Intelligent Enterprise

June 29, 2001

To Protect and to Serve

Complying with privacy laws may also be an opportunity for better consumer preference management

By Darin L. Stewart


In the CRM age, sharing information among the divisions, partners, and affiliates of an enterprise is simply good business. A consumer with high credit card balances would appreciate being informed of debt-consolidation or refinancing options. The marketing department's consumer information could be critical in turning around a sales department slump. Home equity information from a mortgage department would be invaluable to a debt-consolidation campaign. Unfortunately, such practices may be illegal by July 1, 2001.

EXECUTIVE SUMMARY

Financial institutions are now legally obligated to let their customers dictate how they collect and share customers' nonpublic information. Compliance with privacy legislation can be a complex and extensive process of self-auditing, creating new policy, and continuous updating of consumer records. However, effective management of consumer preferences can turn a legislative burden into a customer service boon.

Legislation governing consumer privacy and information sharing is coming fast and furiously. In the 105th Congress alone, nearly 80 privacy-related bills were introduced, with even more slated for the following session. The capstone of these new laws is the Gramm-Leach-Bliley Act (GLBA), which has been referred to as "possibly the most important banking law passed since the Banking Act of 1933," the act that created the Federal Deposit Insurance Corporation (FDIC).

GLBA governs how any financial institution may share consumer information among its own affiliates, both internal and external, and with third parties. The legislation is extremely broad and covers any corporate entity engaging in financial activity with consumers. The act became law November 12, 1999, with mandatory compliance required by July 1, 2001. The law imposes two fundamental requirements: explicit notification of information-sharing policies and the means for customers to "opt out" of those practices.

To be in compliance with GLBA, financial institutions must deliver a copy of their privacy policies to their customers in a "clear and conspicuous" manner no later than July 1, 2001. Although "clear and conspicuous" has not been formally defined, most financial organizations agree that such notification should consist of a written copy of an institution's privacy policy and practices. The institution would then mail a copy to each and every customer.

This requirement, of course, presupposes the existence of a defined and articulated privacy policy, which is not necessarily a safe assumption. After all, concern over the potential lack of adequate privacy policies in the banking industry prompted both the FDIC and the Direct Marketing Association (DMA) to publish step-by-step guides to creating compliant privacy policies. (See Resources.) Both of these guides begin with the same step: information gathering.

COMPLYING WITH THE LAW

A self-audit is the first step toward compliance with any privacy legislation. Your institution must complete an exhaustive inventory of information gathering and sharing practices before it can articulate a privacy policy. With this information in hand, your organization can determine if its current information usage practices are in line with corporate goals and intentions, along with being in legal compliance. If not, your enterprise must develop, implement, and deploy new policies, practices, and systems. At the conclusion of this process, your company's legal department may articulate a formal information usage and sharing policy by merely documenting the results of the audit and the subsequent changes made. Once the policy has been delivered to customers, you must provide them with a reasonable mechanism to opt out, such as a toll-free number.

After customers begin responding to the notification, managing the plethora of responses and propagating them throughout the enterprise in a timely manner can be quite problematic. Most organizations maintain a variety of products, services, and lines of business - often managed in a decentralized manner from a host of locations - that may or may not interact with each other. Consumer preferences expressed at a single touchpoint are binding upon the enterprise as a whole, and you must adhere to them until the consumer modifies or revokes these preferences in writing. Therefore, your entire corporation must consistently recognize individual consumers and apply their preferences across all lines of business. The enforcing agencies can classify each individual mistake in applying a consumer's stated preferences as a separate violation of the law, with penalties assessed accordingly.

Your enterprise's notification and internal propagation must be done in a time frame that is consistent with the consumer's perceptions and expectations rather than an explicit legal requirement. While GLBA specifies only a "reasonable period" as the requirement for suppressing consumers who have decided to opt out, it would not be unreasonable for a customer to ask, "If a check can clear my account in 48 hours, why does it take 30 days for my opt-out to go into effect?" Meeting such expectations requires a structured and comprehensive approach to managing privacy data. However, any such system must go beyond the baseline of tracking responses to an initial opt-out notification.

Privacy and opt-out notification is not a one-time procedure under GLBA. Such notification must occur at least annually. In addition, if an organization's privacy policies change in any way that would let information sharing occur other than as previously described, the new policy must be sent to all customers. Under the new policy, your enterprise cannot share any information until the consumer has had a "reasonable opportunity" to opt out.

MANAGING PRIVACY PREFERENCES

Congress ratified GLBA with three notification components - initial, annual, and revised policy - which were intended as a starting point for state-level privacy regulation. GLBA represents the current minimum requirement for consumer preference management. When you design a preference management solution, you must take both pending and existing legislation into consideration. For example, in addition to GLBA, 14 states currently have state attorney general consumer do-not-call lists. A single violation of such a list generally carries a $10,000 fine. Proposed legislation would require that your organization wait 30 days from the commencement of any customer relationship before sharing any information.

To meet privacy requirements and lay the groundwork for compliance with future laws, you need an interdisciplinary approach that cuts across the entire enterprise. Needless to say, this process can place a tremendous strain on the resources of any financial institution. However, if your enterprise handles preference management appropriately, this legislative burden can also be a boon by providing the means and justification to create informative consumer profiles specific to your organization's own customer base. Not only will the information acquired through GLBA compliance keep your institution out of legal trouble, it will also enable you to better service your customers and receive a positive response from them.

The lynchpin of preference management is the same as that of all CRM-related endeavors: consistent recognition of an individual across an enterprise. In an ideal situation, a customer information file (CIF) would exist containing an organizationwide, unique identifier for each and every customer. You would then overlay that identifier on all records to create an enterprisewide cross-reference. Regrettably, full and accurate CIFs rarely exist. In most cases, only a partial CIF is available, covering certain lines of business while omitting others, or multiple CIFs exist, each covering a subset of the enterprise. Additionally, customer identification across lines of business may be completely uncoordinated. Therefore, you must address each of these situations. Whether through brute-force reconciliation or the application of CRM techniques, you must develop a cross-reference that ties together all instances of a given customer enterprisewide.
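The following is an added illustration, not code from the article, of the cross-reference and preference propagation described above: two partial, uncoordinated CIFs are reconciled onto one enterprise-wide identifier, the latest written opt-out instruction recorded at any touchpoint is applied to every line of business, and a planned sharing campaign is audited for records that would breach an opt-out. All data is constructed, and the records are assumed to be reconcilable on a single normalized taxpayer-id field (a simplifying assumption; real reconciliation is far messier).

```python
from datetime import date

# Constructed sample data: two partial customer information files (CIFs),
# one per line of business, each with its own local customer identifiers.
# The taxpayer_id values are placeholders, not real identifiers.
MORTGAGE_CIF = {
    "M-101": {"name": "Ana Ortiz", "taxpayer_id": "tin-0001"},
    "M-102": {"name": "Ben Lee", "taxpayer_id": "TIN-0002"},
}
CARD_CIF = {
    "C-7": {"name": "A. Ortiz", "taxpayer_id": "TIN-0001"},  # same person as M-101
    "C-8": {"name": "Cy Dubois", "taxpayer_id": "TIN-0003"},
}
CIFS = {"mortgage": MORTGAGE_CIF, "card": CARD_CIF}

# Constructed opt-out events as (lob, local_id, opted_out, date_received).
# Ben Lee opts out via the mortgage desk, then revokes it in writing later.
EVENTS = [
    ("card", "C-7", True, date(2001, 7, 3)),
    ("mortgage", "M-102", True, date(2001, 7, 2)),
    ("mortgage", "M-102", False, date(2001, 7, 5)),
]

# Constructed debt-consolidation campaign drawn from two lines of business.
PLANNED_SHARES = [("mortgage", "M-101"), ("mortgage", "M-102"), ("card", "C-8")]


def build_crossref(cifs):
    """Overlay one enterprise-wide id on every LOB record.

    Reconciles on the normalized taxpayer id (assumed reliable here) and
    returns {(lob, local_id): enterprise_id}.
    """
    enterprise_ids, crossref = {}, {}
    for lob, cif in cifs.items():
        for local_id, rec in cif.items():
            key = rec["taxpayer_id"].strip().upper()
            eid = enterprise_ids.setdefault(key, f"E{len(enterprise_ids) + 1:04d}")
            crossref[(lob, local_id)] = eid
    return crossref


def apply_opt_outs(crossref, events):
    """The latest written instruction per enterprise id governs every LOB."""
    prefs = {}
    for lob, local_id, opted_out, when in sorted(events, key=lambda e: e[3]):
        prefs[crossref[(lob, local_id)]] = opted_out
    return prefs


def sharing_violations(crossref, prefs, planned_shares):
    """Return planned (lob, local_id) shares that would breach an opt-out."""
    return [s for s in planned_shares if prefs.get(crossref[s], False)]
```

Running the audit on the constructed data flags only the mortgage record for Ana Ortiz, whose opt-out was received at the card touchpoint, while Ben Lee's revoked opt-out no longer blocks sharing.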