The deadline for financial institutions to be in full compliance with the Gramm-Leach-Bliley Financial Modernization Act of 1999 is July 1, and most organizations say they have done everything they need to do by this point.
“I think all of the large institutions were really ahead of the curve. If anybody gets caught, it's going to be maybe a smaller financial institution that didn't fully appreciate the efforts they had to go through until too late in the game to get it done,” said Jennifer Barrett, chief privacy officer at database services firm Acxiom Corp., Conway, AR.
Acxiom, whose clients include many large financial institutions, has heard of a few organizations scrambling to reach compliance, though not many, Barrett said. GLB governs the practices of financial institutions regarding consumers' nonpublic personal information and how the organizations use and share that information.
By July 1, banks and other financial institutions are required to provide “clear disclosure … of their privacy policy regarding the sharing of nonpublic personal information with both affiliates and third parties,” according to the summary of GLB provisions. They also must provide “notice to consumers and an opportunity to opt out of sharing nonpublic personal information with nonaffiliated third parties.”
Such notices must be sent annually. The financial institutions will be subject to audits by the Federal Trade Commission, federal banking agencies, the National Credit Union Administration and the Securities and Exchange Commission as well as by the states.
Privacy notices have been flooding consumers' mailboxes for several months now, sometimes included with a bank statement or a credit card bill, sometimes sent as a separate mailing. Bank One, for instance, sent its notices in April and May at the rate of 1 million every business day, said company spokesman Thomas A. Kelly. Bank One, Chicago, has a credit card business with 50 million cardholders and a retail business with 8 million consumer banking customers.
“We chose to do a separate mailing rather than including it as a statement stuffer because we know that privacy is important to our customers and wanted to make sure they knew exactly where we stood on the issue,” he said. “We also included in our mailing some tips on how to protect your privacy.”
While the notices have been widely criticized as being unreadable because of the legal jargon in which they are written, at least one organization pointed out that the language is part of the legislation.
“The regulators mandated what the privacy notices had to say and sent out suggested language,” said Catherine Pulley, spokeswoman for the American Bankers Association. “The bank is sending a legal document. Unfortunately, sometimes when you're sending something that has to do with a legal issue, it isn't always clear.”
She pointed out that this is the first time these notices have been sent and consumer input may affect future versions of the privacy notices. According to survey results released by the ABA earlier this month, more than one-third of consumers have read their banks' privacy notices.
In a telephone survey of 1,000 consumers conducted in May, 36 percent of respondents said they had read the privacy notices from their financial institutions. Twenty-two percent received the notices but did not read them, 41 percent did not recall receiving the notice, and 1 percent were not sure.
The study did not address the number of consumers who had opted out of third-party data sharing, and it is unclear what the overall opt-out rate will be.
“As a whole, the industry has not seen huge numbers of people opting out,” Kelly said.
The next phase is sure to be the auditing of compliance by financial institutions. Though there are stiff penalties for noncompliance, Barrett does not expect a crackdown.
“The various agencies that audit these institutions are already asking questions,” she said. “I think that they will make it a priority to check on GLB compliance, but I don't anticipate too many penalties if the institution has made a good effort to comply.”
