Will the consolidation of financial services companies create one-stop convenience for consumers?
That is what the new banking and brokerage giants are hoping, but their hopes of cross-selling financial products and services depends, in part, on their ability to use customer information to tailor their offerings.
Press coverage about online privacy issues has made consumers suspicious of companies that share too much of their information.
Pursuant to the Gramm-Leach-Bliley Act, the Federal Trade Commission on May 12 weighed in on the issue of consumer information practices in the financial services industry with its Privacy of Consumer Financial Information Final Rule.
The rule outlines a financial institution’s obligations regarding the protection of individual financial information.
The two primary groups affected by the rule are consumers and financial institutions.
Generally, consumers prefer to protect their information and control the ways companies use it. The act and the rule are designed to further this interest.
However, this objective can conflict with the business practices of many financial institutions that until now have enjoyed a certain level of freedom in collecting and using the financial information of their customers and others.
The act seeks to protect consumer financial information by placing certain restrictions and affirmative obligations on financial institutions.
Principally, the act requires a financial institution to provide its customers with notice of its privacy policies and practices. The act prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various disclosure and opt-out requirements, and the consumer has not elected to opt out of the disclosure.
In order to ensure proper compliance with the act, the FTC, as well as other banking agencies and regulatory authorities, issued regulations to implement the act’s requirements and restrictions.
Appropriately, the rule favors consumers on issues such as the scope of information covered, the scope of institutions regulated, the frequency of required notice and the opportunity for opting out of certain disclosures.
The number of transactions and, more significantly, the variety of institutions covered under the rule is notably broad.
The rule applies to information about individuals who obtain a financial product or service from a financial institution, where the product or service is used for personal, family or household purposes.
This includes a variety of activities, ranging from the traditional (lending institutions, insurers and investment advisers, among others) to the nontraditional (loan brokering and servicing, check guaranty, collection agency, credit bureau and real estate settlement services, tax planning, tax preparation and instruction on individual financial management, among others).
The definition of “financial institution” embraced by the rule is equally broad: any business engaged in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 or an institution that is significantly engaged in financial activities.
The FTC declined to provide a comprehensive list of what entities fall within this definition. It did, however, provide an abbreviated list that includes:
• A retailer that extends credit by issuing its own credit card directly to consumers.
• A personal property or real estate appraiser.
• A business that prints and sells checks for consumers.
• A business that regularly wires money to and from consumers.
• A check-cashing business.
• A business that operates a travel agency in connection with financial services.
The rule requires a financial institution to provide consumers with notice of its practices regarding information collection and use, and to give consumers reasonable opportunity to opt out of certain uses of their personal, nonpublic information.
The rule distinguishes between the customers of a business and consumers in general.
“Customers” must receive initial notice at the time of establishing a customer relationship, whereas “consumers” must receive initial notice only if the financial institution intends to disclose the consumers’ information to nonaffiliated third parties for purposes not authorized under any of the exceptions.
Consumers are individuals who obtain a financial product or service from a financial institution for personal, family or household purposes, but do not have a continuing relationship with the institution. Customers are consumers having a continuing relationship with a particular financial institution.
Customers, not consumers, must receive annual notice of the institutions’ information collection and use practices.
Both the initial and annual notices must be clear, conspicuous and accurate. They must describe the conditions under which a financial institution may disclose nonpublic personal information to nonaffiliated third parties and affiliates.
The notices can either be in writing or received electronically if the recipient agrees. It is not sufficient to place the notice only on a Web page, unless obtaining the product or service in question requires accessing that page.
The rule also provides details on the content of the notices, as well as sample language.
Both the initial and annual notice must include:
• The categories of nonpublic personal information the institution collects.
• The categories of nonpublic personal information the institution may disclose, either to affiliates or nonaffiliated third parties.
• The categories of affiliates and nonaffiliated third parties to whom an institution discloses information.
• The institution’s policies and practices with respect to sharing information about former customers.
• What information, if any, will be disclosed to service providers.
• The right to opt out.
• Any disclosures an institution is required to make under the Fair Credit Reporting Act.
• How an institution intends to protect the confidentiality, security and integrity of the information.
Similar details are provided regarding the opt-out notice.
The rule requires opt-out notices to include a statement that information may be disclosed that the right to opt out exists, the means by which an individual can opt out, the categories of information that may be disclosed, and the categories of nonaffiliated third parties to whom the information may be disclosed. The rule states if a consumer does not opt out initially, the right to opt out in the future is not forfeited. Furthermore, the right to opt out applies to consumers and customers and all information regardless of when such information is obtained.
Following the mandate of the act, the rule also describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties.
Since its publication, several private companies and trade associations have expressed opposition to the rule, lamenting its effects on long-standing business practices.
These companies have specifically criticized the provisions that serve to prevent the selling of “credit header” information. This information, including names, addresses, Social Security numbers and other personal details, is routinely sold by credit bureaus to companies for marketing purposes or to help debt collectors and private investigators locate people.
The rule’s definition of financial information prevents the sale of this credit header information without the permission of the individual. Of course, there are other complaints, primarily the financial investment required to comply with the rule.
Many institutions believe they are unfairly portrayed as the bad guys, scapegoats in the public crusade for privacy.
Some bank officials have pointed out that their bank has always treated consumer information as confidential. As such, these officials believe the rule will not change their practices.
Despite these opponents’ fears of onerous regulatory hassles, the rule may ultimately benefit them.
Given the current state of consumer interest in privacy, financial institutions should not underestimate the potential impact of perceived protection.
If consumers believe their information is safe, they will continue to do business with the various institutions, affecting not only those individual institutions but also all levels of e-commerce. However, only time and real world practice will determine the final effect of the rule.
The act, as well as the rule, were intended to take effect Nov. 13. However, in order to provide sufficient time for financial institutions to establish policies and procedures, and put in place systems to implement the requirements, the time for full compliance is optional until July 1, 2001.