WASHINGTON, D.C. -- Days after the Federal Trade Commission announced plans to step up enforcement of privacy laws, an online privacy rights advocate has filed a complaint with the commission alleging that five mortgage companies are violating new federal privacy laws.

A Center for Democracy and Technology (CDT) complaint alleges that Advantage Mortgage, Ameriwest Mortgage, Central New England Mortgage, G.M. Mortgage, and Online Mortgage Corporation all failed to comply with privacy provisions of the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (FSMA), which became effective July 1 this year.

The new law says financial companies must disclose privacy policies to consumers and give consumers, in some cases, the opportunity to request the companies not share personal information.

FSMA was designed to create a more open and competitive financial market, but it also has the real estate industry and the banking industry at loggerheads over whether a real estate brokerage is a financial institution. If so, that would give banks the right to sell real estate and real estate brokerages would have to abide by privacy disclosure law. The real estate industry says real estate brokerage is not a financial institution, banking says real estate brokerage is a financial institution. The debate, considered the most hotly contested issue of the new law, is likely to rage on throughout the year.

The real estate industry could use CDT's findings to argue lenders' handling of private information is still another reason bankers shouldn't become brokers in a position to gather more private consumer information.

"In particular, CDT has found that as of August 28, 2001 the following mortgage companies did not offer proper clear and conspicuous initial notice to customers on their Web sites. CDT has e-mailed each of these companies to inform them that they may be in breech of the law, but has not received a response," CDT alleged in its complaint to the commission.

CDT's complaint stemmed from a survey of 100 online banks and lenders, "Online Banking Privacy: A Slow, Confusing Start To Giving Customers Control Over Their Information," which says while some online banks provide customers with an array of privacy controls, most banks offer few online privacy choices -- or none.

It also says a large percentage of banks take advantage of loopholes in the law to share personal information with "affiliates" and "marketing partners" while offering customers no privacy options.

CDT says the survey is a "summons" for legislators and federal regulators to monitor banks' practices more closely and it is designed to encourage online banks to comply with legally mandated privacy provisions.

It seems to be working -- somewhat.

As of Sept. 5 Advantage and G.M. Mortgage had posted privacy policies in compliance with FSMA while Ameriwest's Web site revealed only a blank page with the notice "This page is intentionally blank." Central New England Mortgage and Online Mortgage both continued to operate without posted privacy policies.

Federal Policy

FSMA's Title V specifically says, in part, each financial institution, in a "clear and conspicuous manner," must:

• Disclose to existing customers the institution's privacy policy -- how the institution shares, sells or otherwise passes on consumers' private information to both affiliates and third parties, such as telemarketers.

• Disclose to existing customers, consumers' right to "opt-out" or not allow the financial institution to share private information with certain nonaffiliated third parties. The disclosure must explain to consumers how to exercise that right.

• Disclose to existing customers the institution's policies developed to prevent fraudulent access to consumers' confidential financial information.

• Disclose the same information mentioned above to new customers at the time of establishing a relationship with a new customers and to annually disclose the above mentioned information to all customers.

The law doesn't say lenders have to offer opt out provisions when they share information with affiliates, nor does it specifically require Web site opt-out access.

CDT, San Diego, CA-based Privacy Rights Clearinghouse and other consumer advocates say the law doesn't go far enough and even when lenders do comply with the law they often use small print and stilted language that makes it difficult for consumers to understand their rights and easily excercise them.

Both would like to see restrictions on sharing information with affiliates and the right for consumers to opt-in before companies share information. CDT also believes disclosures and opting-out tools should be available online from online lenders.

The survey said...

The "Online Banking Privacy" study found

• Thirty-four of the 100 institutions surveyed acknowledged that they shared information with unaffiliated third parties, but offered Internet banking customers no online privacy controls, although most provided some off line means to opt-out.

• Only 22 institutions offered Internet users an online opt-in (affirmative consent policy) or a consumer friendly opt-out to get off marketing and shared lists.

• Forty-four of the 100 institutions surveyed said that they did not share information with outside parties as defined by the law, and thus under FSMA did not have to offer any privacy choice online or off, yet two-thirds of these reserved the right to share information with "marketing partners," leaving consumers uncertain as to how and by whom their information was being used and offering consumers no opportunity to control such disclosures.

• Even fewer companies offered privacy controls on internal use and affiliate sharing. More than 80 percent of the financial institutions offered customers little or no opportunity to limit this type of sharing, which is not covered by the new law. Interestingly, banks offering choices to consumers for third-party sharing were more likely to give choices to individuals for internal sharing than those who claim not to engage at all in sharing covered by the law.

• Some banks make it particularly difficult to get off marketing lists. Community First, for example, requires online banking customers to call an 800 number to obtain a form consumers must then fill out and mail back in order to exercise their privacy rights.

• CDT also found some lenders offering innovative consumer-controls it considers "best practices," including First Union's easy-to-use, secure, online form, linked directly to the company's privacy policy. It allows the customer to opt-out of marketing deals by email, telephone or direct mail, and to limit sharing to third parties and affiliates, while still reminding the user what information may be legally shared.

  The opt-out form is available in Spanish, as is the entire privacy policy. Should users not want to opt-out online, a bilingual hotline is available to answer questions about the policy and to exercise the opt-out option.

• Internet-only banks fared best. Many do not share information with affiliates or third parties and several offered opt-in controls to their customers.

Recommendations

CDT recommends:

1. All online and offline financial institutions should follow the best practices adopted by industry leaders and offer online privacy controls.

2. Online mortgage companies should institute online privacy choices or face FTC investigation.

3. Policymakers should carefully reconsider the current exemptions in the new financial services privacy law, in particular the ability for companies to share with marketing partners and affiliates without any privacy controls.

"Requiring an opt-out choice for the financial industry has not yet given consumers easy-to-use controls over redisclosure and use of personal financial information. Policy makers should be working to make sure that future privacy requirements offer better results by studying best practices and creating stricter standards."

For more articles by Broderick Perkins, please press here.

Published: September 7, 2001

Use of this article without permission is a violation of federal copyright laws.

A journalist for 35-years, Broderick Perkins parlayed an old-school daily newspaper career into a digital news service offering editorial content and consulting services. Perkins' San Jose, CA-based DeadlineNews Group includes the flagship news site, DeadlineNews.Com, offering real estate, personal finance and consumer journalism, and a backshop, the Deadline Newsroom.