Banks balk at info-sharing provision in privacy law
Claim compliance with Calif. SB 1 will raise IT costs
Computerworld - Banks doing business in California are planning to appeal a recent federal court decision that lets the state enforce tough new provisions related to the sharing of customer information with affiliates.
The provisions are part of California's Financial Information Privacy Act, known as SB 1, which went into effect July 1. The law, which is hugely unpopular among financial service providers, requires banks to give customers the opportunity to opt out of cross-marketing programs in which their information is shared with affiliates such as mortgage and credit card companies.
Most financial companies in the state had expected that the affiliate sharing provisions in SB 1 would be preempted by existing guidelines in the federal Fair Credit Reporting Act of 1996, under which no such permission is required.
An attempt by the American Bankers Association, the Financial Services Roundtable and the Consumer Bankers Association to legally block the affiliate sharing provisions of SB 1 was rejected by a California Federal District Court judge in late June.
"We were certainly disappointed by that ruling," said Harvey Radin, a spokesman for Bank of America Corp. in New York. "The decision really makes it harder for our customers to do business with us." IT expenses associated with maintaining and processing customer preference information could contribute to increased costs, he added.
Under the law, companies have to send notices to all California-based customers and give them a chance to opt out of affiliate sharing. They must wait 45 days for replies. During that time, customer records have to be quarantined and can't be shared with others. Companies that share information with nonaffiliated third parties also need to get separate opt-in permissions.
From an IT standpoint, complying with the requirements means creating new database tables for recording information about when notices were sent out, when they were returned and a customer's preference, said Arshad Noor, CEO of StrongAuth Inc., an identity and compliance management company in Cupertino, Calif.
It also means putting policies in place "that spell out what business divisions need to do and a process for ensuring that they check this table before sharing any information with affiliates" and third parties, Noor said.
"Companies are making a huge effort to comply with the law. It caught a lot of them by surprise," said Fritz Elmendorf, vice president of communications at the Consumer Bankers Association. A lot of that group's members have "simply shut down cross-marketing activities" because they have not yet gone through the process of sending out notices, he said.
Notating the opt-out and opt-in selections on customer files "becomes complicated, time-consuming and expensive," given the separate systems that banks often maintain for mortgages, credit cards and deposit accounts, Elmendorf said. "Mergers often complicate this and compound it where there may be multiple systems in multiple states," he said.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Privacy White Papers | Webcasts