Privacy Law Requires Hard Work
The 1999 privacy act means banks must make an ongoing effort to communicate with customers
Agnes Bundy Scanlan has spent the last two years trying to make FleetBoston Financial Corp. a company that respects consumer privacy. On July 1, the $200 billion Boston financial-services firm met the deadline for revamping business processes and policies to comply with the consumer privacy protection requirements of the Gramm-Leach-Bliley Act.
But corks didn't pop just because Fleet's privacy team brought the company into compliance on time. Bundy Scanlan, managing director and chief privacy officer, says that even though she began a compliance strategy for the act shortly after she joined FleetBoston in September 1999, compliance with the law is an ongoing effort that requires regular communication with customers, partners, and each line of business. Going forward, Bundy Scanlan anticipates having to deal with changes to the law, particularly regarding Internet banking.
The idea behind the Gramm-Leach-Bliley Act, passed in November 1999, is to let banks merge with securities or insurance companies. But the act includes a privacy-protection clause that has had financial-services firms scurrying to educate their employees, write new privacy policies, and inform customers how they use the personal data they collect.
FleetBoston's privacy initiative officially started in the fall of 1999 when Bundy Scanlan began holding divisional staff meetings to educate employees on the law. Despite her background as an attorney and Congressional staff member, Bundy Scanlan required regular clarification on the law from privacy attorneys and from the Office of the Comptroller of the Currency, which charters, regulates, and supervises all national banks. She recruited employees within each line of business to form task forces to help contribute to a companywide privacy policy that would best serve both the company and that unit's needs. In all, she formed 17 teams, composed of about 200 of the company's 50,000 employees.
Coordinating with the IT department was crucial, so Bundy Scanlan recruited a staff member familiar with the bank's systems to work full-time on her team. One of the biggest IT challenges was assessing the disparate stores of customer data across the various divisions and determining how to reconcile them. The company also had to determine how to improve data collection and analysis.
That's a huge challenge for the financial-services industry, which has undergone significant consolidation during the past few years and is notorious for developing proprietary systems, says Randi Purchai, a financial-services analyst at AMR Research. "These companies could have 40 or more major systems that in some way are involved in customer data," she says.
One problem had to do with updating customer contacts. Because of the various information sources, the team had to work with legal advisers to make sure they treated customer preferences in the way the customer requested. "One thing we quickly learned is that we had several sources of information on customer preferences for contact," Bundy Scanlan says. For example, a tail-chasing exercise might involve how to contact a customer to update that person's preferences if the person at one time told one of FleetBoston's business units that he or she didn't want to be contacted. "If we're trying to update our system and preferences, how do we contact that person?" Bundy Scanlan asks.
FleetBoston's privacy work paralleled Y2K efforts, privacy officer Bundy Scanlan says.
As the IT staff worked on technology issues last fall, Bundy Scanlan met with the heads of the business units who were members of her privacy council. She also established a corporate privacy office, along with two committees that held monthly meetings to develop and refine the strategy. The first step was to write the company's new privacy policy; it took seven pages to detail FleetBoston's approach to the issue, and it requires some careful reading.
FleetBoston's new privacy policy states the company won't share nonpublic customer data with nonaffiliated third parties for marketing purposes unless the customer authorizes it to do so. However, the company will share data as needed with outside parties to process transactions. And within FleetBoston's family of companies, all data is fair game. So if a customer comes up with a below-average credit rating and is turned down for a loan by the mortgage division, that information and history can be sent to the credit-card division, which can then try to sell the customer a credit-building charge card.
The privacy team began to train employees on how their jobs would change under the new policy. And each line of business had to contact partners to reassess current data-sharing practices. "The complexity was the same as the Y2K bug, only we didn't have as much time to prepare, and we weren't able to pinpoint where there would be problems," Bundy Scanlan says.
For a while, business partners were part of the problem. Under the act, FleetBoston was required to evaluate its contracts with thousands of partners and vendors to ensure that their privacy policies matched its own. "Our credit-card company alone has 700 contracts for outside services," Bundy Scanlan says. If FleetBoston shares data with a marketing company within the guidelines of its own privacy policy, it must also ensure that the partner doesn't resell that information because that would nullify FleetBoston's privacy policy. "We made the decision not to have relationships with some partners because our policy conflicts with theirs," Bundy Scanlan says. "But this is an entire industry change--we're having to figure out different ways to market ourselves, and our vendors and partners have to be more creative, too."
The act requires that financial companies inform customers of situations in which data sharing could occur and give them the chance to "opt-out" to prevent their personal data from leaving the corporate servers. But Fleet decided it wouldn't share any personal customer data with partners for marketing purposes unless the customer authorizes it to do so, an "opt-in" strategy that likely would reduce the data it has available to share. Marketing firms that depend on customer data from FleetBoston threatened to end the relationship, but that attitude changed as other financial institutions began adopting similar data-sharing practices. Most partners realized they needed to change their business strategies and look to public sources, such as voter-registration logs, for data.
In March, Bundy Scanlan set the third phase of the implementation into motion: educating the customer. Because Bundy Scanlan viewed FleetBoston's privacy policy as a way to gain customer loyalty, this was a top issue. "We want to communicate to our customers that we have a proactive privacy policy," Bundy Scanlan says. "It's a competitive stance."
Each division planned staggered mass mailings to customers to explain the policy, which meant any individual who was a customer of five FleetBoston divisions would receive five privacy statements. The company also set up toll-free numbers and staffed call centers to handle a potential flood of phone calls from each mailing. FleetBoston began to mail about 1 billion privacy policies--common-language statements, not legalese--and waited for the phone to ring. So far, the response has been less than anticipated--about 1.7%. Bundy Scanlan suspects it may have to do with the fact that, during the past few months, consumers have received so many privacy statements they aren't reading them or taking the time to respond.
In the next few months, regional examiners will visit the company to evaluate FleetBoston's compliance with the act. Bundy Scanlan has revisited business units to see what worked and what didn't, and she's looking for ways to update the privacy policy. She's set to communicate with customers via telephone surveys and focus groups to find more ways to improve FleetBoston's policies and practices. And the company is hiring a senior IT member to work full-time on ensuring customer trust, in part by maintaining security across networks and databases. Says Bundy Scanlan, "We have to continue doing whatever it takes to garner trust."