Privacy Under Scrutiny
By Jo Ann S. Barefoot
To keep critical customer information flowing, privacy policies are effectively necessary even if not legally required.
The banking industry is being thrust into a wild new world of privacy controversy. Though it will take years to explore and tame this jagged terrain, it is already clear that banks need to set up serious governance systems for privacy risk management. Why? Consumer privacy issues threaten to compromise the use of information technology that is at the very center of e-commerce and customer relationship management, two arenas that are crucial to banking's future.
A variety of developments underscore the gravity of the situation. Congress is considering a bill that would require banks to disclose privacy policies and permit customers to "opt out" of certain uses of their data. Meanwhile, class action litigation is pending in a number of states, sparked by Minnesota's suit this summer (since settled) against U.S. Bancorp for selling customer information despite promises not to do so.
The European Union also is negotiating with the United States over a rule that data on European citizens cannot flow to countries that inadequately protect privacy, a category that, in the EU's opinion, includes the United States. And numerous other privacy protection actions are underway: at federal, state and local agencies; in litigation; in industry forums; and in market-leveraging policies adopted by big technology companies such as Microsoft Corp. and IBM Corp.
These episodes drive home the point that privacy touches a central nerve with people. It is intertwined with core feelings about fairness and freedom and self. And there are no easy solutions. The complexity of the issue overwhelms legislative and regulatory bodies, which will tend to respond in a disjointed way that causes as many problems as are purportedly solved. Also, the privacy controversy is developing so fast, from almost a non-issue a year ago to weekly headline news now, that keeping pace will be a huge challenge.
The rub for banks is that they will not be able to safeguard customer privacy completely without undermining the most exciting innovations in banking. These innovations promise huge benefits, both for customers and providers. But to capture them, financial services companies and their customers will have to make some critical tradeoffs. When the stakes are so high, nothing can be left to chance, which is why banks must immediately begin developing comprehensive approaches to the privacy issue.
There are at least four focal points of privacy risk. One hot issue concerns information transmitted over the Internet, whose value is maximized only if providers can use the data they gather on people's interests and purchases. Another is third-party relationships, where partners access customer information in the act of handling bank referrals. A third issue is computerized credit scoring, a process that streamlines underwriting but also can be arbitrary. A fourth area, data mining and customer relationship management, unsettles some people because it involves the extensive collection and use of sensitive customer information.
There are a number of key steps that banks can begin taking now to deal with privacy risks. Institutions should make sure they are complying with the Fair Credit Reporting Act, which likely will be enforced more stringently in the future. They should prepare themselves to cope with a broad requirement to let customers exclude their records from internal usage and external sharing arrangements. Relationships with third parties should be reexamined with information usage issues in mind. Where feasible, voluntary privacy protection steps should be taken, so as to avoid legal mandates and controversy. And privacy consciousness must become ingrained in the banking culture.
Quicksand
Since the birth of the consumer movement, banks have contended with an ever-growing accumulation of protective laws and regulations. But they have never seen anything like privacy, which quickly has become a dominant concern. The risks attending a consumer issue have never been so severe, while the positive opportunities for banks and customers alike have never been so enticing.
Solutions will be hard to come by. The two most conspicuous areas of privacy risk are the Internet and technology-driven uses of customer data, both enablers of the most profound changes coming to financial services. Banks will not be able to safeguard customer privacy completely without undermining the most exciting innovations in banking. These innovations will yield huge consumer benefits but also demand privacy tradeoffs.
The consumer and business value of these new approaches will be so compelling that the market will simply have to move toward them: competition will demand it. As these market forces move inexorably forward, customers will want the positive offshoots, such as improved financial services and lowered prices. At the same time, they will complain about loss of privacy.
The complaints will generate politics, regulation and litigation. Government "solutions," in turn, will create huge problems because they will evolve piecemeal, often without a good understanding of the underlying issues. They will produce high costs, high risks, confusing and conflicting mandates, a volatile regulatory climate and many other unintended consequences.
Privacy risks will coalesce in four major areas:
The Internet. The hottest arena of controversy will be electronic commerce and online banking. Internet privacy risks range from security against hackers and unauthorized use to questions about the intended uses of data by companies offering Internet-based services.
Internet companies are acutely aware that this infant marketplace, for all its burgeoning growth and profound potential, could be strangled in its crib if the consumer decides it is not a safe place to transact business. A few high-profile cases of customer harm could set back e-commerce by years, depriving consumers as well as clobbering the companies that are betting their futures on it.
Amazon.com got a taste of privacy risk this summer. After months of glowing publicity regarding its trail-blazing role and progress in bringing happy consumers into e-commerce, Amazon found itself attacked for compiling and disclosing data on customer reading habits. To the embarrassment of some parties, it publicly listed the books most frequently purchased by certain affinity groups, including the employees of specific companies. One well-known company's best seller was a book critical of its CEO, while another large firm's employees seemed quite interested in reading about sex. Amazon's assurance that the lists were disclosed in the spirit of "fun" did not dispel the unease of critics, some of whom had never realized that their own purchase information might be tracked and used.
Of course, Amazon.com is by no means alone in wanting to capitalize on information about online customer activity. Such information will be used by all companies offering services on the Internet, including banks. That usage is a key to the Internet's power, for consumers and businesses alike. The ability to collect and analyze patterns of consumer searches and purchases enables providers to tailor products, to find customers who may be interested in particular products, and to package and price services optimally for each customer.
Such reconnaissance unlocks the power of the "segment of one," the one-to-one marketing approach to customizing services. Inexpensive and inclusive, electronic marketing brings buyers and sellers together, matching attractive products and services with the people who likely want them. Costs are so low that the consumer ends up with both better and cheaper services than would be possible the old way. But the approach only works if Internet companies can use the data they gather on what people are interested in and what they buy.
Third-party relationships. Banks are beginning to design Web sites that connect customers to online partners: some that provide attractive products themselves, others that search for products on the terms that customers specify and at the best prices available anywhere. The Internet today truly is a "web" of inter-related companies that form complex alliances that share and refer and serve each other's customers. In many of these arrangements, it may not even be clear to the customer just which entity he is dealing with as he moves from the gateway site to the others to which it is linked.
If customers come to a bank Web site, they, and their lawyers, will surely hold the bank responsible if privacy problems arise, even if the bank's third-party partner commits the offense. The Internet will be a nexus for these kinds of issues.
However, vulnerability to third-party actions is by no means limited to Internet scenarios. Today, banks share data in a wide variety of ways. Customer privacy questions attend outsource service arrangements, joint ventures, co-branding and affiliate marketing, broker and dealer relationships, sales of lists and customer data, and vendor arrangements of all kinds.
As an example of the hazards, one privacy czar at a large bank recounts how he discovered, at the eleventh hour, that the institution's purchasing department was about to sign a deal in which a printing company would agree to provide discounts in exchange for access to the bank's internal data on customers who use the product involved. Needless to say, this proposed arrangement was quashed!
Credit scoring. Another seedbed of privacy exposure is the growing reliance of banks on credit scoring and data modeling for risk management, marketing and risk-based pricing. These days, such techniques are used from cradle to grave in the credit process. There are applications in market segmentation and customer targeting, underwriting, sophisticated risk management systems and relationship-based pricing. Banks use scoring and modeling techniques to help determine levels and types of service to offer, and they even use them in shaping collections strategies.
Increasingly, these scoring innovations involve intensive collection and analysis of data on customers and prospects. But customers may object that the process has invaded their privacy when the resulting decisions by the bank are not to their liking.
Data mining and CRM. The next step after expanded use of credit scoring is full-blown "customer relationship management," or customer-centric approaches to banking. Banks are using data warehouses, flexible new middleware and internal Web-based Intranets to link disparate databases on customers, comprehend relationships and then approach each client as an individual. This shift from a traditional, product-silo focus to customer-centered management will take time, but its competitive power makes it inevitable.
As technology permits low-cost, virtually unlimited gathering and analysis of data, it unlocks the potential to improve every aspect of banking. Banks will be able to customize products to attract and keep their best customers. They will be able to target product offers with keen precision to those who will want them; to reach customers through highly efficient channels (including the Internet); and to deliver products the way each customer wants.
Further performance enhancements include the ability to risk-assess customers with unprecedented accuracy, both at the outset and over time; to understand which customers are most profitable and what would make others more so; and to price offerings based on risk and profitability. Information technology also will help banks better understand customer attrition patterns and improve retention, and monitor trends on a real-time basis and make timely course corrections.
This will result in better products at better prices for consumers as a whole. However, many individual consumers will be adversely impacted in some way. And all will find that this revolution in banking involves extensive collection and use of personal information, both from internal bank sources and from external sources such as data vendors and Internet partners. Privacy controversy is inevitable.
Most banks today are far from using full-blown CRM systems, but most are moving fast to link databases for better cross-selling, relationship management and profit analysis. Most are already sharing data extensively with vendors and partners, if not actually selling it. Every time a piece of customer information is put to one of these uses, it raises potential privacy issues.
Managing Privacy Risks
Privacy, then, presents banks with the worst-of-all-worlds risk scenario: high exposure to damage, and no clear rules for how to avoid it. But there are a number of steps that managers can take to protect their institutions and keep the risks at manageable levels.
The most basic step is to assure compliance in the one area where there are set rules today, and that is the Fair Credit Reporting Act. The FCRA prohibits banks from sharing some types of information among their own affiliates unless they disclose to customers that they plan to do so and permit customers to "opt out."
Until recently, the banking agencies were prohibited from examining for FCRA compliance unless they received a complaint or discovered an alleged FCRA violation themselves. Pending legislation would lift this restriction. If expanded discretion is granted, examiners will be motivated to exercise it, what with privacy skyrocketing to the top of the consumer issues agenda and senior regulatory officials making speeches on their commitment to protect consumers.
It is likely that most banks have not been closely scrutinized by examiners in this area and that many institutions may not even know how well they are complying with the current opt-out requirement. Therefore, an immediate internal assessment of FCRA compliance should be a top priority, followed by any necessary measures to get into shape.
Another step is preparing for a broadened opt-out mandate. The FCRA requirement to let customers opt out is a mini-version of what is likely to be the next big privacy mandate: a requirement to let customers opt out of data use and sharing, generally. As this issue of the magazine goes to press, legislation is pending that would require banks to disclose an opt-out choice and to implement customers' wishes. The bill would exempt some types of information-sharing, but it generally would enable customers to restrict much of their information to uses relating to the banking service they are buying.
Even if current legislation does not pass, some form of this mandate is likely. Its main provisions would likely echo the European Union privacy rules (in much weaker form), as well as many state laws, voluntary codes of conduct adopted by growing numbers of U.S. banking and business groups, and the "encouragement" of American regulators. Either on account of formal legal requirement or informal pressure, banks are likely to implement the opt-out, and soon.
While the right to opt out sounds reasonable, many banks are not geared to implement it. Systems must assure that specific data on one "opt-out" customer does not move into another database, for example, while assuring that other customer records continue to flow. That is difficult to manage strictly within the bank, not to mention in relations with third-party partners and vendors. And there are numerous practical questions that as yet have no answers.
What if a customer does not opt out when opening an account but then does so later on a second account, after some information has already been shared? What if customers want to opt out for some uses of data and not others, or some types of data and not others? How will regulations cope with the infinite variety of questions that will arise over definitions about types of data and types of business arrangements that will call for different handling?
And what will happen if the mandate is crafted, not as an opt-out, but rather as an opt-in, meaning that banks first must obtain explicit permission from customers before making use of information about them? Banks will lose the benefit of customer inertia, which under the opt-out schematic would leave most data available. Instead, they will have to seek affirmative permission to use information. In this country right now, which banks are ready to articulate to customers the value proposition for such use?
With or without legislation, bank information technology departments should assess their ability to alter and block customer information flows through the full spectrum of data-sharing arrangements.
Meanwhile, legal, compliance and audit staffs should address third-party risk. Banks must assure that vendors and partners protect customer data accessed through the bank relationship. Third parties must be prevented from sharing data with their other partners, selling it, misusing it, or leaving it unprotected. And contracts are not enough. Banks must monitor the practices of their partners and assure not only that they can, but also actually do implement promised protections. If privacy failures occur and a bank is anywhere in the picture, that bank can count on being included in any subsequent litigation and publicity.
It's also a good idea to take voluntary steps that will proactively address issues while decreasing the odds for damaging publicity and outside intervention. Whenever risks are high and rules are ambiguous or absent, banks need a risk-management strategy aimed at staying off defense. Once a company's blood is in the water over a consumer controversy, a rule-less environment makes it easy for critics to inflict costs, such as litigation expense and reputation and brand-name damage.
When the law does not cover the issue, the bank is hamstrung by an inability to defend itself by arguing that it complied with the law. Because of this, most banks are voluntarily adopting pro-consumer privacy policies, even before mandates require them. These policies generally disclose to customers how the bank would like to use their data, voluntarily offer the opt-out choice, and perhaps give customers access to their own data and/or bank contacts.
Customers increasingly are looking for these kinds of policies. Major Internet players are demanding them of partners and customers. Industry groups and government agencies are strongly encouraging them, at least partly in lieu of more draconian regulation. We are approaching a point at which privacy policies will be effectively necessary, even if not legally required. Therefore, banks that have not yet adopted them should consider doing so.
However, a word of caution: the U.S. Bancorp litigation mentioned earlier was not mainly based on non-compliance with privacy law, but rather on the bank's alleged failure to live up to its own, voluntarily-disclosed privacy policy. The key charges were fraud, contract law violation and unfair and deceptive practice. Had the bank not voluntarily made promises to customers about privacy, most of the litigation would not have had a basis.
Banks with voluntary privacy policies need to make a reality check: can they actually do what they say? The potential disconnect between what marketers and compliance people want to tell consumers at the front end, and what systems actually do at the back end, is loaded with risk.
Finally, banks need to build privacy-conscious cultures. The unmapped risks around privacy cannot be managed as a compliance task. Rather, banks must "bake in" a sensitivity that thinks through privacy issues before, not after, the fact. More basically, banks that want to win the gold rush for customers empowered by Information Age choices will have to offer privacy safeguards that gain and keep consumers' trust.
Ms. Barefoot is a partner with KPMG Barefoot Marrinan, Columbus, Ohio.
Copyright © 2003 by Banking Strategies, published by BAI.