http://www.intelligententerprise.com/010629/feat2_1.jhtml

To Protect and to Serve

Complying with privacy laws may also be an opportunity for better consumer preference management

By Darin L. Stewart


In the CRM age, sharing information among the divisions, partners, and affiliates of an enterprise is simply good business. A consumer with high credit card balances would appreciate being informed of debt-consolidation or refinancing options. The marketing department's consumer information could be critical in turning around a sales department slump. Home equity information from a mortgage department would be invaluable to a debt-consolidation campaign. Unfortunately, such practices may be illegal by July 1, 2001.

EXECUTIVE SUMMARY

Financial institutions are now legally obligated to let their customers dictate how they collect and share customers' nonpublic information. Compliance with privacy legislation can be a complex and extensive process of self-auditing, creating new policy, and continuous updating of consumer records. However, effective management of consumer preferences can turn a legislative burden into a customer service boon.

Legislation governing consumer privacy and information sharing is coming fast and furiously. In the 105th Congress alone, nearly 80 privacy-related bills were introduced, with even more slated for the following session. The capstone of these new laws is the Gramm-Leach-Bliley Act (GLBA), which has been referred to as "possibly the most important banking law passed since the Banking Act of 1933," the law that created the Federal Deposit Insurance Corporation (FDIC).

GLBA governs how any financial institution may share consumer information among its own affiliates, both internal and external, and with third parties. The legislation is extremely broad and covers any corporate entity engaging in financial activity with consumers. The act became law November 12, 1999, with mandatory compliance required by July 1, 2001. The law imposes two fundamental requirements: explicit notification of information-sharing policies and the means for customers to "opt out" of those practices.

To be in compliance with GLBA, financial institutions must deliver a copy of their privacy policies to their customers in a "clear and conspicuous" manner no later than July 1, 2001. Although "clear and conspicuous" has not been formally defined, most financial organizations agree that such notification should consist of a written copy of an institution's privacy policy and practices. The institution would then mail a copy to each and every customer.

This requirement, of course, presupposes the existence of a defined and articulated privacy policy, which is not necessarily a safe assumption. After all, concern over the potential lack of adequate privacy policies in the banking industry prompted both the FDIC and the Direct Marketing Association (DMA) to publish step-by-step guides to creating compliant privacy policies. (See Resources.) Both of these guides begin with the same step: information gathering.

COMPLYING WITH THE LAW

A self-audit is the first step toward compliance with any privacy legislation. Your institution must complete an exhaustive inventory of information gathering and sharing practices before it can articulate a privacy policy. With this information in hand, your organization can determine if its current information usage practices are in line with corporate goals and intentions, along with being in legal compliance. If not, your enterprise must develop, implement, and deploy new policies, practices, and systems. At the conclusion of this process, your company's legal department may articulate a formal information usage and sharing policy by merely documenting the results of the audit and the subsequent changes made. Once the policy has been delivered to customers, you must provide them with a reasonable mechanism to opt out, such as a toll-free number.

After customers begin responding to the notification, managing the plethora of responses and propagating them throughout the enterprise in a timely manner can be quite problematic. Most organizations maintain a variety of products, services, and lines of business - often managed in a decentralized manner from a host of locations - that may or may not interact with each other. Consumer preferences expressed at a single touchpoint are binding upon the enterprise as a whole, and you must adhere to them until the consumer modifies or revokes these preferences in writing. Therefore, your entire corporation must consistently recognize individual consumers and apply their preferences across all lines of business. The enforcing agencies can classify each individual mistake in applying a consumer's stated preferences as a separate violation of the law, with penalties assessed accordingly.

Your enterprise's notification and internal propagation must be done in a time frame that is consistent with the consumer's perceptions and expectations rather than an explicit legal requirement. While GLBA specifies only a "reasonable period" as the requirement for suppressing consumers who have decided to opt out, it would not be unreasonable for a customer to ask, "If a check can clear my account in 48 hours, why does it take 30 days for my opt-out to go into effect?" Meeting such expectations requires a structured and comprehensive approach to managing privacy data. However, any such system must go beyond the baseline of tracking responses to an initial opt-out notification.

Privacy and opt-out notification is not a one-time procedure under GLBA. Such notification must occur at least annually. In addition, if an organization's privacy policies change in any way that would let information sharing occur other than as previously described, the new policy must be sent to all customers. Under the new policy, your enterprise cannot share any information until the consumer has had a "reasonable opportunity" to opt out.

MANAGING PRIVACY PREFERENCES

Congress passed GLBA with three notification components - initial, annual, and revised policy - which were intended as a starting point for state-level privacy regulation. GLBA represents the current minimum requirement for consumer preference management. When you design a preference management solution, you must take both pending and existing legislation into consideration. For example, in addition to GLBA, 14 states currently have state attorney general consumer do-not-call lists. A single violation of such a list generally carries a $10,000 fine. Proposed legislation would require that your organization wait 30 days from the commencement of any customer relationship before sharing any information.

To meet privacy requirements and lay the groundwork for compliance with future laws, you need an interdisciplinary approach that cuts across the entire enterprise. Needless to say, this process can place a tremendous strain on the resources of any financial institution. However, if your enterprise handles preference management appropriately, this legislative burden can also be a boon by providing the means and justification to create informative consumer profiles specific to your organization's own customer base. Not only will the information acquired through GLBA compliance keep your institution out of legal trouble, it will also enable you to better service your customers and receive a positive response from them.

The linchpin of preference management is the same as that of all CRM-related endeavors: consistent recognition of an individual across an enterprise. In an ideal situation, a customer information file (CIF) would exist containing an organizationwide, unique identifier for each and every customer. You would then overlay that identifier on all records to create an enterprisewide cross-reference. Regrettably, full and accurate CIFs rarely exist. In most cases, only a partial CIF is available to cover certain lines of business while omitting others, or multiple CIFs will exist, each covering a subset of the enterprise. Additionally, any sort of customer identification across lines of business may be completely uncoordinated. Therefore, you must address each of these situations. Whether through brute-force reconciliation or the application of CRM techniques, you must develop a cross-reference that ties together all instances of a given customer enterprisewide.

INFORMATION INVENTORY
CONSUMER INFORMATION YOU MAY NEED FOR PRIVACY COMPLIANCE

An inventory of information gathering and sharing practices should include the following:
  • How you collect consumer information. Any mechanism that brings consumer information into the enterprise. Broad categories such as "mail" and "Internet" must be broken down into finer subcategories such as warranty registration, direct mail response, email, cookies, and so on.
  • Types of information collected. Both information volunteered by a consumer and information gathered through the course of customer transactions are equally subject to information sharing regulation and must be accountable.
  • How you use collected information. Maintain records of all internal information usage as well as the types of information you disclose or share and for what purpose.
  • Affiliates and third parties with which you share information. Analyze each third-party relationship to determine if information sharing is permissible under current and pending legislation. Additionally, you should scrutinize the third party's privacy policies.
  • Information policies regarding former and potential customers. Institutions are under the same privacy obligations to consumers who have severed their relationship as to those who remain active customers. This responsibility also extends to prospective customers with whom a relationship has yet to be established.
OFFER OPTIONS, NOT LIMITS

Although you must retain the appropriate level of information for each customer to meet legal requirements, you should avoid unnecessarily limiting your potential information gathering and sharing. Unfortunately, most organizations currently attempting preference management take an all-or-nothing approach: Either you can share a customer's information or you can't. Although such a conservative approach does meet legal requirements, it is unnecessarily restrictive. By retaining a finer granularity of preference information, your organization can eliminate only those points of contact and information sharing that a particular customer finds undesirable.

By offering consumers more options, an organization can identify which products and services interest customers the most: by indicating a desire, or at least a willingness, to receive relevant contact, customers give permission to share information in those areas. For example, a banking customer with a significant amount of consumer debt may not want to receive any credit card solicitations, but would be very interested in debt-consolidation services. You can greatly enhance campaign precision by retaining line-of-business-specific consumer preferences while avoiding privacy violations at the same time.

You can break down information-sharing preferences into two categories based on the nature of the recipient of the customer's information: internal or affiliate, and external or third party. Offer the consumer the opportunity to opt out of each category separately. Take your contact preferences to an even finer granularity: Rather than a single "do not contact" indicator, your organization should solicit individual preferences for each potential type of contact. In the case of "Do not call," you could offer a range of call times. For example, customers may not want to be called in the morning because they're preparing for work or getting their children ready for school, but would not object to a telephone solicitation in the evening. Rather than eliminating potential contact with a customer, you can manage consumer preferences at a detailed level and enable your marketing staff to determine when and how to most effectively reach a targeted consumer.

Once a consumer expresses a preference, you must organize and retain that preference in a manner that will let you retrieve and apply it throughout your business. Although a customer's preferences belong to that single individual across the enterprise, you will retrieve them through a variety of associations. Most individuals have multiple accounts - each potentially having its own set of contact information. Similarly, most accounts are held by more than one individual. As a result, you must store a given set of consumer preferences at the individual level so you can retrieve it at the account level. For example, bank customers may contact their mortgage representative and express a preference to be removed from the bank's mailing list. The mortgage account manager suppresses the individual for future mailings at the address given for the mortgage. Unfortunately, these particular individuals also have checking accounts with different addresses at which they soon receive unwanted mailings from the bank. Beyond federal and state penalties that may be levied, these customers' trust in the bank has just evaporated.

Additionally, you must decide how to handle joint accounts. An institution has the choice of sending either a single notice per account or individual notification to each person associated with an account. If a single notice is sent, the response to that notice must apply to all individuals associated with a given account. If separate notices are sent to every person on an account, you must retain and honor each individual response.

WATCH YOUR BACK

At some point, despite the best of practices, your organization will face a privacy violation claim. In order to successfully defeat such a claim, you must maintain an audit trail across all preference-related transactions by keeping historical versions of all expressed preferences. This process will also help customer service representatives explain to customers why the currently active preferences may not reflect what customers think they have expressed. These discrepancies are generally due to timing and coordination issues. For example, a customer may respond to an initial opt-out mailing expressing only a "do not share" preference. The day after mailing the response card, the customer has second thoughts, calls the bank, and requests "no sharing" and "no contact." This new preference may be recorded in the system long before receipt of the original mailed request. When the response card arrives, a system that simply applies preferences in order of receipt will let the older, less restrictive preference supersede the more recent and more restrictive one. A time-stamped record of when each preference was expressed, when it was entered, and from which source it came will easily clear up the situation. Without that record, your organization has just committed a privacy violation.
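The store sketched below is an added example, not code from the article or from Acxiom's Consumer Preference Solution. It ties together three points made above: preferences are recorded against the individual and looked up through an account-to-holder cross-reference (the mortgage/checking scenario), a single response to a per-account notice on a joint account is applied to every holder, and every expressed preference is kept as an append-only, time-stamped, source-tagged event so that the active preference is the one the customer expressed most recently rather than the one that happened to arrive last. The customer and account identifiers, the preference keys (`share:affiliate`, `share:third_party`, `contact:mail`), and all dates are constructed for the illustration; the card that leaves a "do not contact" box unticked is modelled as an explicit "allow" instruction, which is what makes the naive order-of-receipt resolution go wrong.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PreferenceEvent:
    """One expressed preference. Events are appended, never edited in place."""
    customer_id: str        # enterprise-wide customer key (the CIF identifier)
    preference: str         # e.g. "share:affiliate", "share:third_party", "contact:mail"
    opted_out: bool         # True = customer opted out of this sharing or contact
    expressed_at: datetime  # when the customer stated it (postmark, call time)
    received_at: datetime   # when it was entered into the system
    source: str             # "mail_card", "phone", "web", ...


class PreferenceStore:
    def __init__(self) -> None:
        self._events: List[PreferenceEvent] = []   # append-only audit trail
        self._holders: Dict[str, Set[str]] = {}    # account_id -> holder customer ids

    def link_account(self, account_id: str, customer_id: str) -> None:
        """Cross-reference an account to an individual (the CIF overlay)."""
        self._holders.setdefault(account_id, set()).add(customer_id)

    def record(self, event: PreferenceEvent) -> None:
        self._events.append(event)

    def history(self, customer_id: str, preference: str) -> List[PreferenceEvent]:
        """All events for one customer and preference, in order of receipt."""
        return sorted((e for e in self._events
                       if e.customer_id == customer_id and e.preference == preference),
                      key=lambda e: e.received_at)

    def current(self, customer_id: str, preference: str,
                order: str = "expressed") -> Optional[PreferenceEvent]:
        """Resolve the active preference.

        order="expressed" (default): the instruction the customer gave most recently
        wins, regardless of when it arrived.  order="received": naive last-writer-wins,
        which lets a slow mailed card roll back a later phone call.
        """
        events = self.history(customer_id, preference)
        if not events:
            return None
        if order == "received":
            return events[-1]
        return max(events, key=lambda e: (e.expressed_at, e.received_at))

    def opted_out(self, customer_id: str, preference: str) -> bool:
        cur = self.current(customer_id, preference)
        return cur.opted_out if cur else False   # nothing on file = not opted out

    def account_suppressed(self, account_id: str, preference: str) -> bool:
        """Suppress an account if ANY holder opted out.  Because the preference
        lives on the individual, an opt-out given to the mortgage desk also
        suppresses the same person's checking-account mailings."""
        return any(self.opted_out(c, preference)
                   for c in self._holders.get(account_id, set()))

    def record_account_response(self, account_id: str, preference: str, opted_out: bool,
                                expressed_at: datetime, received_at: datetime,
                                source: str) -> None:
        """Joint account answered with one per-account notice: apply to every holder."""
        for c in self._holders.get(account_id, set()):
            self.record(PreferenceEvent(c, preference, opted_out,
                                        expressed_at, received_at, source))

    def explain(self, customer_id: str, preference: str) -> List[str]:
        """Audit-trail lines a service representative can read back to a customer."""
        return [f"{e.received_at:%Y-%m-%d} received via {e.source}: "
                f"{'opt-out' if e.opted_out else 'allow'} (expressed {e.expressed_at:%Y-%m-%d})"
                for e in self.history(customer_id, preference)]


def build_sample_store() -> PreferenceStore:
    """Constructed sample data for the scenarios described in the text."""
    store = PreferenceStore()
    # c1 holds a mortgage (m1) and a checking account (k1) at different addresses
    # and tells the mortgage representative on 1 Aug: no more mailings.
    store.link_account("m1", "c1")
    store.link_account("k1", "c1")
    store.record(PreferenceEvent("c1", "contact:mail", True,
                                 datetime(2001, 8, 1), datetime(2001, 8, 1), "phone"))
    # c2 mails the card on 1 Aug (share: opt out; contact box left unticked = allow),
    # phones on 2 Aug asking for no sharing AND no contact; the card arrives 6 Aug.
    store.link_account("k2", "c2")
    for pref, card_out, call_out in (("share:third_party", True, True),
                                     ("contact:mail", False, True)):
        store.record(PreferenceEvent("c2", pref, call_out,
                                     datetime(2001, 8, 2), datetime(2001, 8, 2), "phone"))
        store.record(PreferenceEvent("c2", pref, card_out,
                                     datetime(2001, 8, 1), datetime(2001, 8, 6), "mail_card"))
    # j1 is a joint account of c3 and c4 that received a single per-account notice.
    store.link_account("j1", "c3")
    store.link_account("j1", "c4")
    store.record_account_response("j1", "share:affiliate", True,
                                  datetime(2001, 8, 3), datetime(2001, 8, 7), "mail_card")
    return store
```

With `order="received"`, `current("c2", "contact:mail")` returns the card's "allow" and the bank would contact a customer who asked not to be; the default expressed-time ordering returns the phone call's opt-out, and `explain()` gives the representative both entries with their dates and sources. Resolving by expressed time means the postmark or call time must itself be captured at intake, which is the record the text says to keep.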

Perhaps the biggest challenge of preference management is making consumer preference information available across the enterprise. The only reasonable approach to this dilemma is to establish a central, shared repository of all preference information. You can then enhance this data with external sources such as the DMA, state attorneys general, and third-party vendors.

Compliance with GLBA is simply a starting point. Laying a strong foundation for consumer preference management will help an organization comply with both current and emerging legislation and industry practices. Over and above keeping an organization out of legal trouble, respecting consumers' wishes on how their data is used and maintained is just good business.



DARIN L. STEWART [dastew@acxiom.com] is a senior architect and technical lead for Acxiom Corp. and is responsible for developing its Consumer Preference Solution service.


Resources
Direct Marketing Association's Privacy Policy Guidelines and Privacy Policy Generator
FDIC Privacy Rules
