If Tolstoy had reviewed the privacy practices at today's banks, would he have concluded that all bad bank policies are equally bad?
It turns out that he would have been mistaken if he had. I reviewed the "Facts: What Does XYZ Bank Do with Your Personal Information?" forms that banks now offer as a part of their standard disclosure processes. Going in, my assumption was that they all would be equal, and that their equality would find a center at a point that was uniformly aggressive.
The forms address seven different items under "reasons we can share your personal information." For each one, they then answer "can you limit this sharing?"
Reasons We Can Share Your Personal Information:
- For our everyday business purposes.
- For our marketing purposes.
- For joint marketing with other financial companies.
- For our affiliates' everyday business purposes - information about your transactions and experiences.
- For our affiliates' everyday business purposes - information about your creditworthiness.
- For our affiliates to market to you.
- For non-affiliates to market to you.
Activities in italics represent actions where the company shares your data with companies outside of their corporate span. In my opinion, it is hard to imagine why a bank would not share your information internally. On the other hand, when a bank has a practice of sharing (selling) your information to third parties, something wrong is happening.
In some cases, banks reserve the right to share your information, but then maintain a practice of not doing so. The second part of the form says "Can you limit this sharing?" Interestingly enough, some banks say that you can opt out, but others do not. So for example, while Commerce Bank (Kansas City) says that it does share information about your transactions with affiliates, it also says that a consumer can limit that sharing. Fifth Third shares your creditworthiness with affiliates, but they are willing to let a consumer ask to place a limit on that practice. On the other hand, a lot of banks take away the right of a consumer to limit sharing transactional information with affiliates. This group includes Chase, Capital One, Wells Fargo, Citibank, TDNorth, Regions, BB&T, KeyBank, and HSBC USA.
Who Shares the Most?
M&T Bank, Ally, Capital One, Citibank, Green Dot/Wal-Mart MoneyCard, JPMorgan Chase, and Santander Consumer USA all share to non-affiliates, for joint marketing, and to affiliates. In the case of every sharing opportunity, these institutions share.
Among the Big Banks, is there any differentiation?
Wells Fargo will not give your information to third parties, nor will they share it in joint marketing efforts. The same holds true for Charles Schwab.
Who Shares the Least?
State Street. Of the largest fifty financial institutions, no one can match State Street for respecting your privacy. Not only does State Street shy away from selling your data to others, they do not use it with affiliates or for joint marketing. What happens at State Street stays in State Street.
While a survey of smaller banks cannot help but be more random, it was the case that of those I surveyed, they were more respectful of consumers' privacy. At Bank of North Carolina, the only times when they share are for their own purposes or for joint marketing. It was the same with credit unions.
WebBank. This is the bank behind Prosper. Outside of ordinary internal business purposes, nothing that a consumer tells to Prosper goes beyond the walls of the peer-to-peer lender.
Prepaid Card Issuers
There was a lot of variety among prepaid card issuers. MetaBank shares data with joint marketing partners, but after that, mum's the word. Green Dot's Wal-Mart MoneyCard, by contrast, is a chatterbox. It shares for joint marketing, with affiliates, and with non-affiliates. I would like to know how Wal-Mart defines "affiliate," as there is hardly a large-sized economic actor in the United States who operates independently of Wal-Mart. Payroll cards issued under NetSpend by SunTrust were quiet on the important things (joint marketing and non-affiliates).
A Policy Response?
Why is it not the case that sharing/selling to third parties is only done on an opt-in basis?