Banks balk at info-sharing provision in privacy law

Computerworld - Banks doing business in California are planning to appeal a recent federal court decision that lets the state enforce tough new provisions related to the sharing of customer information with affiliates.

The provisions are part of California's Financial Information Privacy Act, known as SB 1, which went into effect July 1. The law, which is hugely unpopular among financial service providers, requires banks to give customers the opportunity to opt out of cross-marketing programs in which their information is shared with affiliates such as mortgage and credit card companies.

Most financial companies in the state had expected that the affiliate sharing provisions in SB 1 would be preempted by existing guidelines in the federal Fair Credit Reporting Act of 1996, under which no such permission is required.

An attempt by the American Bankers Association, the Financial Services Roundtable and the Consumer Bankers Association to legally block the affiliate sharing provisions of SB 1 was rejected by a California Federal District Court judge in late June.

"We were certainly disappointed by that ruling," said Harvey Radin, a spokesman for Bank of America Corp. in New York. "The decision really makes it harder for our customers to do business with us." IT expenses associated with maintaining and processing customer preference information could contribute to increased costs, he added.

Under the law, companies have to send notices to all California-based customers and give them a chance to opt out of affiliate sharing. They must wait 45 days for replies. During that time, customer records have to be quarantined and can't be shared with others. Companies that share information with nonaffiliated third parties also need to get separate opt-in permissions.

Compliance Headaches

From an IT standpoint, complying with the requirements means creating new database tables for recording information about when notices were sent out, when they were returned and a customer's preference, said Arshad Noor, CEO of StrongAuth Inc., an identity and compliance management company in Cupertino, Calif.

It also means putting policies in place "that spell out what business divisions need to do and a process for ensuring that they check this table before sharing any information with affiliates" and third parties, Noor said.

"Companies are making a huge effort to comply with the law. It caught a lot of them by surprise," said Fritz Elmendorf, vice president of communications at the Consumer Bankers Association. A lot of that group's members have "simply shut down cross-marketing activities" because they have not yet gone through the process of sending out notices, he said.

Notating the opt-out and opt-in selections on customer files "becomes complicated, time-consuming and expensive," given the separate systems that banks often maintain for mortgages, credit cards and deposit accounts, Elmendorf said. "Mergers often complicate this and compound it where there may be multiple systems in multiple states," he said.