FINANCIAL SERVICES
Is It Any of Your Business?
Consumer Information, Privacy, and the Financial Services Industry
March 23, 2000
Remarks of Christopher C. Gallagher*
at a public forum hosted by the Federal Deposit Insurance Corporation, Arlington, Virginia
Good morning.
I am honored to share the podium with this distinguished panel at such a significant event. The subject today is privacy. My assignment is to provide further context for today's discussion. I am trained to approach the issue solely as a lawyer, but I am tasked today to deal with the more fundamental social issues surrounding our subject.
This issue is hot. Indeed, I expect that like me, each of my fellow panelists began preparing for today some weeks ago, when we were well ahead of the informational curve on this topic. By this week, it has been all any of us could do just to keep up with the daily deluge of books, white papers, controversies and articles about privacy. And where else but in this new information economy could you hear privacy pronouncements from seven regulatory agencies, the President of the United States, countless publications and pundits, while at the same time watching DoubleClick's dramatic case study, all in the last few weeks?
And even though our subject matter is very current, it is not a fad. Indeed, it promises to occupy our collective attention for years to come. Why? Because privacy concerns as a social, political and economic issue are not merely a symptom of the new economic paradigm — they are its inevitable result.
Privacy is, and will continue to be, a pressing and prominent issue because it sits squarely at the intersection where something very near and dear to each of us — our personal identity — collides with the operating efficiencies and economies relentlessly driving this new information age.
At the bottom line, the neocortex in our human brain — what separates us from the rest of the animal kingdom — has been evolving for 400,000 years, while we confront technologies evolving at warp speed, totally unrestrained by the physical constraints that have traditionally moderated the process of evolution. Some may view this as a benefit. Others mourn the loss of security within their personal space. In any case, there is no turning back. The collection, utilization, manipulation and distribution of information about everything, including each of us, will continue. The technology enables it. The economics of the new age demand it. And nothing can contain it.
Why? Because...
New and revolutionary principles lie beneath this evolutionary change. Moore's Law states that processing capacity doubles every 18 months with no increase in cost. Accordingly, the processing of information about everything, including each of us, will continue to be cheaper, faster and better — the mantra of the new economy. Metcalfe's Law, which repeals age-old economic laws of value, states that as the number of facilities connecting us with one another increases, their value also increases. Multiplicity, not scarcity, creating value is a significant change. Consider the fax or the Internet itself. The more nodes on the network, the more valuable is each node.
Now combine this exploding processing power and expanding connectivity with the transaction cost principles of economist Ronald Coase, who has correctly theorized that as the costs of accessing needed information diminish, firms whose business model has been to fill that information gap (banks come to mind) will be bypassed, or as folks in the book-selling and travel agency businesses have learned, "middlemen" will be "Amazoned."
The process of bypassing intermediaries moves commercial focus to mass customization, with its targeting of individuals as unique participants in the new economy — one-to-one marketing. But successful and efficient execution of such marketing requires the collection and processing of information about you, information that you have controlled your whole life; personal information by which we each define ourselves in different ways to different people.
Lots of people know a lot about you, but only you know the complete picture. That's how we each control our own identities. Now, as the new economics of cheaper, faster and better technologies collapse the barriers of space and distance and simplify the monumental task of watching, accumulating and identifying patterns in everything we do, this personally-managed definition of ourselves is no longer safe within our own exclusive grasp. In short, unless we choose to be a recluse, others can, and therefore must, know as much about us as we do ourselves. A frightening thought really...
Until very recently, a statistical majority, the "privacy pragmatists" so-called, have been quite comfortable with the personal information flow used to make life more convenient and shopping more efficient. But now these folks are feeling less secure. Most recently, polls show a new majority favoring laws to regulate the way personal information is collected and used. Indeed, over 60% of us are "very concerned" that information gained while we are on-line will be used to give us unwanted information. And a whopping 87% of those who use the Internet are "worried" about that usage and their privacy. Trends toward personal discomfort, therefore, are on the rise. That rise will continue. Yes, we all share private information, even with strangers, but we do so face to face, where personal cues give us confidence and control. But as our awareness about today's distanced data-gathering, surveillance and profiling elevates, and that awareness is intensified by the web, public concern and public clamor for protection will rise with it. The real benefits of data mining and surveillance, including lower costs, higher efficiencies, convenience and protection against fraud will be harder to see and likely will be buried beneath accelerating demands for change. Elected officials will respond. And that's where we come in. What do we tell them? What policies should they adopt?
Indeed, it is by now very clear that the business model on the Internet is not to pay for content but to get it free. We all enjoy this luxury, but someone has to pay for it. Like television, radio and magazines, that someone is the advertiser. If we expect this wealth of useful information to continue to expand, we must accept the notion that the advertising funding it will have to be effective, and that will require personal targeting.
Some basic facts...
On-line advertising, mostly banners that fund the web sites that we all enjoy, is ignored routinely 99% of the time. Two billion dollars in expenditures in 1998 became four billion last year. This exponential growth continues. But if this business model is to work, the average click-through rate of 1% is not enough. In short, "directed" or "targeted" marketing (depending on the rhetoric you like) isn't merely a convenience, it is a necessity. It will be employed by all retailers, especially providers of financial services, whose products clearly are commodities and whose customers — now given almost infinite choice — are as football coach Bear Bryant described his favorite linemen: "agile, mobile and hostile."
In the years to come, expanding choice, competition and commodification will compress profit margins. Three percent of auto purchases are now made on the web, but more than 50% are preceded by the access to the web and its valuable information. That commoditizes car buying and also flattens profits.
Not all banks are Internet banks, but no bank can reasonably expect to operate beyond the competitive and margin-compressing influence of pricing and product information now available. And so, financial services providers, with their commoditized products, have no choice but to bundle services and products to customize their relationships with their customers. And information about present or prospective customers is the key to efficient and effective execution of that strategy. As long as someone else's services or products are just a click away, customer retention is possible only if you can know all there is to know about that customer — and you retain that person's trust. But "there's the rub," as Hamlet said. How can financial services providers find and keep their customers, maintaining enough information to custom-serve them conveniently and cost effectively, and still retain their trust? With rapidly evolving technology and slow-moving change in our human personality on a collision course, that question has to be a matter of concern to them and all of us, because the successful and competitive operation of our banking system is now a matter of safety and soundness.
Should government intervene? And if so, how much more?
The Federal Trade Commission's fair information practices set forth in 1997 are still the basis for any sound response to the policy implications of the information-privacy dilemma.
- Notice
- Choice
- Access
- Security, and
- Enforcement;
are still the way to manage this apparent conflict. But this doesn't mean that these essential elements must be assured by statute. Indeed, each of them is legally in place now if one layers GLB over other laws already in effect. One of today's questions should be whether these laws are enough and, if not, what will make them more effective.
So let's just list some basics to outline the legal framework.
1. You are all aware that Brandeis and Warren said 110 years ago that privacy meant the right to be let alone, and building on that right, tort law recognizes the invasion of privacy as a cause of action.
2. We all know that "privacy" is not mentioned in the Constitution, but that courts have nonetheless declared its presence. "Democracy" isn't mentioned either. It also is protected by our Constitution. Moreover, just as many now assert that individual property ownership is "essential" to democracy, individual privacy probably is as well. But making privacy a right pushes this process into the courts. Courts will protect it, but should this important social issue be left to the judicial process?
3. We all know the content of the emerging privacy regulations under Title V of Gramm-Leach-Bliley. What we do not know is whether these regulations are a landmark culmination or just a threshold to more legislation. We know the rules are serious and should reasonably expect that banking regulators competing with the FTC will enforce them. So statutory rules are now in place. There may be more, at state and federal levels. Today we'll ask whether we now need more. How much more?
4. We also know the issue will be political, but even that process is less predictable than usual. The privacy issue doesn't easily break out into traditional conservative and liberal positions. Conservatives generally love law enforcement but hate government intrusion into markets and individual freedoms. Liberals, on the other hand, generally want to curtail police power but love to see government step in and solve problems, especially where those solutions are perceived to protect individual freedom.
And if, by the way, you listened carefully to what was just described you heard a match in these two descriptions. Both liberals and conservatives worry about protecting individual freedoms. This concern is the common ground creating a base for political pressure. Legislative action is inevitable.
How should we who influence policy respond to these developments?
There are choices.
A. What about doing nothing? There are those who say that this is all old hat. Why all the fuss?
But saying that this personal profile information has been used for years will not work. DoubleClick executives tried that argument early in their recent crisis. But the assertion that something has been going on for years and therefore should be allowed to continue, will not work if the process considered is abhorrent when discovered. Consider learning that the servers in your local restaurant never wash their hands, but that's been the case for years! You will probably bring a sandwich to work.
We all know that personal information should be shared with doctors, partners, advisors and even the police in order to promote the public safety. And whether or not we like it, financial information has now been placed in that same tight zone of personal privacy, and thus its sensitivity is shared with the likes of medical and sexual orientation information. There are real communitarian reasons applicable to this issue to allow our personal information to be shared with others, but efforts to remove privacy from that special treatment zone are not likely to succeed. Accordingly, the sharing of personal financial data implies an intimacy level that in turn requires trust. Providers of financial services may or may not be pleased about this development, but it is real and it is significant, and I believe unchangeable.
B. How about fighting back? Why not use technology to protect us?
Encryption clashes with our national security. Digital certification can work and anonymity is possible on the Internet, but counter-surveillance technologies are expensive and complex. And anyway, people whose VCR's are still blinking will not be confident about the use of privacy protection devices requiring competence to operate. So a privacy "arms race" pitting consumers against commercial interests cannot work, and will not resolve the privacy conflict.
C. What about self-regulation?
The FTC in 1997 and now Title V have appropriately signaled the end of self-regulation as a solution. Industry trade groups, especially the ABA, have tried and they are making headway, but those efforts alone are not the answer. Self-regulation in this new competitive economy can't work unless it is practiced by everyone. It won't be.
D. What about Gramm-Leach-Bliley?
Significant change has happened. GLB requires that financial services providers preserve and protect our personal information, that they publish their privacy policies and practices. Transparency can, and I think will, have a profound impact on the financial services market. We now know that with privacy, public awareness results in public reaction, as DoubleClick has recently found out. The harsh lessons of the DoubleClick affair will not be lost on those who want to keep their customers and maintain their market capitalization. Indeed, secure and smart handling of personal information must be a part of any successful financial services provider's offering of products and services.
That is why I think the most important question of the day is really whether we should give this new process time to do its job rather than layering more government requirements on top of what is now in place. So before we throw all these issues open for debate, I would like to express a personal view. Call it another "Third Way," effecting change by using government to leverage market conduct.
The lessons to be learned from DoubleClick have been noted. Customer choice and elasticity will force purveyors of financial services to offer them with privacy protection and security that will satisfy consumers newly educated by the macro-impact of current publicity and the micro-impact of Title V. We need to give this process a chance to work.
Keep in mind that the blinding pace of change that tends to threaten us can also work in our behalf. As providers of financial services comprehend the depths of our concern as individuals about controlling the distribution of our personal information, they will rapidly respond. And although there may be a gap between the intensity of our concerns and the effectiveness of their response, delay will be short. I commend to each of you StartFree.com, the offering of a free Internet service committed to limited advertising and a guaranteed consumer privacy policy. It became operable just two days ago. Markets are responding.
But why wait at all, you ask?
Because each of us here today is well aware of the many social and economic benefits flowing from this emerging information technology. Of course, this subject can be demagogued and statutory remedies feel good, but as it was with fees on ATM's, given an opportunity, a highly-competitive market will sort itself out and it will find the right balance, especially if we here today can find ways to work together.
So let us now begin today's deliberations and by the time the conference closes, may the public be the winner.
*Christopher Gallagher is admitted in New Hampshire.