October 09, 2003

Getting Out in Front of Financial Privacy


Momentum towards stronger financial privacy for consumers in the United States has picked up a lot of steam over the last 30 days. While most welcome the change, some financial institutions are still tentative about the new direction, others are actively resisting it, and a few are not sure how to respond. But to strategic-thinking institutions wanting to secure competitive advantage, we believe that now is the time to act: getting out in front of the financial privacy issue, leveraging their reputations for trust, and better serving their customers in the process.

How Did We Get Here?

The recent seeds for strengthened financial privacy were planted in 1999 when the U.S. Congress passed the Gramm-Leach-Bliley (GLB) Act. Conceptually, GLB relaxed the artificial walls between the banking, insurance, and security industries, effectively allowing a single entity to offer financial products from all three categories to customers. While not central to the act, significant financial privacy rules were also enacted, effective in 2001, that required any financial institution that wanted to share non-public customer information with third parties to give customers an opportunity to opt out, or block, their information from being shared.

The opt-out approach was a classic political compromise, of sorts, enabling individuals on the privacy fringe to limit how financial institutions use customer information, but was cumbersome enough to simply be ignored by most convenience-oriented customers. Significant in retrospect, GLB also gave states the right to enact even stronger financial privacy, if they saw the need and could muster the votes to pass such legislation at the state level. Several states have gone that extra mile (North Dakota, Vermont, New Mexico, and now California) to do so.

Of the state-level legislation enacted in the last few years, the just-signed California Financial Privacy law goes the furthest, extending to customers the ability to opt out of information sharing among even affiliated companies (within the same holding company) and requiring financial institutions to have explicit customer approval, or opt-in permission, before sharing financial information with third parties. While most analysts have focused on the back-and-forth power struggle between partisans, in a practical sense the adoption of the opt-in requirement means that strong financial privacy is the default in California beginning next July.

Financial services industry critics of privacy regulation say these state-level laws limit customer choice (by restricting the downstream offers of secondary products to consumers), increase cost (relative to revenue), and lack any consistency from state-to-state (which is true enough). Proponents say these are orthogonal arguments and are just the cost of adequately securing sensitive customer information.

In addition, federal regulatory agencies recently released for comment proposed guidelines that would require financial institutions to notify customers (under certain circumstances) if they discover unauthorized access to sensitive customer information, such as social security number, username, or password. California enacted legislation last year that effectively requires any such disclosure be communicated to any affected California citizens.

What Changed?

Why is "business as usual" in the financial services industry suddenly under assault on both the legislative and regulatory fronts? Simply stated, people are a lot more sensitive to privacy issues and abuses. This came through loud and clear in an April 2003 Harris Interactive survey of U.S. adults:

10 percent of those surveyed were "privacy unconcerned"

64 percent of those surveyed were "privacy pragmatists or people who are concerned about their privacy and want to protect themselves from abuse or misuse of their personal information by a government organization or a company"

26 percent of those surveyed were "privacy fundamentalist who believe their privacy is eroding and are trying their best to halt the process"

When 9 out of 10 bank customers say they are concerned about privacy, something very important is changing the marketplace. When one out of four customers identify themselves as "privacy fundamentalist", the genie is truly out of the bottle.

We suspect that what's really behind this dramatic shift in attitude, especially as it relates to financial services, is the dramatic increase in identity theft. Gartner reports that 7 million U.S. adults, or 3.4 percent of U.S. consumers, were victims of identity theft during the 12 months ending June 2003. The identity theft problem has become wide enough that many people, if not victims themselves, know someone else who has already been victimized.

It's also worth noting that the shift in attitude about privacy is not focused just on the financial services industry. The Health Insurance Portability and Accountability (HIPAA) Act of 1996 addressed many of the same issues with respect to sensitive medical records and personal health information.

It's Not Over Yet

While the changes to date have been dramatic, collectively we are still in the early stages of establishing a national policy in the U.S. towards financial privacy. Several large financial institutions are still publicly opposed to the recent California Financial Information Privacy Act and reserve the right to fight it through the court system. Others hope to lobby behind the scenes to influence the upcoming revision of the Fair Credit Reporting Act (FCRA) to overturn some of these state-level protections and to pre-empt local jurisdictions from enacting any broader financial privacy laws.

While it's hard to project the final outcome, it is clear that these efforts, if pursued, are flying in the face of what the average person wants and will likely paint financial service providers as anti-consumer. While not the end of the world, such a stance could erode much of the hard-won trust that financial institutions have earned from customers.

Unlike marketing costs, it's hard to place a direct monetary value on trust. Participants in other industries would love to have the same level of consumer trust as financial institutions. But they don't and they're not likely to ever earn it. Holding on to this trust will be especially critical as banks and other financial services companies move forward in the coming years to leverage new technologies and introduce new services. In the area of biometrics, for example, early deployments show significant cost savings for financial institutions, but achieving those benefits will require convincing consumers their personal biometric data is private, secure, and never available for sale or misuse.

Recasting the Problem as an Opportunity

Consumers are saying loud and clear they want and value strong financial privacy. Financial institutions should give it to them and take credit for it. Don't offer consumers financial products; offer them "privacy enhanced" financial products. Don't just provide strong financial privacy in four states; provide it universally across the institution's complete geographic footprint. Don't just give consumers the minimum privacy required by law; protect them in ways they wouldn't even dream about.

Easier said than done? Here are some ideas:

Privacy Policies. Explain privacy policies in everyday language that anyone can understand. Don't make the policy read like a contract addendum in six-point type; instead be real clear about not selling, renting, or sharing private financial information without explicit consumer consent.

Online Banking Site. Financial institutions could provide easy access to do-not-call registries and credit bureaus from their own online banking sites, and provide help and guidance to consumers wanting to utilize them. By helping customers proactively fight identity theft and frivolous direct marketing, institutions can reinforce the strong trusted reputations they already enjoy.

Credit Card Enhancements. Much like travel accident insurance is included as a credit card enhancement, financial institutions could provide identity theft insurance at no cost to the customer as another built-in card enhancement. There are distinct first-mover advantages to making this move.

To the extent other financial institutions drag their feet (waiting until the last possible day to provide the minimum compliance required by law, and fighting even that in court), the savviest institutions will begin to provide strong financial privacy now, integrate it into their branding, and use it to differentiate themselves from competitors. As Harry Truman might say, the time has come to "get out in front of it and call it a parade."

And who knows, maybe privacy-concerned consumers will jump ship and move their business to privacy-friendly financial institutions. With strong financial privacy gaining momentum, what's for sale won't be my sensitive financial information; it will be my loyalty, my trust, and my business (and associated profits) to a financial institution that earns it.

Posted by graeme at October 9, 2003 07:07 AM

Where does one begin to start? "Over the last 30 days..."

This has been predicted and predictable. The security industry has been rendered irrelevant to the question of privacy by the demands of banks.

It is curious that in the last decade there was an explosion of interest in privacy enhancing financial products. So much so that we even have a name for it, financial cryptography.

What happened to all that energy? Well, unfortunately, it promised to lower costs dramatically, and that is something that scares the big financial players.

To be fair, one can understand their fears. Why put in place a system that lowers costs by 10-fold, thus inevitably resulting in a 10-fold fall in revenues? What board of what financial institution would sanely court the reduction in profits that results from saving so much money?

The retail finance system of the USA is built on the single brick of identity. Like no other, in the US, your meatspace true name rules your ability to walk into any store.

It is no surprise to financial cryptographers that this reliance on a single, pervasive, simple tool results in a single, pervasive, simple problem: identity theft.

One can rail against the institutional momentum that carried the USA down this path, but in a sense it is inevitable. Identity obviously made a lot of money. Consumers in the US accepted it (unlike elsewhere) because it gave them a lot of benefit.

How this gets unravelled ... or indeed if it gets unravelled, will be the great retail finance question of the next decade.

Posted by: Ian Grigg at October 9, 2003 10:05 AM