Imagine competing in a race, straining in an all-out sprint to the finish line--only to discover that the wire is the starting line for yet another race--one that starts before you even can catch your breath.
Why imagine this? You're probably living it.
For this is what the banking industry faces as it comes down the stretch in meeting the privacy requirements of the Gramm-Leach-Bliley Act. The new regulations will be difficult to implement--most banks will be grateful for every day of preparation between now and the extended effective date of July 1, 2001.
They will not, however, have the luxury of collapsing at the finish line. Gramm-Leach represents just the first few miles of a marathon the industry will be running for years to come, as new laws, regulations, litigation, and public pressures create ever-growing demands.
Begin as you mean to go on
Decide how you want to use customer data, today and tomorrow. The new law's provisions are driven largely by concern about banks selling customer data to third parties for a fee. Some banks do this, but many do not. Those that do not still face extensive compliance challenges under the new regulations, but may feel that privacy regulation is aimed more at others than at them. In the short term, they are right. Longer term, though, the privacy issue will expand to address more and more.
If your bank is evolving toward intensive use of customer information as a way of doing business, it must look beyond the July deadline. Here are three examples of such data use.
* A customer relationship management (CRM) strategy that seeks to create a "one-to-one " relationship with each customer to custom-tailor products, price, and convenient delivery;
* Expanded use of risk-based or relationship-based pricing, in which customer data is gathered and modeled to set rates and fees on an individual basis; and
* On-line data gathering--i.e., analyzing what web customers show interest in, combining this with other data about them, and using the information to offer them certain products or services.
All of these activities raise privacy issues even if done within the bank. If done using data pooled among the bank's affiliates, these activities may trip the Fair Credit Reporting Act's privacy rules. If done using data from nontraditional insurance and brokerage affiliates, they raise still more issues. And again, most of these practices are largely untouched by Gramm-Leach-Bliley.
Acknowledge a changed world
Banks can--and should--argue that new uses of customer data will generate valuable customer benefits. However, if these come at the cost of lost privacy, many customers will balk. Further, the shift toward individualized products and pricing will create losers as well as winners, eliminating cross-subsidies built into today's pricing. When customers face a loan denial or a higher rate because the bank has used information people thought was private, more controversy will erupt.
The new privacy regulations take a step toward this in their disclosure and opt-out provisions. But again, these focus mainly on whether the bank will sell data. A smarter strategy is to disclose and give choices about all the ways in which the bank may use information that the customer might consider sensitive.
Meanwhile, banks that do not plan to use customer data for anything beyond the specific purpose for which they received it may want to make that well understood. If they believe customers prefer very limited use of their data, they can disclose and publicize a policy that offers the highest privacy protection. …