Opt-in Requirements Could Chill Cross-Selling

Regulation has been a driving force in defining privacy policies at banks, and privacy and marketing strategies have to be considered against the backdrop of that regulation.

Over the last decade, government privacy rules have expanded the scope of regulation by restricting the ability of banks to share information and creating more opportunities for customers to prevent the sharing of that information and its use for marketing. The Fair and Accurate Credit Transactions Act of 2003 (the FACT Act) gives consumers an opportunity to opt out of the use of information shared with affiliates for marketing purposes. In July, the federal banking agencies issued proposed regulations to implement the FACT Act. These rules are slated to go into effect in March 2005.

The FACT Act also reauthorized an earlier law that was set to expire last year, the Fair Credit Reporting Act (FCRA). This 1970 law was amended in 1996 to focus more on protecting consumer privacy involved with information-sharing with other businesses for marketing purposes. That law stated that banks could not communicate information normally found in a consumer report with affiliates or non-affiliated third parties. That includes credit worthiness, credit standing, credit capacity, character, general reputation, and personal characteristics, such as age and mode of living.

Under FCRA, however, banks were allowed to share information on transactions or experiences between the consumer and the bank with their affiliates and with non-affiliated third parties. Further, FCRA allowed informa-tion-sharing for some types of information beyond transactions and experience data, if the bank sent a "clear and conspicuous" notice giving customers an opportunity to opt out. If customers so chose, banks would not be able to share other information for marketing purposes.

Congress revisited privacy issues in 1999 in response to rising consumer concerns about the issue and the belief that customers might need more privacy protection with the growing integration of banks, insurance companies, mutual fund companies and brokerage firms under single corporate umbrellas. For these reasons, Congress adopted stronger privacy protections under Title V of the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999. Importantly, GLBA also allowed states to develop strong privacy protections — a decision that promised to make compliance more costly for large regional and nationwide banks that operate in many states. GLBA required banks to provide annual notices beginning in 2001 of their information-sharing practices with both affiliated and non-affiliated third parties. The law also required banks to give consumers the opportunity to opt out of all information-sharing with non-affiliated third parties. The opt-out, however, does not apply to affiliates. Nor does it apply to non-affiliated third parties that have a joint marketing relationship with the bank — thus providing regulatory relief to smaller banks, which lack the investment banking, insurance and mutual fund affiliates of some large banks.

A potentially more serious regulatory challenge emerged last year when California passed a stricter privacy law than the federal FCRA law, despite Congress's intent to preempt state laws.

Under the California Financial Information Privacy Act, known as SB-1, shorthand for Senate Bill number one, customers have to opt in to an agreement before banks can share customer information with affiliates. In this approach, a customer would have to affirmatively agree to information-sharing between affiliates before it could occur. After a California federal district court in June ruled that the California law was not trumped by the federal law, the law went into effect in July. Banks had to move quickly to opt out all California customers of information-sharing by affiliates, pending an appeal of the decision.

The California law imposes a strong barrier to the ability of banks to market across affiliates and should signal possibly serious problems ahead if privacy requirements become more difficult in the future. If banks have to ask customers to opt in to a system before they can share information and solicit across affiliate lines, it would deal a blow to cross-selling. The California opt-in provision may be overturned by a higher court, however. Federal banking agencies, led by the Office of Thrift Supervision, have filed an amicus brief supporting federal preemption of the California law.

For continuing coverage of the significant developments in this litigation, check BAI's Fraud and Identity Theft Center at www.bai.org/fraud.

— Robert Stowe England