Is Confidentiality in Banking Outdated?

Peter P. Swire

Chief Counselor for Privacy

United States Government

Overview:

Chief Counselor for Privacy The Banking Heritage of Trust Reasons for Data Transfers U.S. Bank and Today’s Real Problems The Administration’s Proposals Is Confidentiality in Banking Outdated?

I. My Background:

Writings at www.osu.edu/units/swire.htm Represented banks and ABHC in 1980s Taught banking reg 6 times in law schools “None of Your Business: World Data

Flows, Electronic Commerce, and the European Privacy Directive” -- first mention in print of several exceptions

“Chief Counselor for Privacy”

New Position announced by Vice President– In Office of Management and Budget– In Executive Office of the President

Public-sector data Private-sector data International point of contact

II. The Banking Heritage of Trust

My father-in-law, Ted Putney Trust officer & manager in Albany, N.Y. Proud to have the “trust” of his clients Family rule -- no names Not measured by opening his clients to

offers by affiliates or outside parties

Two kinds of “trust”

Confidentiality and trust as great banking traditions

Safety and Soundness– “Trust” in financial stability– Laws and norms against undermining public

confidence

Two Kinds of “Trust” (cont.)

“Trust” as confidentiality:– Customer as borrower– Customer as depositor– Customer who seeks advice from banker– Customer who uses a bank’s cash management

services

Beyond Ted Putney:

“Privacy is everyone’s concern, and these principles confirm what we have been saying all along -- the banking industry is still the center of trust and confidentiality”

ABA Privacy Principles (including notice and opt-out for marketing)

“Consumers of banking services have come to rely upon and, more importantly, expect that their financial information to which their institution is privy will be cautiously guarded.”

Wisconsin Bankers Association, 1999

“As a consumer, I am personally concerned about my name, address, telephone number, and financial information being on thousands of lists targeting me and my family for the sale of products and services I may not want or need.” Robert R. Davis, America’s Community Bankers, July 20, 1999

“At the same time, there are legitimate -- even essential -- reasons for business to share information.” Robert Davis

The Administration agrees.

III. Reasons for Data Transfers

Technology -- laptops more powerful than mainframes

Geographic changes -- national banking Product changes -- more lines of business Electronic payments -- credit & debit cards,

electronic deposit, Internet payments, electronic benefits

The vision for cross-marketing:

Marketing dream -- “every purchase the customer ever makes”

Economies of scope & scale One-to-one marketing -- precisely the

products the customer wants One-to-one marketing -- pricing based on

what consumer is willing to pay

Why data mining may maximize profits: Perhaps it is more profitable to mine the

data than to protect confidentiality Competitive pressures to use the available

data Customers benefit from one-to-one

marketing “Free flow of information” inevitable

“Free flow of information”

A noble goal, but do we mean it?– Security -- free flow to hackers?– Intellectual property -- free flow to pirates?– Privacy -- free flow to intruders?

Moral:– Many wonderful flows– Not all flows are wonderful, or inevitable

IV. Are there real privacy problems today? U.S. Bank case

– Information here from interrogatories -- public knowledge

– U.S. Bank has made major commitments for the future

600,000 checking account customers name, home phone & address, SSN, DOB,

product code, account number, routing & transit number

U.S. Bank (continued)

330,000 credit card customers name, home address & phone, last purchase

date, date opened, current balance, credit limit, YTD finance charges, last payment date, amount last payment, SSN, DOB, behavior score, bankruptcy score

U.S. Bank (continued)

Notice: “Periodically we may share our cardholder lists with companies that supply products and services that we feel our customers will value.”

Apparently no opt-out Apparently similar activities by other banks

What problems from U.S. Bank?

Data released for unrelated purpose -- a dental plan

“Negative option” by Memberworks:– Postcard then have 30 days to cancel– If not, then billed annual fee ($59.95)– Lots of complaints once fee taken out of

account

How do bankers react to this?

From my discussions -- majority view, strong negative reaction

“That shouldn’t happen” Minority view -- “Marketing is inevitable.

Get used to this.”

The challenge today:

Reinventing confidentiality in banking How to take advantage of data mining and

marketing opportunities, while maintaining customer trust?

What are new information and privacy best practices?

How, as a society, get those practices in place?

V. The Administration’s main proposals: Notice -- the bank’s policy Choice -- customers can say no to

“unrelated” uses Enforcement -- examiner authority as with

other consumer laws Anti-fraud: fight pretext calling and identity

theft, scrutinize risky data flows

Reasons for Confidentiality Rules: Reinforce strategic asset of trust -- like $50

rule for credit cards Hard to resist competitive pressures Hard to market to those who care about

privacy -- they’re not on the lists Truly sensitive data -- “every purchase

ever”

Why choice? Why opt-out?

Not “stopping all marketing”! Do respect choices of individuals who do

not want marketing or other transfers The price of opening an account should not

be undisclosed and unlimited data flows Consumers’ ability to choose creates

confidence, and less need for fear

Is choice workable?

As stated before, not all flows that are technically possible are desirable -- security, and IP, and privacy

Direct Marketing Association -- notice and choice or else expelled from DMA

Are the opt-out rules too broad?

Exceptions – extensive list in H.R. 10– Gensler testimony -- more for affiliates – regulatory discretion in H.R. 10– Administration will keep meeting with you

Within HCs -- “closely related to financial services,” and even “convenient” to that -- may include surprising businesses

VI. Is confidentiality in banking outdated?

No -- we can’t waste such a strategic asset Many new flows of information are good --

for customers and for profitability Some new flows are not good

– Identity theft and pretext calling -- SSNs and account numbers on the loose

– Reasonable expectations of customers are violated

What do bankers want?What does society want? Bankers want to be proud of their industry’s

practices -- give notice and live by those policies

Consumers want a sense of control and autonomy -- choice over their sensitive, personal information as it enters the database

What should you do next?

If none exists, name a responsible person in your organization

Take a personal interest in how your organization is handling the data of your customers -- leadership counts.

Do you, as an experienced banker (like Ted Putney) feel comfortable with what you are doing?

Next steps (continued)

Give notice of how you really handle customer information.

Give a choice to customers if you, or someone in your family, would want a choice.

Finally:

If you, as an experienced and informed banker, are proud of your practices:– Your employees will be proud– The press and regulators will be (mostly) quiet– Your customers will trust you, and banks

generally, as vital institutions for the information age.