November/December 1999
Volume LXXV Number VI

Published by BAI

Privacy Under Scrutiny

By Jo Ann S. Barefoot

To keep critical customer information flowing, privacy policies are effectively necessary — even if not legally required.

The banking industry is being thrust into a wild new world of privacy controversy. Though it will take years to explore and tame this jagged terrain, it is already clear that banks need to set up serious governance systems for privacy risk management. Why? Consumer privacy issues threaten to compromise the use of information technology that is at the very center of e-commerce and customer relationship management, two arenas that are crucial to banking's future.


A variety of developments underscore the gravity of the situation. Congress is considering a bill that would require banks to disclose privacy policies and permit customers to "opt out" of certain uses of their data. Meanwhile, class action litigation is pending in a number of states, sparked by Minnesota's suit this summer (since settled) against U.S. Bancorp for selling customer information despite promises not to do so.

The European Union also is negotiating with the United States over a rule that data on European citizens cannot flow to countries that inadequately protect privacy — including, in the EU's opinion, the United States. And numerous other privacy protection actions are underway: at federal, state and local agencies; in litigation; in industry forums; and in market-leveraging policies adopted by big technology companies such as Microsoft Corp. and IBM Corp.

These episodes drive home the point that privacy touches a central nerve with people. It is intertwined with core feelings about fairness and freedom and self. And there are no easy solutions. The complexity of the issue overwhelms legislative and regulatory bodies, which will tend to respond in a disjointed way that causes as many problems as are purportedly solved. Also, the privacy controversy is developing so fast from almost a non-issue a year ago to weekly headline news now that keeping pace will be a huge challenge.

The rub for banks is that they will not be able to safeguard customer privacy completely without undermining the most exciting innovations in banking. These innovations promise huge benefits, both for customers and providers. But to capture them, financial services companies and their customers will have to make some critical tradeoffs. When the stakes are so high, nothing can be left to chance, which is why banks must immediately begin developing comprehensive approaches to the privacy issue.

There are at least four focal points of privacy risk. One hot issue concerns information transmitted over the Internet, whose value is maximized only if providers can use the data they gather on people's interests and purchases. Another is third-party relationships, where partners access customer information in the act of handling bank referrals. A third issue is computerized credit scoring, a process that streamlines underwriting but also can be arbitrary. A fourth area, data mining and customer relationship management, unsettles some people because it involves the extensive collection and use of sensitive customer information.

There are a number of key steps that banks can begin taking now to deal with privacy risks. Institutions should make sure they are complying with the Fair Credit Reporting Act, which likely will be enforced more stringently in the future. They should prepare themselves to cope with a broad requirement to let customers exclude their records from internal usage and external sharing arrangements. Relationships with third parties should be reexamined with information usage issues in mind. Where feasible, voluntary privacy protection steps should be taken, so as to avoid legal mandates and controversy. And privacy consciousness must become ingrained in the banking culture.

Quicksand

Since the birth of the consumer movement, banks have contended with an ever-growing accumulation of protective laws and regulations. But they have never seen anything like privacy, which quickly has become a dominant concern. The risks attending a consumer issue have never been so severe, while the positive opportunities — for banks and customers alike — have never been so enticing.

Solutions will be hard to come by. The two most conspicuous areas of privacy risk are the Internet and technology-driven uses of customer data, both enablers of the most profound changes coming to financial services. Banks will not be able to safeguard customer privacy completely without undermining the most exciting innovations in banking. These innovations will yield huge consumer benefits but also demand privacy tradeoffs.

The consumer and business value of these new approaches will be so compelling that the market will simply have to move toward them: competition will demand it. As these market forces move inexorably forward, customers will want the positive offshoots, such as improved financial services and lowered prices. At the same time, they will complain about loss of privacy.

The complaints will generate politics, regulation and litigation. Government "solutions," in turn, will create huge problems because they will evolve piecemeal, often without a good understanding of the underlying issues. They will produce high costs, high risks, confusing and conflicting mandates, a volatile regulatory climate and many other unintended consequences.

Privacy risks will coalesce in four major areas:

The Internet. The hottest arena of controversy will be electronic commerce and online banking. Internet privacy risks range from security — from hackers and unauthorized use — to questions about the intended uses of data by companies offering Internet-based services.

Internet companies are acutely aware that this infant marketplace, for all its burgeoning growth and profound potential, could be strangled in its crib if the consumer decides it is not a safe place to transact business. A few high-profile cases of customer harm could set back e-commerce by years, depriving consumers as well as clobbering the companies that are betting their futures on it.

Amazon.com got a taste of privacy risk this summer. After months of glowing publicity regarding its trail-blazing role and progress in bringing happy consumers into e-commerce, Amazon found itself attacked for compiling and disclosing data on customer reading habits. To the embarrassment of some parties, it publicly listed the books most frequently purchased by certain affinity groups, including the employees of specific companies. One well-known company's best seller was a book critical of its CEO, while another large firm's employees seemed quite interested in reading about sex. Amazon's assurance that the lists were disclosed in the spirit of "fun" did not dispel the unease of critics, some of whom had never realized that their own purchase information might be tracked and used.

Of course, Amazon.com is by no means alone in wanting to capitalize on information about online customer activity. Such information will be used by all companies offering services on the Internet, including banks. That usage is a key to the Internet's power, for consumers and businesses alike. The ability to collect and analyze patterns of consumer searches and purchases enables providers to tailor products, to find customers who may be interested in particular products, and to package and price services optimally for each customer.

Such reconnaissance unlocks the power of the "segment of one," the one-to-one marketing approach to customizing services. Inexpensive and inclusive, electronic marketing brings buyers and sellers together, matching attractive products and services with the people who likely want them. Costs are so low that the consumer ends up with both better and cheaper services than would be possible the old way. But the approach only works if Internet companies can use the data they gather on what people are interested in and what they buy.

Third-party relationships. Banks are beginning to design Web sites that connect customers to online partners: some that provide attractive products themselves, others that search for products on the terms that customers specify and at the best prices available anywhere. The Internet today truly is a "web" of inter-related companies that form complex alliances that share and refer and serve each other's customers. In many of these arrangements, it may not even be clear to the customer just which entity he is dealing with as he moves from the gateway site to the others to which it is linked.

If customers come to a bank Web site, they — and their lawyers — will surely hold the bank responsible if privacy problems arise, even if the bank's third-party partner commits the offense. The Internet will be a nexus for these kinds of issues.

However, vulnerability to third-party actions is by no means limited to Internet scenarios. Today, banks share data in a wide variety of ways. Customer privacy questions attend outsource service arrangements, joint ventures, co-branding and affiliate marketing, broker and dealer relationships, sales of lists and customer data, and vendor arrangements of all kinds.

As an example of the hazards, one privacy czar at a large bank recounts how he discovered, at the eleventh hour, that the institution's purchasing department was about to sign a deal in which a printing company would agree to provide discounts in exchange for access to the bank's internal data on customers who use the product involved. Needless to say, this proposed arrangement was quashed!

Credit scoring. Another seedbed of privacy exposure is the growing reliance of banks on credit scoring and data modeling for risk management, marketing and risk-based pricing. These days, such techniques are used from cradle to grave in the credit process. There are applications in market segmentation and customer targeting, underwriting, sophisticated risk management systems and relationship-based pricing. Banks use scoring and modeling techniques to help determine levels and types of service to offer, and they even use them in shaping collections strategies.

Increasingly, these scoring innovations involve intensive collection and analysis of data on customers and prospects. But customers may object that the process invaded their privacy when the resulting decisions by the bank are not to their liking.

Data mining and CRM. The next step after expanded use of credit scoring is full-blown "customer relationship management," or customer-centric approaches to banking. Banks are using data warehouses, flexible new middleware and internal Web-based Intranets to link disparate databases on customers, comprehend relationships and then approach each client as an individual. This shift from a traditional, product-silo focus to customer-centered management will take time, but its competitive power makes it inevitable.

As technology permits low-cost, virtually unlimited gathering and analysis of data, it unlocks the potential to improve every aspect of banking. Banks will be able to customize products to attract and keep their best customers. They will be able to target product offers with keen precision to those who will want them; to reach customers through highly efficient channels (including the Internet); and to deliver products the way each customer wants.

Further performance enhancements include the ability to risk-assess customers with unprecedented accuracy, both at the outset and over time; to understand which customers are most profitable and what would make others more so; and to price offerings based on risk and profitability. Information technology also will help banks better understand customer attrition patterns and improve retention, and to monitor trends on a real-time basis and make timely course corrections.

This will result in better products at better prices for consumers as a whole. However, many individual consumers will be adversely impacted in some way. And all will find that this revolution in banking involves extensive collection and use of personal information, both from internal bank sources and from external sources such as data vendors and Internet partners. Privacy controversy is inevitable.

Most banks today are far from using full-blown CRM systems, but most are moving fast to link databases for better cross-selling, relationship management and profit analysis. Most are already sharing data extensively with vendors and partners, if not actually selling it. Every time a piece of customer information is put to one of these uses, it raises potential privacy issues.

Managing Privacy Risks

Privacy, then, presents banks with the worst-of-all-worlds risk scenario — high exposure to damage, and no clear rules for how to avoid it. But there are a number of steps that managers can take to protect their institutions and keep the risks at manageable levels.

The most basic step is to assure compliance in the one area where there are set rules today, and that is the Fair Credit Reporting Act. The FCRA prohibits banks from sharing some types of information among their own affiliates unless they disclose to customers that they plan to do so and permit customers to "opt out."

Until recently, the banking agencies were prohibited from examining for FCRA compliance unless they received a complaint or discovered an alleged FCRA violation themselves. Pending legislation would lift this restriction. If expanded discretion is granted, examiners will be motivated to exercise it, what with privacy skyrocketing to the top of the consumer issues agenda and senior regulatory officials making speeches on their commitment to protect consumers.

It is likely that most banks have not been closely scrutinized by examiners in this area and that many institutions may not even know how well they are complying with the current opt-out requirement. Therefore, an immediate internal assessment of FCRA compliance should be a top priority, followed by any necessary measures to get into shape.

Another step is preparing for a broadened opt-out mandate. The FCRA requirement to let customers opt out is a mini-version of what is likely to be the next big privacy mandate: a requirement to let customers opt out of data use and sharing, generally. As this issue of the magazine goes to press, legislation is pending that would require banks to disclose an opt-out choice and to implement customers' wishes. The bill would exempt some types of information-sharing, but it generally would enable customers to restrict much of their information to uses relating to the banking service they are buying.

Even if current legislation does not pass, some form of this mandate is likely. Its main provisions would likely echo the European Union privacy rules (in much weaker form), as well as many state laws, voluntary codes of conduct adopted by growing numbers of U.S. banking and business groups, and the "encouragement" of American regulators. Either on account of formal legal requirement or informal pressure, banks are likely to implement the opt-out — and soon.

While the right to opt out sounds reasonable, many banks are not geared to implement it. Systems must assure that specific data on one "opt-out" customer does not move into another database, for example, while assuring that other customer records continue to flow. That is difficult to manage strictly within the bank, not to mention in relations with third-party partners and vendors. And there are numerous practical questions that as yet have no answers.

What if a customer does not opt out when opening an account but then does so later on a second account, after some information has already been shared? What if customers want to opt out for some uses of data and not others, or some types of data and not others? How will regulations cope with the infinite variety of questions that will arise over definitions about types of data and types of business arrangements that will call for different handling?

And what will happen if the mandate is crafted, not as an opt-out, but rather as an opt-in, meaning that banks first must obtain explicit permission from customers before making use of information about them? Banks will lose the benefit of customer inertia, which under the opt-out schematic would leave most data available. Instead, they will have to seek affirmative permission to use information. In this country right now, which banks are ready to articulate to customers the value proposition for such use?

With or without legislation, bank information technology departments should assess their ability to alter and block customer information flows through the full spectrum of data-sharing arrangements.
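The mechanics the preceding paragraphs describe, a system that lets one customer's records stop flowing while everyone else's continue, with choices that can differ by purpose and by type of data, and that can be switched between an opt-out and an opt-in regime, can be sketched in code. The following is an added illustration, not code from the article or from any bank's systems: a small consent registry plus a filter applied to records before they leave the institution. The customer records, the purpose names (`third_party_sale`, `affiliate_marketing`, `service_delivery`), the data categories and the assumption that service-delivery uses are exempt from the opt-out are all constructed for the example.

```python
"""Consent-gated filter for outbound customer data flows.

Added illustration, not code from the article or from any bank: a consent
registry that records per-purpose, per-category choices and a filter that
strips or drops records before they are shared outside the institution.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample records: one per customer, data grouped by category.
SAMPLE_RECORDS: List[dict] = [
    {"customer_id": "C1001", "contact": {"email": "a@example.com"}, "transactions": [12.50, 80.00]},
    {"customer_id": "C1002", "contact": {"email": "b@example.com"}, "transactions": [3.00]},
    {"customer_id": "C1003", "contact": {"email": "c@example.com"}, "transactions": [55.00, 9.99]},
]

DATA_CATEGORIES = ("contact", "transactions")
# Assumption for this example: uses tied to the service the customer is
# actually buying sit outside the opt-out, as the article says the pending
# bill would provide. Purpose names are constructed.
EXEMPT_PURPOSES = {"service_delivery"}
ANY = "*"  # wildcard meaning "every purpose" or "every category"


@dataclass
class ConsentRegistry:
    """Stores each customer's choices as (purpose, category) pairs.

    opt_in_model=False: records flow unless the customer opted out (the regime
    the article expects first). opt_in_model=True: nothing flows unless the
    customer affirmatively permitted it.
    """
    opt_in_model: bool = False
    choices: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    # Audit trail of what actually left the bank, so a choice recorded later
    # can be reconciled against data that was already shared.
    released: List[Tuple[str, str, str]] = field(default_factory=list)

    def record_choice(self, customer_id: str, purpose: str = ANY, category: str = ANY) -> None:
        self.choices.setdefault(customer_id, set()).add((purpose, category))

    def _matches(self, customer_id: str, purpose: str, category: str) -> bool:
        chosen = self.choices.get(customer_id, set())
        return any(p in (purpose, ANY) and c in (category, ANY) for p, c in chosen)

    def permits(self, customer_id: str, purpose: str, category: str) -> bool:
        if purpose in EXEMPT_PURPOSES:
            return True
        matched = self._matches(customer_id, purpose, category)
        # Under opt-out a recorded choice blocks the flow; under opt-in it allows it.
        return matched if self.opt_in_model else not matched


def filter_for_sharing(records: List[dict], registry: ConsentRegistry, purpose: str) -> List[dict]:
    """Return copies of records holding only the categories this purpose may use.

    A customer with no permitted category is dropped entirely, so the
    receiving party does not even learn that the customer exists.
    """
    out = []
    for rec in records:
        cid = rec["customer_id"]
        allowed = {cat: rec[cat] for cat in DATA_CATEGORIES
                   if cat in rec and registry.permits(cid, purpose, cat)}
        if not allowed:
            continue
        for cat in allowed:
            registry.released.append((cid, purpose, cat))
        out.append({"customer_id": cid, **allowed})
    return out


def demo(opt_in_model: bool = False) -> Dict[str, List[dict]]:
    """Apply the same two customer choices under either regime and share for three purposes."""
    reg = ConsentRegistry(opt_in_model=opt_in_model)
    reg.record_choice("C1001", "third_party_sale")                     # every category
    reg.record_choice("C1002", "affiliate_marketing", "transactions")  # one category only
    return {p: filter_for_sharing(SAMPLE_RECORDS, reg, p)
            for p in ("third_party_sale", "affiliate_marketing", "service_delivery")}


if __name__ == "__main__":
    for model in (False, True):
        print("opt-in model" if model else "opt-out model")
        for purpose, recs in demo(model).items():
            summary = [(r["customer_id"], sorted(k for k in r if k != "customer_id")) for r in recs]
            print(f"  {purpose}: {summary}")
```

The same two recorded choices produce very different flows depending on the regime: under opt-out, C1001 disappears from the third-party sale and C1002's transactions are withheld from affiliate marketing while everything else flows; under opt-in, those two choices are the only data that leaves at all. The `released` list is the hook for the question of what to do when a customer opts out after some sharing has already happened: it at least tells the bank which partner received which category.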

Meanwhile, legal, compliance and audit staffs should address third-party risk. Banks must assure that vendors and partners protect customer data accessed through the bank relationship. Third parties must be prevented from sharing data with their other partners, selling it, misusing it, or leaving it unprotected. And contracts are not enough. Banks must monitor the practices of their partners and assure not only that they can, but also actually do implement promised protections. If privacy failures occur and a bank is anywhere in the picture, that bank can count on being included in any subsequent litigation and publicity.

It's also a good idea to take voluntary steps that will proactively address issues while decreasing the odds for damaging publicity and outside intervention. Whenever risks are high and rules are ambiguous or absent, banks need a risk-management strategy aimed at staying off defense. Once a company's blood is in the water over a consumer controversy, a rule-less environment makes it easy for critics to inflict costs, such as litigation expense and reputation and brand-name damage.

When the law does not cover the issue, the bank is hamstrung by an inability to defend itself by arguing that it complied with the law. Because of this, most banks are voluntarily adopting pro-consumer privacy policies, even before mandates require them. These policies generally disclose to customers how the bank would like to use their data, voluntarily offer the opt-out choice, and perhaps give customers access to their own data and/or bank contacts.

Customers increasingly are looking for these kinds of policies. Major Internet players are demanding them of partners and customers. Industry groups and government agencies are strongly encouraging them, at least partly in lieu of more draconian regulation. We are approaching a point at which privacy policies will be effectively necessary, even if not legally required. Therefore, banks that have not yet adopted them should consider doing so.

However, a word of caution: the U.S. Bancorp litigation mentioned earlier was not mainly based on non-compliance with privacy law, but rather on the bank's alleged failure to live up to its own, voluntarily-disclosed privacy policy. The key charges were fraud, contract law violation and unfair and deceptive practice. Had the bank not voluntarily made promises to customers about privacy, most of the litigation would not have had a basis.

Banks with voluntary privacy policies need to make a reality check: can they actually do what they say? The potential disconnect between what marketers and compliance people want to tell consumers at the front end, and what systems actually do at the back end, is loaded with risk.

Finally, banks need to build privacy-conscious cultures. The unmapped risks around privacy cannot be managed as a compliance task. Rather, banks must "bake-in" a sensitivity that thinks through privacy issues before — not after — the fact. More basically, banks that want to win the gold rush for customers empowered by Information Age choices will have to offer privacy safeguards that gain and keep consumers' trust.


Ms. Barefoot is a partner with KPMG Barefoot Marrinan, Columbus, Ohio.

Copyright © 2003 by Banking Strategies, published by BAI.
