Gramm-Leach-Bliley: Changes in Responsibilities
With the enactment of the Gramm-Leach-Bliley Act, which repealed the Glass-Steagall Act, financial institutions now have additional opportunities to expand the nature of the financial services provided to the public. But, as we have all told our own children on occasion, with these new opportunities come new responsibilities. Principal among the opportunities is affiliation with securities brokers. Banks will not be considered securities brokers if certain precautions are taken to ensure that depositors are not misled in their purchase of uninsured securities. One specific provision allows brokers or dealers to provide their services in the bank facility, but the service area must be "in an area that is clearly marked and, to the extent practicable, physically separate from the routine deposit taking activities of the bank." This restriction brings to mind the alleged scenario in which a major Arizona savings bank sold uninsured securities in the main lobby of its facilities, and customers, frequently retired persons, often assumed they were dealing with an insured financial institution. The customers were unpleasantly surprised when the securities lost value. The availability of securities brokers in banking facilities is an interesting opportunity, but significantly more institutions will be affected by the new privacy responsibilities that come with the ability to associate with other providers in the financial services industry.
Confidentiality of customer account information has always been a high priority for the banking industry. Given the new opportunities for increased services, there is expected to be pressure from within the institution or from third parties to provide financial information in the quest for new customer relationships. This potential pressure was anticipated, and the legislation requires the regulators to establish standards to "insure the security and confidentiality of customer records and information; to protect against any anticipated threats or hazards to . . . such records; and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer" [author's emphasis added].
The legislation does not prevent all disclosure of nonpublic customer information. Banks may continue to provide information, with certain conditions, to third parties for the purpose of marketing the bank's own services and products, but account number or access code information cannot be disclosed to any nonaffiliated third party for use in telemarketing, direct mail marketing or marketing through the electronic media.
There continue to be some exceptions to the nondisclosure rules. Banks may disclose account information to effect a transaction requested by the customer or if the customer requests that the information be shared for a specific transaction. Fraud prevention and security activities are valid reasons for disclosing customer information, and providing data to agencies rating the institution for insurance purposes or assessing compliance with industry standards remains a valid reason for disclosing customer data.
The major change in responsibility for handling customer account information appears to be how customers are informed of their right to keep their account information private. Institutions may release this type of information if they inform current and prospective customers that such information may be disclosed and the customer has the opportunity, before the information is disclosed to a third party, to request that their information not be disclosed. The consumer must be given a clear explanation of how they can exercise the nondisclosure option. The nondisclosure option must be communicated to the consumer when the banking relationship is established and not less than annually during the time the relationship continues. These periodic notices must include an explanation of the bank's policies on disclosing personal information, including to whom the information may be given, the bank's policies about disclosing information of former customers, and the types of personal information the bank collects on its customers.
To handle these new responsibilities, the bank is required to identify and assess potential risks to customer information; develop a written plan to manage and control these risks; and implement, test and adjust the plan to adapt to changes in technology, information sensitivity and future threats. Due diligence in selecting service providers becomes increasingly important. The costs of administering these new security policies and practices will not add to the revenues of the bank, but failing in these new responsibilities will definitely add to the costs.
The Institute for the Study of Rural Banking and Financial Markets is funded in part by the South Dakota Bankers' Foundation.
This page last modified Thursday, 08-Nov-01 10:02:54
This page is: http://www.usd.edu/~lkorte/bankinga/sdbf0104.htm