Privacy Concerns Reset Marketing Boundaries
BY CHARLES KEENAN
As security concerns proliferate, customer privacy returns as a front burner issue.
Regulators and consumer activist concern over banks' procedures and policies regarding customer privacy has heightened in the past year. Well-publicized security breaches raise new questions about how financial institutions and their providers are protecting customer data. The emerging "best practice" at many institutions now means going beyond the letter of the law to offer consumers more choice and stronger privacy protections as a competitive advantage. It's not just about protections and security but appeasing customers and using privacy as a marketing differentiator. Such measures incluclearer privacy statements, consumer education and tighter control over third-party alliances.
Privacy is a serious issue. Failure to protect customer data has resulted in a number of security breaches recently, leading to financial losses for customers in some cases.
The initial incidents are bad enough: banks that fail to adequately protect the privacy of their customers face lawsuits and heightened regulatory scrutiny. But the cost goes far beyond that. By not sufficiently protecting data, banks are putting their reputations on the line.
Banks already are spending large sums of money on privacy issues - an average of $2.7 million each for the 25 largest banks in 2004, the latest figures available from the Elks Rapids, Mich.-based Ponemon Institute. That includes the costs of staffing a privacy office, developing policies and procedures, employee training and technology investments.
Security breaches also have made banks more careful about sharing information with third parties. While financial institutions still look to mine the gold from customer databases, they face greater challenges in ensuring customer trust and securing the data. In recent well publicized incidents, several financial institutions have lost data tapes in transit.
But banks also face increasingly sophisticated threats from the Internet, such as phishing, where fraudsters build facsimile Web sites to collect information from unsuspecting customers, and keylogging, where criminals use software to capture a customer's key strokes and passwords.
How do financial institutions conduct effective marketing outreach while guarding their customers' information? Banks that can answer that question will stand apart from the pack.
Regulatory guidance provides a starting point for the discussion. But experts urge banks to go beyond what's required to adopt a best practices approach - which may in itself provide the competitive edge that every marketer desires. "Privacy is still largely viewed by banks as a compliance and regulatory issue, and not as a differentiator to be leveraged by marketing," says Peter Reid, a portfolio strategist with the security and private services group at Electronic Data Systems Corp., of Plano, Tex.
"But a good privacy policy can be leveraged to help create differentiation for a financial institution."
Richard Purdue, vice president and privacy manager at Cincinnati-based Fifth Third Bancorp agrees. "The more that consumers view you as an institution that cares about and respects their privacy, the more you will be ahead of the game from a competitive standpoint."
Security Issues
Over the past decade, government privacy rules have expanded the scope of regulation by restricting the ability of banks to share information. Some of this regulation came about in the wake of reported abuses of customer privacy that surfaced in the late 1990s.
U.S. Bancorp of Minneapolis, for example, was investigated for sharing customer information with a Connecticut-based telemarketing company, including customer names, marital status, occupation, Social Security numbers, birth dates, homeownership status, transactions, account balances and credit limits. The telemarketer, Member Works Inc., sold 70,000 U.S. Bancorp customers a range of products from telephone service to travel packages, according to the bank. Federal investigators charged that the telemarketer automatically withdrew payments from checking accounts without written customer authorization.
In 1999, U.S. Bancorp paid $3 million to settle claims filed by Minnesota Attorney General Mike Hatch while insisting it had done nothing wrong. In 2000, the bank also reached a settlement on a number of class action lawsuits filed in federal court, in which it agreed to pay small claims to those who felt they had been harmed.
New regulations enacted in the wake of this and other such incidents created more opportunities for customers to prevent the sharing of their information and its use for marketing purposes. For example, the Fair and Accurate Credit Transactions Act of 2003, or FACT Act, gives consumers an opportunity to opt out of banks sharing their information with affiliates for marketing purposes. Banking and thrift regulators and other federal agencies are expected to issue more guidance early this year on the sharing of information among affiliates.
"Banking agencies are much more concerned," says Gilbert T. Schwartz, a partner with the Washington, D.C. law firm Schwartz & Ballen. "When the examiners are coming in, they are looking to make sure the institutions have state-of-the-art procedures and policies in place and employees are protecting the information."
Security concerns have increased the pressure as a recent spate of lapses by banks or their solutions providers underscored the industry's vulnerability. ChoicePoint, a credit and personal information company in Alpharetta, Ga., told 145,000 customers last February that criminals may have gained access to their names, addresses and Social Security numbers. In an incident that generated enormous media attention, 40 million credit card numbers were compromised by CardSystems Solutions, an Atlanta-based payments processor. Bank of America Corp., Citigroup Inc. and Wachovia Corp. all reported lost or stolen customer data last year. Some of the breaches resulted in fraud.
More recently, People's Bank of Bridgeport, Conn., announced in January that an unencrypted tape containing data on 90,000 customers was lost during transport by United Parcel Service to the credit bureau TransUnion The tape included names, addresses, and Social Security and checking account numbers.
This increased attention to security issues may have made banks more reticent to talk about privacy. Of 15 banks approached to talk about privacy management for this article, only two agreed to an interview. Those who commented acknowledged the importance of the issue.
"The risks have changed," says Campbell Tucker, director of the privacy office at Wachovia in Charlotte, N.C. "There are more concerns about the possibility of fraud. There is also enhanced reputational risk. So the industry as a whole is more diligent than it might have been 10 years ago."
Security and privacy are separate issues. But they tend to overlap since a security breach can lead to unauthorized disclosure of customer information. "You can't have a great privacy perception and a poor data security perception," Purdue says. "They have to go together. If you don't have excellent privacy procedures, you are not going to be perceived as a trusted institution."
Even before some of the more publicized breaches last year, research showed slipping confidence among consumers regarding bank security of their personal data. Slightly less than one-third of respondents to a Ponemon survey based on 2005 data rated their banks "high" or "very high" in guarding account data, access codes and account numbers, down from 38% a year earlier, according to the research firm.
This lower level of trust could lead to more marketing roadblocks for banks down the road. "To the extent that there continues to be concern over information breaches, customers are going to demand more control over their information," says Purdue of Fifth Third. "That, in turn, may lead to additional restrictions on what you can do with customer data."
Karim Toubba, vice president of product management and corporate strategy at Ingrian Networks, a security solutions provider based in Redwood City, Calif., says the banking industry is becoming more cautious in its approach to customer information. "Banks have been very good at mining consumer information in the past," Toubba says. "But with the heightened awareness, banks are much more reticent to give out the information and provide it for use in broad marketing campaigns to third parties."
Privacy Statements
Best practices are evolving as financial institutions strive to maintain and build consumer trust, while continuing to tap into the vast marketing potential of their databases.
One critical step is keeping consumers informed, typically via the legally mandated privacy statements. "One of our biggest roles should be educating the customer, so they understand what the industry is doing and what we are doing to protect their information," Purdue says. "Education is one of the main initiatives the industry needs to take for people to understand that we do in fact take the responsibility seriously."
Fifth Third ranked third among the 25 biggest retail banks nationwide in terms of how much consumers trust the bank, according to the 2006 Ponemon survey (National City Corp. and U.S. Bancorp tied for first).
As required by law, Fifth Third sends out privacy statements on an annual basis. But it also reviews the statement each year to improve its clarity and usefulness to customers. The Gramm Leach Bliley Act of 1999 specifies the legal wording required in these statements, but also allows banks to include summaries written in plain English.
For its privacy statement last year, Fifth Third moved its description of opt-out policies for telephone calls and written materials to a more prominent position. "To make it easier for people, we said: 'Hey, if you don't want to get this stuff, here's how to avoid it,'" Purdue says.
Banks are being advised to re-evaluate what information they are willing to share with third parties. In fact, banks might be better off asking their vendors to hand over promotional materials, and mail them directly to their customer base, rather than rely on others to handle the task. "Given the concern a lot of institutions have with protecting information, we are going to see a lot fewer of them sharing information with third parties," says attorney Schwartz. "It has been a very beneficial exercise in terms of consumers because institutions have become very sensitive to ensure that this information is protected."
Underscoring the consumer concern, about 36% of consumers would be willing to switch banks for increased protection, according to a survey of 1,000 consumers last year by Unisys Corp., a technology services company in Blue Bell, Pa. And 36% said they would pay additional bank fees for better protection.
Third-party Scrutiny
One impact of all the consumer and regulatory concern is that marketing partners are coming under increased scrutiny. "We have to be very careful to perform due diligence on vendors to make sure they have procedures to protect data we may share with them," says Wachovia's Tucker. "We need to make sure we give the solutions provider only the data they need to do their job, as opposed to the data that may be convenient."
For example, banks working with mail houses need to be as selective as possible with data handed over for mailings. "The convenient thing might be to give the entire file, which includes the customer's Social Security number, their balances, credit scores, other things," Tucker says. "Yet the mail house probably doesn't need all those things to create the mailing."
Banks also need to have the right contract in place so they can go back and monitor how the solutions providers handle data. "It's all with a view towards making sure you don't have a situation where a solutions provider mishandles data," Tucker says. "It's your reputation that is affected. You can't outsource compliance. We'll still be responsible for mistakes at the solutions provider regardless of what the contract says."
Banks are urged to also have strong procedures in place to comply with national and state do-not-call laws, and legislation such as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.
For example, Tucker says Wachovia follows strict procedures for scrubbing customer lists with internal and external opt-out lists. The challenge is how to be certain that the lists are scrubbed within the time frames set by each law so that marketing departments aren't given stale leads by the time they actually make a call or e-mail, Tucker says.
Purdue notes that customers have been losing trust in bank e-mail in recent years because of spoofing and phishing schemes that make the medium less effective as a marketing tool. This has many banks such as Fifth Third turning to tailored messages on their Web sites. The messages are secure and are sent to customers from a central server. When customers log on, banks use the captive time to make more sophisticated pitches. Fifth Third, for example, can display messages relevant to a customer's needs, such as certificate of deposit offers or lines of credit.
"Rather than blasting out 200 million e-mails with one message, if I can identify you as a customer, then I can use the Web site as a way to market specific preferences to you directly," Purdue says.
Banks are also urged to focus on contingency planning in case of a security breach. "You better have a plan on the shelf ready to go to advise you what to do," Schwartz says. For instance, a bank may offer free credit monitoring to those customers whose data has been compromised. This is one means of thwarting identity thieves' attempts to open accounts in victims' names.
Bottom line, financial institutions should have a clear idea of where they draw the line, says Duncan MacDonald, a consultant and former general counsel of Citigroup Inc.'s Europe and North America card businesses.
"Banks should have very strict policies about who they are going to be selling their lists to," MacDonald says. "Banks on their own ought to live up to their fiduciary duty to their customers to just say, 'We're not going to step over that line.' "
Questions or comments about this article? Post them at the Banking Strategies blog.
Mr. Keenan is a freelance writer based in Brooklyn, NY.