Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Management Strategies

07:50 AM
Connect Directly

With Deadline Approaching, Regulators Call On Banks To Tighten Information Security Procedures

As the July 1 deadline for compliance with Gramm-Leach-Bliley's privacy provisions nears, regulators are calling on banks to tighten their information security procedures. Institutions that don't move fast enough could find themselves on shaky legal ground, observers say.

The federal bank and thrift regulatory agencies have adopted guidelines requiring financial institutions to establish an information security program to identify and assess risks that may threaten customer information; to develop policies and procedures to manage these risks; to implement and test the plan; and to adjust the plan for changes in technology and other factors.

That spells trouble for some banks, experts say. "Not only are the regulators going to be on their backs, but you're going to have deceptive acts allegations by states and private action lawsuits," said Sai Huda, CEO of, a San Diego, Calif.-based consulting firm.

In December, Fleet Mortgage, a mortgage servicing subsidiary of FleetBoston, got hit with a lawsuit accusing it of sharing customers' home mortgage account information with telemarketers in violation of company privacy policy. The suit, filed by Minnesota's Attorney General Mike Hatch, alleged that Fleet billed customers' mortgage accounts without their consent for memberships in "discount clubs."

Two weeks later, Fleet updated its policy to prohibit the sharing of nonpublic customer information with nonaffiliated third parties without prior consent. Fleet said the timing of the new policy wasn't related to the lawsuit. "This newly updated policy is the result of over one year of extensive, company-wide research into this critical issue," said Agnes Bundy Scanlan, chief privacy officer at Fleet (and the first to hold the title).

The new Fleet policy is stronger than is called for under Gramm-Leach-Bliley, which merely requires banks to allow customers to opt out of marketing programs. Other banks, such as Bank of America and Wachovia, have gone even further, banning outright the sharing of information with outside parties for marketing purposes. The banks concluded that the hassles of administering an opt-out program plus the public relations benefits accruing from an outright ban outweigh any marketing revenues, said Huda. "Some institutions are making the conscious decision to lose some revenues, that it's more important to maintain the customer relationship."

Wachovia prohibited the sharing of information even with its own affiliates, although that shouldn't hurt revenues, Huda said. "They probably weren't making that much money by sharing with affiliates."

The opt-out provision is but one of the issues facing banks. Another provision requiring the mailing of privacy notices is a potential public relations booby trap. "Some of the banks may not realize that this is an opportunity to communicate with customers and build trust. So some of the privacy documents will contain legalese," said Huda.

The issue is further clouded by a loophole in the regulations implementing Gramm-Leach-Bliley that exempts banks from the opt-out requirement when a third-party provides services on the bank's behalf and agrees to keep customer information secret. By simply calling their joint marketing agreements "service contracts," banks could thwart the intent if not the letter of the law, Huda said.

Still, the decision by some of the nation's largest banks to prohibit information sharing entirely says something about the impact of Gramm-Leach-Bliley's privacy statutes.

"There's a lot of implementation issues," said Huda. "You've got to do an inventory of what kind of information you have today, and how and what kind of sharing you do. Most banks haven't formally identified that."

Then there's the problem of honoring a customer's decision to opt out. "How are you going to make sure than when customers opt out that you actually do it? There's no way you can do that manually," Huda said.

The task of compliance is technically challenging, said Jennifer Barrett, privacy leader at Axciom, a Little Rock, Ark., software vendor. "Data is often fragmented and housed in disparate silos across the enterprise. Different lines of business don't always interact. Yet the institution must develop a privacy policy that comprises the depth and breadth of its corporate identity."

Axciom is touting its flagship customer relationship management product, AbiliTec, as a compliance aid. "AbiliTec is capable of quickly creating an accurate, single view of a customer," said Barrett, adding that this allows a bank to not only comply with the law but to improve customer relationships.

Comment  | 
Print  | 
More Insights
Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.