Compliance with new regulations costs millions
By Lucas Mearian
(IDG) -- In an action that some industry experts say will be costly for the financial industry, federal regulators Monday will begin the task of checking financial firms to see if they are in compliance with the Gramm-Leach-Bliley Act, which requires financial firms to give their customers a choice on whether their personal information can be shared with outside companies.
Financial companies have already spent more than $400 million compiling privacy policies and identifying partners and third parties with whom they share data, according to Needham, Mass.-based TowerGroup.
By the time state and federal regulators finish enforcing the rules and requesting changes to both business and IT processes at financial institutions, the cost of compliance could swell to "Y2k proportions" if an "opt-in" clause is adopted by Congress, according to Christine Pratt, a TowerGroup analyst.
But beyond the rules set down by the new law, formally called the Financial Services Modernization Act, there is a push in Congress to amend the financial services legislation with a tougher set of rules.
Moreover, the new federal law doesn't limit the ability of states to adopt their own, stricter rules. That matters to bankers, brokers and insurers because stricter state laws would apply on top of the federal ones, leaving firms to comply with disparate sets of rules.
A patchwork of rules could cost individual companies millions of dollars for privacy databases and other measures and even more for revamping marketing plans.
The Gramm-Leach-Bliley Act, passed by Congress in the fall of 1999, was designed to break down the Depression-era barriers that have separated the business activities of banks, brokerages and insurance companies.
From a privacy perspective, the legislation requires banks, credit unions, investment companies and other financial institutions to prove they meet stricter new federal rules limiting the ways they can share customer information with third parties. The act mandates that companies let customers opt out of having their personal financial information shared with other unaffiliated firms.
"Consumers are starting to read these privacy notices, at least online, and making economic decisions based on what they see," said Patrick F. Sullivan, vice president of privacy and information policy at Waltham, Mass.-based security provider Guardent Inc. "If they don't like the policy, they're not going to spend their money there."
In preparation for Friday's deadline, many large financial services firms spent tens of thousands of dollars over the past several months on customer mailings asking clients if they were willing to have their personal financial information shared with third parties.
Regulators will now comb through the various mailings to determine if they were accurate in what they told customers, if they were clear in getting the message across and whether companies have set in place the systems to ensure customer information will be properly protected.
Sullivan said one study showed the majority of notices mailed out were written at the reading comprehension level of a third-year college student, which may not satisfy federal regulations that the policies be publicized in "clear and conspicuous" language.
But it's anybody's guess as to how many companies will be out of compliance.
"I don't think anybody knows. I'd venture to say it's very likely there will be problems," said Oliver Ireland, a privacy lawyer at Morrison & Foerster LLP in Washington and an adviser to banks and other financial services firms on the use of customer information.
But state laws may be another thing entirely.
For example, Vermont already has tougher privacy laws than are required under the act.
In addition, there's a push in Congress to strengthen the rules governing information-sharing and privacy.
Senate Commerce Committee Chairman Fritz Hollings (D-S.C.) is expected to refile a bill that would require financial services firms to obtain consumers' consent before sharing their personal information with third parties.
Sen. Paul S. Sarbanes (D-Md.), chairman of the Senate Banking Committee, has also submitted a bill that would force financial services firms to give customers an opt-out option even when seeking to share their financial information with affiliated firms.
Among other things, Sarbanes' bill, called the Financial Information Privacy Protection Act of 2001, would require an opt-in option for consumers when sharing some types of sensitive financial or medical information to either an affiliate or an unaffiliated third party.
Opt in would be far more expensive, not only in that companies would have more information to protect, but also "you've got to start building your marketing lists all over again," Sullivan said.
"Opt in would probably defeat one of the key reasons for [the Gramm-Leach-Bliley Act]," he continued, "which is to break down barriers between financial services institutions."