Sensitive Information in Financial ServicesCS 457aIntroductionFinancial services is fundamentally an information-driven industry. Consumerfinancial transactions generate huge amounts of personal data. Every ATM transaction,credit card purchase, check deposit, and loan application leaves electronic traces in theform of transaction records at both your bank and (often) the counterparty’s financialinstitution. The sheer volume of such transactions is huge, Visa’s USA division aloneprocessed 14 Billion transactions in 2002.1 Financial institutions can use the informationacquired in the course of business beyond the basic function of rendering the servicerequested by the consumer. Databases of customer data and provide insights in tocustomer habits and allow institutions to connect consumers with products they are likelyto want. Detailed transaction databases also allow financial institutions to moreefficiently price products. For example data mining tools enable better estimate andunderstand important costs that are not known a priori such as credit risk and price loanproducts accordingly.There is little question that customer information is quite valuable to businesses.For years, the courts have held that customer list are valuable and can be protected astrade secrets. Financial information is an interesting class of personal information to lookat from a privacy perspective because it exists in large quantities, is non-public, and isoften sensitive, yet a singly piece of information can be handled by a wide range ofentities. Clearly, some level of information sharing is needed to effectuate financialtransactions. It would not be possible, for example, to deposit a paycheck in your bankwith out your employer and its bank also knowing the important details. While aconsumer understands this necessity, advances in databases and communicationtechnology now allow financial institutions to compile vast amounts of data about theircustomers and even create profiles of their personal financial habits. 1 http://usa.visa.com/personal/newsroom/1trillion.htmlThere are two primary areas of concern about privacy and sensitive data handlingin financial services: information sharing, and information security. These two classes ofconcerns are often mixed together, but should be thought of as largely distinct issues.Information sharing concerns the intentional use and distribution of personal information.Many consumers are uneasy about the amount of information that their financialinstitutions know about their lives and what firms may be doing with that information.Information security questions center around unauthorized use of personal information.The principal concern is the risk of some sort of identity theft, but may also includeunauthorized disclosure of sensitive personal information such as your wealth orspending habits. Information sharing and information security issues both concern thedistribution of non-public personal financial information, but they each requirefundamentally different approaches, both procedurally and technically, to addressing theneeds of consumers.Information SharingThe tremendous advances in information technology have led some to questionwhen financial institutions should be able to share information about its customers withother businesses. Consumer advocacy groups want to restrict information sharing andhave lobbied for “opt-in” laws that would require institution to obtain explicit consentprior to sharing personal information to third parties. Such a system would likely forcefinancial institutions to compensate customers with incentives such as lower fees, betterinterest rates, etc. in order to induce customers to authorize sharing of their information.Obviously these inducements would be limited to something less than the value that theinstitution can generate from this right to share information. While not driven by a legalrequirement, this is essentially the way that grocery store discount cards work. Grocerystores provide cardholders with special discounts in exchange for the ability to track acustomer’s buying behavior by studying card usage. While many consumers may thinkmore about the potential savings than the loss in privacy, the grocery card has essentiallycreated a market system for acquiring privacy rights from its customers.The Graham Leach Bliley Act of 1999 (GLB) does not go so far as requiring opt-in consent for information sharing, but it does financial institutions to allow consumer’sto “opt-out” of the firms right to share the customer’s information to non-affiliated thirdparties. Beginning July 1st 2001, financial institutions that share information with anynon-affiliated third parties had to provide written privacy policies that describe whatinformation is collected by the institution and precisely what may be shared with thirdparties. Institutions must provide this notice annually and consumers must be given anopportunity to opt-out of unwanted information sharing.The opt-out approach is clearly favors financial institutions because they areallowed to share information by default. Jeffrey Lacker, a Fed economist, argues thatfrom an economic perspective the distinction between opt-out and opt-in should be nodifferent than the difference between treating CD players as standard equipment or anavailable option in a new car.[1] Because institutions can still provide incentives toinduce its customer’s not to opt-out, the overall compensation provided to consumers forthe right to share their personal information should be the same. One would expect,however, that a larger proportion of customers would not opt-out from informationsharing than would opt-in under and opt-in scheme. While consumer advocates maycriticize GLB for having an opt-out system, any difference in information sharingauthorized under one scheme or the other reflects indifference about information sharingamong a portion of the population. Why not allow financial institutions to share theirinformation if they don’t seem to care that much? While exact figures are not available,industry sources cite an opt-out rate of about 5% for GLB-related privacy notices.[2]The information sharing debate is fundamentally about the ownership ofinformation rights. The opt-out rules and privacy policy requirements of GLB provide aclear mechanism for assigning information distribution rights between the institution andthe customer. It is up to the markets