SWEEPING CONSUMER BILL FOUR YEARS IN THE MAKING
The Press Democrat
FINANCIAL PRIVACY LAWS
FEDERAL:
In 1999, Congress included the following provisions in the Gramm-Leach-Bliley Financial Services Modernization Act:
– Financial institutions required to notify customers once a year of their privacy rights.
– Financial institutions required to tell customers how to “opt out” or stop the company from selling or sharing their personal information with another company. However, customers could not stop companies from sharing information with affiliates.
– States urged to pass stronger laws to protect financial privacy.
STATE:
The law signed by Gov. Davis last week goes beyond the federal law in key ways:
– Companies need their customers’ permission — that is, customers have to “opt in” — before institutions can sell or share information with an outside company. Under existing federal law, they can sell or share unless the customer objects.
– Companies can sell or share with affiliated companies unless their customer objects. Under existing federal law, customers don’t have the option to object.
PRIVACY ENDANGERED
Some high-profile financial privacy cases have spurred demands for tougher laws:
– In 1998, NationsBank, now Bank of America, and its affiliated brokerage arm, NationsSecurities, agreed to pay $6.75 million to settle charges by federal banking and securities regulators that they used false and misleading information to sell risky and unsuitable investments to bank customers, many of them elderly. As a result, NationsBank imposed new limits on the use of its private data.
– In 1999, U.S. Bancorp agreed to settle a lawsuit filed by the Minnesota attorney general contending it violated consumer protection laws by selling customers’ financial information to an outside telemarketing company, including Social Security numbers, account balances, names, addresses, checking and credit card numbers, average account balances, finance charges and credit limits. U.S. Bancorp did not admit wrongdoing, but it agreed to pay $3 million and stop working with outside telemarketers selling nonfinancial products.
– In 2000, Chase Manhattan Bank settled a lawsuit filed by the New York attorney general accusing the bank of deceiving as many as 18 million customers by selling 20 items of information about them to four marketing companies that sold a variety of products, from seeds to magazine subscriptions. The bank received a 24 percent commission on sales. Chase Manhattan denied wrongdoing but agreed to stop the disclosures and reimburse the attorney general for legal costs.
– In 2001, a Malibu man pleaded guilty to federal credit card fraud charges after he bought 3.7 million credit card numbers from Charter Pacific Bank in Agoura Hills and charged 800,000 accounts for $37 million in services the cardholders did not order. The bank denied any wrongdoing but said it would stop selling credit card numbers to merchants.
– In 2001, Fleet Mortgage agreed to pay restitution to settle a lawsuit filed by the Minnesota attorney general alleging that Fleet sold customers’ home mortgage account numbers and other information to telemarketing companies. The companies led consumers to believe they were agreeing to a free trial in a discount club, but they were billed when they didn’t cancel within 30 days, the lawsuit said. Fleet admitted no wrongdoing.
– In 2002, Citibank agreed to pay $1.6 million to settle with 27 state attorneys general, including California’s, over charges that it sold its customers’ personal data to telemarketers who charged many credit card accounts for products without the customer’s consent. Without admitting wrongdoing, Citibank also agreed to ensure that companies using the bank’s customer lists protect consumers.
(Source: Press Democrat research including Securities and Exchange Commission, attorneys general, Federal Trade Commission, Department of Justice and companies themselves.)
LONG ROAD TO BECOMING LAW
Nov. 12, 1999: Federal bank deregulation legislation allows banks, stockbrokerages, insurance and other financial companies to combine to offer one-stop shopping. It requires them to notify customers once a year that consumers have the right to refuse to let them sell or share their private financial information with other companies. But sharing information with affiliates or with companies that the financial institution has authorized to provide products or services to the customers is allowed.
January 2000: Assemblywoman Sheila Kuehl, D-Santa Monica, and state Sen. Jackie Speier, D-San Francisco, introduce the first of several unsuccessful bills that would require financial institutions to get permission from consumers before sharing or selling their information to any affiliated or unaffiliated company. Both bills fail.
February 2001: Assemblywoman Hannah-Beth Jackson, D-Santa Barbara, and Speier introduce financial privacy bills. Jackson’s bill fails in May.
June 2001: Assemblywoman Pat Wiggins, D-Santa Rosa, causes a consumer uproar when she refuses to vote for Speier’s bill in the banking committee, saying it is unfair to community banks and thrifts.
July 2001: Wiggins votes for the legislation in the banking committee after a provision was added to exempt community banks and thrifts, including all those headquartered in Sonoma, Mendocino and Lake counties.
September 2001: Speier’s bill dies in the Assembly.
January and February 2002: Assemblyman Joe Nation, D-San Rafael, and Speier introduce financial privacy bills. Both bills fail.
December 2002: Speier and Senate President Pro Tem John Burton co-author SB1, yet another financial privacy bill.
March 2003: Senate approves SB1, which goes to the Assembly. Wiggins is appointed chairwoman of the Assembly Committee on Banking and Finance. She begins months of efforts to pass financial privacy legislation.
At the same time, E-Loan chief executive officer Chris Larsen says supporters are collecting signatures for a March 2004 ballot initiative that would require financial institutions to get customer approval before sharing their information with affiliated or non-affiliated companies.
June: Assembly Banking and Finance Committee kills SB1. Wiggins votes in favor of the bill.
July 30: Larsen’s coalition says supporters have collected enough signatures to qualify their initiative for the ballot.
Aug. 14: Speier holds a news conference with representatives of financial institutions, who announce they will withdraw their opposition to SB1.
Aug. 18: The Legislature returns from summer recess. Three committees and the Assembly approve SB1.
Aug. 19: Senate approves AB1.
Wednesday: Gov. Gray Davis signs SB1. Privacy rights activists hold press conference in Washington, D.C., to draw attention to proposed federal legislation backed by financial institutions and the Bush administration that would override parts of SB1.
————–
When Kasum Kumar and her daughter, Karishma, walked into the downtown Santa Rosa branch of Exchange Bank on Thursday to discuss a financial issue, they fully expected that their banking information would be kept private.
Exchange Bank and other local banks say they don’t share information without a customer’s consent. “We don’t share information. … We never have,” said Robert Wallace, director of risk management for Exchange Bank.
But other, often larger financial institutions do share information, sometimes too freely. And last week, after four rocky years of debate in Sacramento, the nation’s toughest new financial privacy legislation was signed into law.
The resulting law was a win for consumers and was fair to small banks that don’t share information and large institutions that do, some experts said.
“Consumers got the best part of what they wanted. The banks … got the same cost for everybody,” said Patrick Kilkenny, chief executive of National Bank of the Redwoods in Santa Rosa.
The certainty of a bank customer’s privacy — for information like account balances, Social Security numbers and credit history — is likely to get much stronger after Gov. Gray Davis signed the new privacy bill Wednesday. As a result, starting next year, consumers will have much more control over how their financial records are used.
But the war to protect consumers is not over.
Attention now shifts to Washington, D.C., where the largest U.S. banks, insurance companies and stock brokerages are lobbying for federal legislation that would pre-empt the new California law before it goes into effect July 1, 2004.
“We want to be clear that CBA would much prefer a national standard to a patchwork of state or local privacy laws,” the California Bankers Association said in a statement.
The attention being given to financial privacy signals a nation that is becoming increasingly focused on protecting itself from intrusion, as telemarketers, spam and growing electronic commerce leave consumers feeling they are losing control over their most private information.
When some banks and other financial institutions started selling and sharing information about their customers — even when the purpose was to help customers get products and services they might want — consumers dug in their heels.
“There’s a privacy revolution going on in this country, and it is starting here in California,” state Sen. Jackie Speier, D-San Francisco, said in a statement. Speier led the four-year effort to get more stringent privacy protection.
For the first time, financial institutions will have to get their customers’ permission before sharing their personal information with other companies. And they’ll have to give customers a chance to block distribution of their information to affiliated companies.
Bankers typically share information — customer addresses, bank balances, buying habits — with mutual fund, insurance, marketing and credit card companies so they can offer their customers a wider range of products. But some banks have sold customer information to telemarketers, leading to the consumer backlash.
The bill will have a limited effect on community institutions headquartered in Sonoma County.
Executives at the county’s three largest commercial banks — Exchange Bank, Sonoma National Bank and National Bank of the Redwoods — and at Redwood Credit Union, the region’s largest credit union, said last week they do not share private customer information unless the customer first agrees.
Kilkenny said Assemblywoman Pat Wiggins, D-Santa Rosa, who as chairwoman of the Assembly Banking and Finance Committee played a major role in the bill’s passage, held meetings with local bankers to hear their concerns about the impact of the privacy legislation. Kilkenny said not a single bank at those meetings “indicated they were in an arrangement where they were providing names to a third party without the knowledge of their customer.”
Many do offer services other than banking through affiliates or third-party companies, but they don’t give customer information to those companies unless the customer agrees, they said.
Meanwhile, consumer activists last week launched the Washington phase of the privacy campaign when they showed up in the nation’s capital with an enlarged version of President Bush’s Social Security card and personal information about other top Bush administration officials.
“Banks and insurers should not be able to go to Washington as an end-run around the most protective state privacy laws,” said Jamie Court, executive director of the California-based Foundation for Taxpayer and Consumer Rights.
The struggle over financial privacy began in November 1999 with the passage of the Gramm-Leach-Bliley Financial Services Modernization Act, which said banking, securities and insurance companies could merge for the first time since the Great Depression.
Realizing that the mergers raised privacy concerns, Congress also included the following provisions:
– It required financial institutions to notify customers once a year of their privacy rights. These are the often-confusing privacy notices consumers began receiving by mail two years ago.
– It required financial institutions to tell customers how to “opt out” or stop the company from selling or sharing their personal information with another company. However, customers could not stop companies from sharing information with affiliates.
– It encouraged states to pass stronger laws to protect financial privacy.
California legislators, led by Speier, took Congress up on the offer, and two months later they introduced their first privacy bills. The bills took a much tougher approach than Gramm-Leach-Bliley. They required customers to “opt in” or give their permission before financial institutions could share information with other companies or with their own affiliates.
That set off a four-year battle between consumer advocates and the financial services industry — mainly large banks, insurance companies and stock brokerages — which has spent more than $20 million in campaign contributions and lobbyists to fight the privacy bills, according to Speier.
Even after Speier compromised, by permitting institutions to share information with affiliates unless customers objected, the industry fought the privacy legislation.
But the battle came to an abrupt end last week after a coalition supporting a privacy initiative funded by Chris Larsen, chief executive of online lender E-Loan in Dublin, announced that it had collected more than enough signatures to qualify for the March 2004 ballot. Tougher than Speier’s bill, it would have required financial institutions to get customers’ permission before sharing or selling information with other companies or affiliates. Initiative backers agreed to drop the ballot measure if Speier’s bill passed.
Polls showed voters were likely to approve the initiative, and banks and other financial institutions quickly dropped their opposition to Speier’s bill, SB1.
Instead, they are shifting their attention to Washington in support of HR 2622, which would help prevent identity theft but also would prevent states from having their own financial privacy laws. The Fair Credit Reporting Act, which preempts new state privacy laws, is scheduled to expire at the end of this year and HR 2622 would extend the provision permanently.
Major financial institutions also will look to federal regulators to intervene to enforce the supremacy of federal laws.
The new state law signed by Davis last week goes beyond the federal law in key ways:
– Companies have to get their customers’ permission — that is, customers have to “opt in” — before institutions can sell or share information with an outside company. Under existing federal law, they can sell or share unless the customer objects.
– Companies can share with affiliated companies unless their customer objects. Under existing federal law, customers don’t have the option to object.
The financial services industry has argued against the “opt-in” provisions, which they said make it too hard for them to offer a variety of products and services to their customers.
They argued they were spending a lot of money to comply with the Gramm-Leach-Bliley privacy provisions and it would be very costly to meet separate standards in California — costs they would have to pass on to consumers. They argued for uniformity nationwide.
They said that in the Internet age, financial institutions are by no means the biggest threat to personal privacy.
Consumer advocates countered that it was outrageous for companies to distribute private financial information without explicit permission — especially in California, where half of the people keep even their telephone numbers off the record.
Information that could be shared includes buying habits and past purchases, account balances, credit history, deposits, checking account transactions, Social Security numbers, names, addresses and even medical information gleaned from health care purchases paid for by check or credit card.
They said the unauthorized sharing of this kind of information increased the possibility of identity theft and also led to unwanted telemarketing, such as in 1999 when it was revealed that U.S. Bancorp, Bank of America, Wells Fargo and other large financial institutions were sharing customer data with direct-marketing companies. All have since ceased the practice.
Community bankers, which include 11 banks and thrifts headquartered in Sonoma, Lake and Mendocino counties, jumped into the fray when early versions of the California bills required companies to get customer permission before sharing confidential information with another company but not before sharing with their own affiliate.
That could have hurt community bankers who don’t have affiliates. If, for example, they wanted to offer insurance to their customers, they would have to contract with an outside company — and get customer permission to give information to that company. But financial conglomerates with their own insurance affiliates could readily share customer information with them without telling customers.
The bill signed last week by Davis resolves that problem by treating big and small companies the same.
Kilkenny said North Coast bankers will be watching upcoming proceedings in Washington closely to see that any federal legislation continues to treat community banks fairly.
“After all the work that’s been done — to think that it could possibly all be for naught,” said Wiggins.
————–
Library researcher Michele Van Hoeck and the Associated Press contributed to this report. You can reach Staff Writer Mary Fricker at 521-5241 or [email protected]