposed rules state that personally identifiable financial information is “any information provided by a consumer.” The act does not define the term “personally identifiable financial information.” I believe the significance of the definition is completely lost. The regulators have chosen to ignore the word “financial” and have chosen to include otherwise public information, like name, address and phone number, as financial in nature, simply because a customer supplied that information to a financial institution.
Certain information should not be deemed “financial” because it is derived from a consumer at a financial institution. The point here is that there is a wealth of publicly available information from a host of sources like phone directories and public databases, as well as information provided freely by consumers. This information should not be treated differently when handled by financial institutions than when handled by other groups. The meaning of the phrase should be clarified to keep the definition of financial information relevant to what is meant to be financial in nature.
Limits on Sharing Account Numbers
Responses to this provision should seek to clarify when and what information may be legally shared with third parties. Many financial institutions offer third-party products and services to their own customers, who receive relevant offers for products or services not normally obtainable by any other means. If customers decide to opt out of a bank’s information sharing practices, then they will not be solicited for these third-party offers.
More recently, financial institutions have gotten used to not sharing account numbers with third parties. They have created safety mechanisms that provide for account number sharing for billing purposes and then only after a customer accepts a product offer. Furthermore, a majority of banks have extended encryption techniques to customer account numbers. Unfortunately, the current ban on sharing customer account numbers for marketing purposes extends to encrypted account numbers as well.
The current definition of “personally identifiable information” cannot logically seek to imply that encrypted account numbers are in any way personally identifiable. Therefore, it is in the agencies’ best interests to clarify account number information sharing with third parties. As long as financial institutions maintain all the other necessary, lawful requirements, such as joint marketing agreements and confidentiality provisions with third parties, they should be allowed to perform information sharing in either one of two ways:
* Share encrypted account numbers for marketing purposes with third parties — provided the third parties return all nonresponders and are only provided the decryption codes of customers who agreed to the product offer.
* Share customer account numbers with third parties for billing purposes after customers agree to the product offer. This second option maintains the understanding that financial institutions do not share account numbers for marketing purposes.
By May 12, federal agencies will outline their final regulations that apply to how Title V privacy provisions will be applied. These are just a few examples of the industry’s comments. Let’s all hope for favorable review, some common sense and the likelihood that, given financial institutions' suggestions, consumers will benefit from information sharing practices while still being protected from information misuse.