Banks are asking federal regulators to make their privacy obligations under the Gramm-Leach-Bliley Act as simple as possible and to craft an interpretation of the law that will allow them to more easily manage the relationships between themselves, their marketing partners and their customers.
With the deadline for public comment on the proposed banking privacy regulations set for next Friday, a number of banks and banking groups already have submitted their comments, and several are expected to do so next week. Concerned citizens also have filed comments, including several who suggested that the federal government impose a complete ban on information sharing.
The privacy regulations are part of a new law that allows banks, insurance companies and securities firms to enter one another’s businesses. Each of the federal financial regulating bodies – the Federal Reserve, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Securities and Exchange Commission and the Federal Trade Commission – is responsible for coming up with an interpretation of the law that will dictate many of the details involved in how these financial institutions operate.
The regulators, which posted draft privacy provisions last month, will consider the public comments and hammer out their final interpretations by May 12, giving the financial firms six months to prepare before the law goes into effect in November. The agencies have pledged to work together to make their interpretations uniform in most respects.
Banks are concerned that they will lose a source of revenue if they cannot collect fees from renting their customer lists, and they also are concerned about the added costs involved in providing their customers with multiple privacy notices and opt-out forms.
The Financial Services Roundtable, a Washington group representing several of the nation’s largest financial institutions, said in its comments to the agencies that banks would like to be able to provide a single policy that can be applied to all financial products and services that they offer. Some smaller banks – including those that do not share their customer information with marketers at all – filed comments making similar requests, asking for the agencies not to require multiple privacy notices for different products offered to the same customer.
If the agencies allow banks to keep their privacy policies simple and general, the banks argued, they can use the same notices for multiple products and services and will not have to update the notices as often.
“Overly detailed disclosure requirements would force every financial institution to provide change-in-terms notices regarding its privacy policy to consumers frequently, perhaps each time the institution offers a new financial product or service to consumers, obtains information from a new source or establishes a marketing program with a new partner,” the Roundtable wrote in its comment letter.
Such multiple privacy notices would confuse customers and would be costly to implement, the Roundtable said. They also would restrict the ability of financial institutions to change marketing arrangements because of the cost of providing change-in-terms notices.
Charlotte Birch, a spokeswoman for the American Bankers Association, said the organization was planning to express similar sentiments in its letter to the agencies, which it expected to file on March 30 or 31.
Also of concern to financial institutions is the definition of nonpublic personal information. Gramm-Leach-Bliley places restrictions on how that type of information can be shared, but does not specify the meaning of the term. The Roundtable urged that the regulators define nonpublic personal information to exclude all public data such as names and addresses that can be readily obtained from other sources. The agencies said they were considering a definition of the term that would include any information given to the bank by the consumer, including names and addresses.
Another concern banks have, according to Birch, is that they not be required to monitor third-party re-use of customer information. Banks that do rent customer lists or make them available for such activities as check printing should not be responsible for ensuring that those lists are not then re-used for other purposes by those third parties.
“The law prohibits the re-use of information, and the regulation should not turn banks into a law enforcement agency to make sure that prohibition is abided by,” Birch said.
Meanwhile, all the financial groups also are keeping a close eye on the activity at the state level, as the federal legislation specifically allows for states to enact more stringent privacy protections.
Dan Michaelis, assistant vice president of corporate communications for the Securities Industry Association, Washington, said excessive state privacy legislation could negate the benefits that the Gramm-Leach-Bliley Act was seeking to produce.
“We support the different branches of an affiliate being able to share data for the clients’ benefit, which is really kind of central to the point of having this new age of financial supermarkets under one roof,” he said. “Part of the concern we have is that different state legislatures are going to pass their own privacy regulations. That really seems to be the big threat to Gramm-Leach-Bliley at this point.”
