Privacy? Don’t Bank on It

Congress is nearly done with an overhaul of U.S. banking law that will allow banks, insurance companies and stockbrokers to get into each other’s businesses. The reform measure, which is expected to be enacted this week, is a boon for the financial industry, but a mixed bag for consumers. On the plus side, consumers will find one-stop shopping for financial services more convenient, and, presumably, cheaper. But the reform measure fails to protect customers’ financial and medical privacy. With little restraint, a bank will be able to share all the information it has about its depositors and credit card holders with affiliated insurance companies and brokerages.

Federal financial regulators, including the Federal Reserve Board and the Comptroller of the Currency, have recognized that unrestrained disclosure of financial data, which consumers rightly consider confidential, raises serious privacy questions. The very limited “opt-out” provision in the legislation, which gives customers the right to deny disclosure to third parties, does not go nearly far enough, though it is better than no restraint at all. It will be up to bank regulators and agencies overseeing business practices to keep a sharp eye on the new financial conglomerates and crack down on abuses. Insurance companies merging with banks, for instance, should be prohibited by regulators from sharing medical information about their clients.

The banking reform legislation is intended to repeal a Depression-era banking law, the Glass-Steagall Act, that prohibited banks from selling insurance or securities. It is expected to trigger a wave of mergers, creating large financial supermarkets.

To the conglomerates, the ability of one branch to share customer data with another is extremely valuable. Large depositors, for example, will be hot prospects for stockbrokers. That’s why banks spent millions of dollars on lobbyists to prevent the inclusion of a stronger privacy provision. Still, the new law will be an improvement on current privacy protection. Banks had been routinely peddling customers’ financial data to third parties, in some cases to criminals who then defrauded the customers. Only after criticism by regulators and a blizzard of adverse publicity did some banks adopt voluntary opt-outs, allowing customers to forbid such sales. The new law would make such opt-outs obligatory, and regulators should make sure that information is provided to customers in a clear, uncluttered way with a very simple way to respond. States will be free to enact stronger privacy protection laws, and the California Legislature should do so at the earliest opportunity, ideally requiring banks to ask customers’ permission before sharing sensitive data.

There is little hope of including stronger privacy safeguards in the federal bill at this late stage. But banking regulators must, through their implementation and supervision powers, ensure that banks do not abuse the little privacy that remains with consumers.