By Russ Jones
Momentum towards stronger financial privacy for consumers in the United
States has picked up a lot of steam over the last 30 days. While most
welcome the change, some financial institutions are still tentative about
the new direction, others are actively resisting it, and a few are not
sure how to respond. But to strategic-thinking institutions wanting to
secure competitive advantage, we believe that now is the time to act: getting
out in front of the financial privacy issue, leveraging their reputations
for trust, and better serving their customers in the process.
How Did We Get Here?
The recent seeds for strengthened financial privacy were planted in 1999
when the U.S. Congress passed the Gramm-Leach-Bliley (GLB) Act. Conceptually,
GLB relaxed the artificial walls between the banking, insurance, and security
industries, effectively allowing a single entity to offer financial
products from all three categories to customers. While not central to
the act, significant financial privacy rules were also enacted, effective
in 2001, that required any financial institution that wanted to share
non-public customer information with third parties to give customers an
opportunity to opt-out, or block, their information from being shared.
The opt-out approach was a classic political compromise, of sorts, enabling
individuals on the privacy fringe to limit how financial institutions
use customer information, but was cumbersome enough to simply be ignored
by most convenience-oriented customers. Significant in retrospect, GLB
also gave states the right to enact even stronger financial privacy, if
they saw the need and could muster the votes to pass such legislation
at the state level. Several states have gone that extra mile (North
Dakota, Vermont, New Mexico, and now California) to do so.
Of the state-level legislation enacted in the last few years, the just-signed
California Financial Privacy law goes the furthest, extending to customers
the ability to opt-out of information sharing among even affiliated companies
(within the same holding company) and requiring financial institutions
to have explicit customer approval, or opt-in permission, before sharing
financial information with third parties. While most analysts have focused
on the back and forth power struggle between partisans, in a practical
sense the adoption of an opt-in requirement means that strong financial privacy
is the default in California beginning next July.
Financial services industry critics of privacy regulation say these state-level
laws limit customer choice (by restricting the downstream offers of secondary
products to consumers), increase cost (relative to revenue), and lack
any consistency from state-to-state (which is true enough). Proponents
say these are orthogonal arguments and are just the cost of adequately
securing sensitive customer information.
In addition, federal regulatory agencies recently released for comment
proposed guidelines that would require financial institutions to notify
customers (under certain circumstances) if they discover unauthorized
access to sensitive customer information, such as social security number,
username, or password. California enacted legislation last year that effectively
requires any such disclosure be communicated to any affected California
Why is "business as usual" in the financial services industry
suddenly under assault on both the legislative and regulatory fronts?
Simply stated, people are a lot more sensitive to privacy issues and abuses.
This came through loud and clear in an April 2003 Harris Interactive survey
of U.S. adults:
- 10 percent of those surveyed were "privacy unconcerned"
- 64 percent of those surveyed were "privacy pragmatists or people
who are concerned about their privacy and want to protect themselves
from abuse or misuse of their personal information by a government organization
or a company"
- 26 percent of those surveyed were "privacy fundamentalist who
believe their privacy is eroding and are trying their best to halt the
When 9 out of 10 bank customers say they are concerned about privacy,
something very important is changing the marketplace. When one out of
four customers identify themselves as "privacy fundamentalist",
the genie is truly out of the bottle.
We suspect that what’s really behind this dramatic shift in attitude, especially
as it relates to financial services, is the dramatic increase in identity
theft. Gartner reports that 7 million U.S. adults, or 3.4 percent of U.S.
consumers, were victims of identity theft during the 12 months ending
June 2003. The identity theft problem has become wide enough that many
people, if not victims themselves, know someone else who has already been
It’s also worth noting that the shift in attitude about privacy is not
focused just on the financial services industry. The Health Insurance
Portability and Accountability (HIPAA) Act of 1996 addressed many of the
same issues with respect to sensitive medical records and personal health
It’s Not Over Yet
While the changes to date have been dramatic, collectively we are still
in the early stages of establishing a national policy in the U.S. towards
financial privacy. Several large financial institutions are still publicly
opposed to the recent California Financial Information Privacy Act and
reserve the right to fight it through the court system. Others hope to
lobby behind the scenes to influence the upcoming revision of the Fair
Credit Reporting Act (FCRA) to overturn some of these state-level protections
and to pre-empt local jurisdictions from enacting any broader financial
While it’s hard to project the final outcome, it is clear that these
efforts, if pursued, are flying in the face of what the average
person wants and will likely paint financial service providers as anti-consumer.
While not the end of the world, such a stance could erode much of the
hard-won trust that financial institutions have earned from customers.
Unlike marketing costs, it’s hard to place a direct monetary value on
trust. Participants in other industries would love to have the same level
of consumer trust as financial institutions. But they don’t and they’re
not likely to ever earn it. Holding on to this trust will be especially
critical as banks and other financial services companies move forward
in the coming years to leverage new technologies and introduce new services.
In the area of biometrics, for example, early deployments show significant
cost savings for financial institutions, but achieving those benefits
will require convincing consumers their personal biometric data is private,
secure, and never available for sale or misuse.
Recasting the Problem as an Opportunity
Consumers are saying loud and clear they want and value strong financial
privacy. Financial institutions should give it to them and take credit
for it. Don’t offer consumers financial products; offer them "privacy
enhanced" financial products. Don’t just provide strong financial
privacy in four states; provide it universally across the institution’s
complete geographic footprint. Don’t just give consumers the minimum privacy
required by law; protect them in ways they wouldn’t even dream about.
Easier said than done? Here are some ideas:
- Privacy Policies. Explain privacy policies in everyday language
that anyone can understand. Don’t make the policy read like a contract
addendum in six-point type; instead be real clear about not selling,
renting, or sharing private financial information without explicit consumer
- Online Banking Site. Financial institutions could provide easy
access to do-not-call registries and credit bureaus from their own online
banking sites, and provide help and guidance to consumers wanting
to utilize them. By helping customers proactively fight identity theft
and frivolous direct marketing, institutions can reinforce the strong
trusted reputations they already enjoy.
- Credit Card Enhancements. Much like travel accident insurance
is included as a credit card enhancement, financial institutions could
provide identity theft insurance at no cost to the customer as another
built-in card enhancement. There are distinct first mover advantages
to making this move.
To the extent other financial institutions drag their feet (waiting
until the last possible day to provide the minimum compliance required
by law, and fighting even that in court), the savviest institutions
will begin to provide strong financial privacy now, integrate it into
their branding, and use it to differentiate themselves from competitors.
As Harry Truman might say, the time has come to "get out in front
of it and call it a parade."
And who knows, maybe privacy-concerned consumers will jump ship and move
their business to privacy-friendly financial institutions. With strong
financial privacy gaining momentum, what’s for sale won’t be my sensitive
financial information; it will be my loyalty, my trust, and my business
(and associated profits) to a financial institution that earns it.
Initial Publication Date: August 29, 2003