Banks and regulators work together to improve the policies that protect personal information.
The ink was hardly dry on the Gramm-Leach-Bliley Act when consumer advocacy groups and some regulators began criticizing financial institutions for dragging their feet on the law's privacy provisions. Some two-and-a-half years later, the issue shows no signs of abating.
In December, USAction, a national consumer organization, issued a report saying that bank privacy notices are confusing and misleading, and fail to comply with the law. USAction graded the privacy notices sent out by the 15 top credit card-issuing banks according to clarity of message, depth of content and ease with which a recipient could exercise privacy rights. Three banks were given an "F", six a "D" and none better than a "C."
USAction and other consumer groups have called on Congress to enact stronger financial privacy regulations, including not allowing banks to share information without consent ("opting-in"). They have also asked the federal agencies that regulate privacy notices, including the Federal Deposit Insurance Corporation and the Federal Trade Commission, to ensure that privacy notices be clear and understandable.
Despite the claims and protestations of USAction and other watchdogs, many financial institutions do not see the need for increased privacy regulations. Indeed, industry-sponsored focus groups and consumer surveys have consistently reported a high rate of consumer satisfaction with the notices. According to a survey by Star Systems, a payments processing network, 61 percent of consumers rate their financial institutions as good or excellent at communicating privacy policies.
The discrepancy between consumer groups and banks on the privacy issue is attributable to a lack of communication between the two, according to bank officials.
"I don't think there are substantive conversations going on," said Julie Johnson, chief privacy officer at Bank One. "There is a real disconnect between what our consumer surveys are saying and what advocacy group surveys are saying."
Financial institutions see themselves as making a best-effort attempt at complying with the law and addressing customer concerns regarding privacy. "What we did was draft a policy to comply with the law and we went to real customers and asked them to approve the notices," said Robin Warren, privacy executive at Bank of America. "We've asked the banking regulators whether they have received complaints about the notices and they haven't, so the process is not entirely broken."
Contrary to what consumer advocacy groups are saying, no evidence exists that consumers are agitating for privacy law reform, according to Warren. "Consumer behaviors and actions do not correspond to the consumer advocacy group beliefs about consumers."
Noted Johnson, "Consumers are not calling for more privacy information. If they had, we would have responded."
Advocacy groups say the reason consumers aren't more vocal about privacy is they haven't been given enough information to make an informed decision. Financial institutions say it's because consumers trust them with sensitive information. "Consumers trust their financial institutions. That is part of the reason they chose those institutions in the first place," said Warren.
Consumer groups and financial institutions are also at odds over whether the law goes far enough. Consumer groups would like consumers to be given the right to opt-in, or specifically consent to information sharing. A number of bills aimed at opt-in and other increases in privacy restrictions have been introduced in Washington. "Consumer advocacy groups want the law changed altogether, and they are going to continue to criticize the notices until the law changes," said Bank One's Johnson.
Banks and advocacy groups agree that education, or the lack of it, is a big part of the problem. With the law nearly three years old, many consumers still lack an understanding of the regulations surrounding use of their personal information.
Consumers need to be educated regarding privacy issues before they can make an informed decision, Warren said. "Privacy notices are driven by legislation and regulation. Consumers need to be educated and become more savvy so they can tell us what they want to know about privacy."