About UsWhy Choose GCG?ServicesResourcesProfilesContact UsHome

FINANCIAL SERVICES

Privacy Does Matter

January 26, 2000

A presentation by Christopher C. Gallagher*
To the New Hampshire Bankers Association and
the Vermont Bankers Association

TITLE V - PRIVACY

Implementation - November 12, 2000

I. Disclosure of Nonpublic Personal Information (NPPI)

a) Policy
Every financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of their NPPI.

b) Standards
Each functionally regulating agency (including state Insurance Departments) shall establish standards relating to:

Safeguards - (technical, administrative, physical) - to protect against:

  1. breaks in security
  2. anticipated threats, or
  3. unauthorized access that could cause customers substantial harm or inconvenience.

c) Notice
Financial institutions may not disclose NPPI to a non-affiliated third party unless consumer has been provided:

Opt Out Notice that is:

  1. Clear and conspicuous and includes
  2. Opportunity to opt out with
  3. Explanation of how to opt out.

Receivers of NPPI may not disclose to another (except an affiliate of the receiving party and the originating financial institution).

d) Account Number Information
May not disclose to any non-affiliated party for use in marketing except to a consumer reporting agency. (FCRA)

Exceptions:

  1. As needed to carry out transactions authorized by the consumer.
  2. With the consent or direction of the consumer. (opt in)
  3. To protect confidentiality and prevent fraud.
  4. To provide information to insurance rate advisory organizations.
  5. As permitted by Right to Financial Privacy Act.
  6. To a consumer reporting agency (FCRA).
  7. Sale or merger (due diligence).
  8. State or federal directives.

II. Policy and Practices Disclosure

Disclosure required when customer relationship is established and annually thereafter, re:

  1. Disclosure of NPPI to others
  2. Even regarding old customers
  3. Protection of NPPI

III. Rulemaking by May 12, By All Federal Agencies (including the Federal Trade Commission (FTC))

First cut is attached (15 pages) dated 12/21/99

Comments on Rules

  • Compromise between customer privacy and commercial freedom.
  • Who owns NPPI? Who controls?
  • Who obtains value?
  • Who is your customer? Includes all loan applicants and others who are required to give you personal information, ever if the relationship is never formed.
  • Former customers include anyone with whom you ceased working before November 12, 2000.
  • Personal Information includes fact that someone has been a customer.
  • Foreign ATM user is not a customer.
  • Explanations of policy and practice need not be exhaustive — i.e. may in certain cases say "as permitted by law."
  • Examples used — leads to common sense basis for analysis.

IV. Definitions

NPPI means personally identifiable financial information provided by consumer, resulting from transactions, OR OTHERWISE OBTAINED.

Not included:

  • Publicly available information derived without using any non-public personal information.
  • State and federal records
  • Widely distributed media: telephone book, Internet site, available without password.

Financial Institution means any institution that engages in financial activities described in FMA.

  • Ratchet effect - FTC enforcement
  • Uniformity
  • Clawbacks

V. Preemption — State Action

  • Title V (A) will not alter any state law except where it is inconsistent.
  • Such laws are not inconsistent if the protection afforded any person is greater than the protection provided under Title V (A).

VI. Study

  • Report January 1, 2001
  • Information sharing practices among affiliates.
  • Extensive and precise.

VII. Not the Beginning - Not the End

Information Age driven by exponentially expanding:

  • Access
  • Aggregation
  • Processing power
  • Profiling - modeling

which is obliterating space and distance.

Technical Evolution is not constrained by the physicality, that constrains the pace of human evolution.

People are more protective of their...

VII. Personal Space

  • Reproductive Issues (Roe v. Wade)
  • Health data
  • Financial data
  • Who controls my information?
  • Where is it going?
  • Who is entitled to profit?

VIII. Personal Privacy/Security Concerns

All as old as man as a social animal.

Today polls confirm increasing concerns.

What used to be concern about Big Brother — government — use of data is now...

  • concern about data collection
  • exacerbated by Internet
    1. No personal cues.
    2. Can't give false data.
    3. Higher level of awareness.

Concerns will not be alleviated by markets — or technological arms race as in Spy vs. Spy cartoons.

IX. Government Will Intervene

Based upon

Privacy Online, A Report to Congress, June 1998

a. No meaningful difference between online or off line invasions

b. Washington and policy organizations relate to this

c. FTC will be defining extensions beyond banking.

FTC PRINCIPLES

  • Notice/Awareness
    • most fundamental
    • who, what, where
    • internal and external
  • Choice/Consent
    • Who is in control?
      • opt in
      • opt out
      • affiliates?
  • Access/Participation
    • Who can see, change?
    • Control
  • Integrity/Security
  • Enforcement/Redress
    • self regulation
    • common law
    • statutory

OCC

  • Will be out front.
  • Opt in should apply to affiliates
  • Banks should persuade customers to opt-out; not decide for them.
  • Personal information has value.
  • Predatory practices will be prosecuted.

X. Current Developments

  • Concern Growing
  • Common Law responding
    • Sp. Ct. — Roe now Condon
    • FOIA exemption upheld.
  • State Legislatures
    • Drivers Privacy Protection Act (DPPA)
  • European Union
  • FTC principles
  • FMA

Regulations in Early Draft

  • Public Awareness of "what has been going on for years" is not going to lead to public apathy.
  • As awareness of encroachment on personal space by direct surveillance or by processing massive bits of data into profiles, public will be alarmed because
  • Cyber identity can become real identity, which is
  • Theft of your very personhood.

XI. Banking

  • Information Age will commoditize products.
  • Services will define winners.
  • Trust is key to bank branding.
  • Customized services will require trust.

Don't just get a policy.

Make privacy and personal security a part of your line of business and marketing.

XI. The Winners in Financial Services Will...

  • Offer secure, private and customized access to multi-channeled, comprehensive services.
     
  • Community banks are in good position to be winners.
     
  • Consensual occupation of customer's personal space required to provide financial services.
     
  • Requires intimacy that cannot happen without trust, and that requires customer control, security and privacy.

*Christopher Gallagher is admitted in New Hampshire.

 

Return to top of page

Return to HOT TOPIC: PRIVACY
Return to Financial Services Articles
Return to Firm Publications

 

 

 

 

 

 

 

See also:

Hot Topic:
Privacy

 

 

 

 

 

 

You may contact Christopher Gallagher at 800-528-1181.
About Us - Why Choose GCG? - Services - Resources - Professional Profiles - Contact Us - Home