New Consumer Financial Privacy Rules Effective July 1
GRAND RAPIDS — To share or not to share?
That’s the question financial services institutions have been pondering since Congress passed the Gramm-Leach-Bliley Act in November 1999.
Title V of the Act specifies new financial privacy regulations involving “nonpublic personal information” obtained from consumers through financial service activities or transactions and disseminated to unaffiliated third parties.
The act’s privacy provisions require that financial institutions, including banks, savings associations, credit unions, broker-dealers, investment companies, investment advisers and insurance companies, disclose in detail just how much of a customer’s confidential information will be used and how it will be used.
Although GLB Act compliance was originally slated for November 2000, the regulatory agencies, coming off the heels of Y2K and a number of other issues, didn’t feel comfortable that the implementation date could be achieved, explained Paul Osborne, a partner with the national accounting firm of Crowe Chizek.
All the federal bank regulators, including the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC), have already promulgated the rules. As the July 1 deadline closed in, Osborne talked to the Business Journal about what the new regulations mean to consumers and what compliance has involved.
Most financial institutions already have in place both ethics policies and defined procedures for sharing customer information, but nothing that specifically states with which companies they will or will not share information, Osborne observed.
For example, if a bank is solicited by a marketing company for a list of customers that have mortgages in excess of a certain balance, there is currently nothing specifically required by the regulatory agencies that would prohibit that type of information exchange.
The act gives consumers a voice in those matters.
“It’s basically an opportunity for you and I as consumers to balance our right for privacy with the financial institution’s need to share information for normal business purposes,” Osborne said.
“Now, the definition of ‘normal business purposes’ is sometimes skewed because if their ‘normal business purpose’ is using your information and selling it to a third-party, non-affiliated company in order to make money, then you have the right to say you’d rather not have the information shared.”
Under the new regulations, financial services organizations must notify a consumer at the start of the customer relationship, and at least once annually thereafter, of their practices regarding the disclosure or nondisclosure of information to financial non-affiliates. Financial affiliates, however, are not regulated under GLB.
GLB requires that financial service organizations disclose their sharing practices in one of three ways:
- They do not share and do not intend to share.
- They are not currently sharing yet reserve the right to share in the future.
- They currently share and will continue to share.
In the first scenario, the organization must send customers a notice clearly stating they don’t share now and don’t intend to in the future.
In the second and third scenarios, they have to send a more detailed notice indicating with whom they will share information presently or potentially in the future.
In the latter two scenarios, the organization is required to give consumers the opportunity to “opt out.” By opting out, the consumer indicates that no confidential information may be disclosed to non-affiliated third parties that provide marketing support or financial products and services to the institution.
By now, most consumers have been inundated with privacy notices from the financial institutions with which they do business, Osborne added.
Some banks and financial services companies are looking at the compliance issue as a marketing opportunity.
As Osborne explained, for some it’s an opportunity to say to customers: “Hey, we don’t share, we’re not going to share, so why would you want to go to a financial institution that is willing to share?”
Then there’s the other side, which can say to customers: “Yes, we will continue to share because in doing so we can continue to offer you additional products and services. Therefore, we can provide you the most current services you can get in the financial community.”
In April, Bankers Systems, a national provider of compliance resources for financial institutions, released a data analysis of the sharing practices of more than 3,900 banks, thrift and credit union charters, as well as a sampling of finance companies.
The analysis revealed that the majority of banks and savings associations — nearly 69 percent — indicated they did not plan to share customer information with nonaffiliated third parties “outside of the exceptions.”
Those “exceptions” generally refer to information disclosures necessary to complete transactions or provide services.
Credit unions and finance companies showed a greater propensity to share.
More than 50 percent of the credit unions sampled said they would be sharing their members’ nonpublic personal information “in ways that would give rise to the need for disclosure and opt-out rights,” according to Bankers Systems.
Among credit unions, which are not-for-profit, sharing was commonly viewed as being in the best interest of members and also afforded opportunities for additional member services.
Similarly, Osborne said most of the credit union privacy notices he has seen are disclosing that they do share and will continue to share in order to expand service offerings to customers.
Slightly more than half of finance companies sampled by Bankers Systems indicated they either planned to share or reserve the right to share.
Asset size appeared to play a role in the decision whether or not to engage in third-party information sharing. According to the analysis, the larger the institution, the more likely it would share.
Of banks and savings institutions with more than $1 billion in assets, 63.5 percent disclosed that they currently share or plan to share, compared to 30 percent of banks and savings associations with assets under $1 billion.
In state-by-state comparisons, Michigan was one of two states in which the majority of institutions sampled were “sharing” institutions. In Michigan, 71.7 percent indicated they plan to share customer data. Utah came in second, with 69.2 percent of institutions planning to share.
In adhering to the new requirements, financial institutions have had to perform self-assessments of all their collection practices, Osborne said. His firm has assisted more than 30 companies in the process.
Every one to three years every financial institution gets a visit from a federal regulator, so beginning next month, regulators will be testing for privacy information as well.
Julie Smith, spokesperson for the Office of Financial and Insurance Services, Michigan Department of Consumer & Industry Services, suggested that compliance might already be a moot point in Michigan.
“We don’t foresee a problem with Michigan financial institutions missing the compliance deadline,” she said. “The privacy rules from the federal regulators for banks have already occurred and they’ve had some time to take a look at those, so those will not be a problem at all.”