Just when consumers thought their financial secrets...

Just when consumers thought their financial secrets would be off-limits to companies making unsolicited marketing pitches, some of the nation’s biggest banks are using a legal loophole to share confidential information with outsiders, even if customers have instructed them not to.

Under new privacy rules, financial institutions must disclose the kinds of personal information they collect and give customers an opportunity to limit its release to outsiders. Banks are mailing nearly a billion privacy notices to comply with the regulations, which take effect next month.

But some banks and credit card issuers have found a way to continue sharing names, addresses, Social Security numbers and account information with outside firms that hawk financial products such as car insurance, credit cards, mortgages, brokerage services, credit card life insurance and roadside assistance plans. The disclosures apply even to customers who explicitly have opted out of having their information shared with third parties.

Financial institutions including First USA, Washington Mutual, California Federal Bank and Providian Financial Corp. reveal in their privacy policies that they may continue to share customer data with outside companies under so-called “joint marketing agreements,” an exemption that permits the release of customer data as long as the two companies have signed a written contract.

Under the little-noticed exemption--which was included to help small community banks and credit unions--customers do not have the right to prevent their information from being released.

“The joint marketing agreement is the loophole that could swallow the rule,” said Ed Mierzwinski, program director of U.S. Public Interest Research Group. “This is not what Congress intended. What good is opting out?”

Banks stress that the joint marketing exemption can be used only for financial products and that outside partners may not reuse the customer data for another purpose.

“There are protections embedded into the agreements,” said John Byrne, senior counsel of the American Bankers Assn. The provision enables banks to offer a greater variety of products to customers, he said. For example, a bank and another company could offer credit cards, or a credit card issuer might team up with an insurer to sell annuities or disability policies.

But privacy advocates say these are precisely the kinds of unsolicited marketing offers and information-sharing practices that many consumers are trying to stop.

The loophole is so broad that it might even cover the controversial information-sharing practices that spurred the new privacy law in the first place.

In 1999, it was revealed that U.S. Bancorp, Bank of America, Wells Fargo and other large financial institutions were sharing customer data with Stamford, Conn.-based MemberWorks Inc., a direct-marketing firm whose aggressive sales tactics have come under fire.

Customer outrage caused banks to halt the practice and led legislators to tighten privacy protections as part of the Gramm-Leach-Bliley Act, a sweeping financial reform law.

Since MemberWorks offers financial products, including insurance policies, through a licensed subsidiary, and it has contracts with its partners, the company could qualify as a joint marketing partner. That would mean bank customers could not opt out, according to L. Richard Fischer, a leading financial privacy attorney at Morrison & Foerster in Washington.

A spokesman for MemberWorks, which still counts Citibank and other large credit card issuers among its clients, declined to comment on whether it had forged any joint marketing partnerships under the new law. “There are confidentiality clauses in all our contracts,” said company spokesman George Thomas.

Not all banks are taking advantage of the loophole. Bank of America, Wells Fargo Bank, U.S. Bancorp and American Express allow customers to opt out of information-sharing with joint marketing partners, even though the law does not require it.

“We wanted to respect our customers’ choice,” said Wells Fargo spokeswoman Mary Trigg. “If our customers are opting out, they obviously don’t feel comfortable with us sharing their data.”

The exemption was created at the request of small banks, which said they needed joint marketing partners to compete with larger rivals that had broadened their product line by merging with insurers and securities firms.

“The idea was to give small banks the same ability to market products that a big bank could do internally,” Byrne said.

But the exemption has caught the eye of several big players, including the nation’s two largest S&Ls; and several top credit card companies.

“We wanted the flexibility to use outside telemarketing vendors to call our customers about products and services,” said Marc Loewenthal, chief privacy officer at San Francisco-based Providian, the nation’s No. 7 credit card issuer.

Providian’s privacy policy boasts that it does not share customer information with third-party marketers, but that does not include about a half-dozen outside telemarketing firms and vendors that have signed joint marketing agreements with Providian to sell vacation packages, prescription drug plans, buyer protection policies and buyer discount memberships.

Loewenthal said the company shares only customers’ names and telephone numbers, though its privacy policy reserves the right to disclose account balances, credit card lines and other transaction information.

Seattle-based Washington Mutual uses the exemption to disclose customer information to its credit card partner and to a firm that sells a service to help borrowers repay their mortgages faster.

Officials at Bank One, parent of First USA and the nation’s fifth-largest bank, say they use the exemption to share data with Hartford Insurance Co. to offer its customers credit card life insurance. “We might share information so we can make the offer, but it would be limited,” said Julie Johnson, the company’s chief privacy officer.

CalFed shares names, addresses and some account information with MBNA Corp., its credit card partner. Company officials said it allows customers to opt out of joint marketing agreements, even though its stated policy is to prohibit opt-outs. “That’s in case we change our mind later,” said Eric Kawamura, an attorney for CalFed.

Use of the exemption probably will fuel growing criticism over the banking industry’s privacy policies, which consumer groups say are confusing, long-winded and misleading.

A review by Privacy Rights Clearinghouse in San Diego found the policies so full of legalese that readers needed three to four years of college just to comprehend them. Some consumer groups have threatened to file complaints with the Federal Trade Commission, alleging the policies are “deceptive.”

So far, less than 5% of customers are opting out of information-sharing with third-party marketers, according to the ABA.

Fischer, who is helping many banks comply with the new law, said privacy policies are confusing because the law itself is complicated.

Under current financial privacy law, there are at least two categories of “personal information” and four types of companies with which a bank might share. Customers have different rights, depending on the type of information and the company involved.

“The problem is everybody, including Congress, tried to do too much,” Fischer said. He favors a simpler approach, in which customers have the right to opt out of information-sharing for any marketing purpose, regardless of the type of data or the company involved. “Everybody would be a lot better off,” he said, “if we didn’t have all these categories.”