Jo Ann S. Barefoot, contributing editor. Barefoot heads up Columbus, Ohio-based KPMG Barefoot, Marrinan, a business unit of KPMG Peat Marwick LLP. She is a partner in the parent firm.
An informal survey of bank sites finds both good and bad compliance news. How can your bank stay clean?
The Internet is a great "leveler" between large and small banks. It provides a cost-effective delivery system for any bank to find and serve customers. Small banks can easily reach thousands of miles beyond local markets to promote niche products or competitive prices. Large banks can offer sophisticated products and high-convenience services to their high-end custom- ers. Both can use the Web to gather precious data on users of their sites and services.
Furthermore, both can use the Web to gain a foothold in the growing market of young, educated, computer-savvy consumers. Branch networks are still important delivery channels, but it takes an active imagination to envision bank lobbies in the year 2000 filled with come-of-age Generation X-ers standing patiently in line for basic transactions.
My parents still go to the bank. I go rarely. My grown son hasn't set foot in a bank in years. And my younger children, like most everyone's, use the computer to research school papers, "talk" with their friends, and conquer distant galaxies. It is inconceivable that they will not use it, almost exclusively, to do their banking.
Hence the proliferation of Web sites as banks learn to make this new channel work for them and their customers. And with this proliferation comes compliance problems.
What's out there--and what's not
For this column, my colleagues and I sampled the Web sites of a variety of financial services providers.
The good news is that we found no outright "horror stories"--practices that would create high-dollar risk exposure.
The bad news is that we found many violations of basic regulatory requirements. This confirmed our theory, based on our consulting work, that there is a widespread lack of communication between the units developing electronic services and banks' compliance experts.
For some reason, when the prefix "e" gets attached to a new product or service (as with "e-commerce"), even banks with top-notch compliance functions somehow forget everything they know about regulations.
We also found a wide spectrum of approaches to voluntary disclosure--efforts to help customers understand Internet banking and make good decisions for themselves.
Those at the better end of the scale are providing customers with information that goes beyond current regulatory mandates. Other banks are meeting only the lower standard of complying with today's rules, which, of course, were not designed with the Internet in mind. Such banks, as a result, are producing sites that arguably are confusing or even misleading to the public. Over the last three decades, banks have learned through bitter experience that customers who feel confused and misled gain the ear of politicians who feel the need for new laws, regulators who feel the need to write new rules, and courts that reinterpret laws and regulations to find new consumer remedies. Today's electronic delivery systems are out in front of the regulatory solid ground-a situation loaded with risk and calling for voluntary efforts to keep risks to a minimum.
Here is a round-up, then, of good and bad practices.
1. Advertising. Every bank Web site we have seen is an advertisement, Therefore, it is covered by the advertising rules that would apply if the same material appeared in a newspaper or other medium.
This means that Web sites for credit products must comply with truth-in lending rules, including assuring that triggering terms are accompanied by required disclosures. [Truth-in-lending disclosures were typically not shown on "shopper" Web sites (ones that have the rates of several banks), where the site is not owned and operated by the bank. This type of "advertising" could signal a need for monitoring those sites in which a bank "participates" with other banks through a third party, a point discussed later.]
Similarly, sites advertising home mortgage credit must provide the Equal Housing Lender logotype and legend. Sites promoting deposit products must provide required truth-in-savings information, including Annual Percentage Yields where applicable. Bank sites promoting non-deposit investment products must give the mandated disclaimers about lack of federal deposit insurance coverage. Home equity loan advertising should include the "consult your tax advisor" disclaimer in addition to other advertising requirements.
We looked at numerous sites that were missing some of these required advertising disclosures. Interestingly, we also found that many sites did not give customers enough information to trigger the advertising requirements, especially on rates. This may reflect bank wariness that rate information is often a trip-wire for regulatory mandates, However, surveys show that consumers like to use online comparison shopping to search for rates, so banks with competitive prices may be well advised to include them in the Web site, and make sure the necessary compliance steps are followed in the process.
2. Problems with disclosures and site design. A common pitfall we noted was that disclosures did not always dovetail with the way the consumer actually uses the site, especially on non-deposit products. A number of sites, including some at large banks, had the required disclosures that investment products were not FDIC insured; however, these sites permitted customers to search the site in ways that severed this disclosure from individual product descriptions. We often found ourselves looking at a computer screen on a non-insured product, with no insurance disclaimer in sight. Depending on the specifics of the situation, this might not be illegal, but in many cases it was confusing at best, and could be construed as misleading.
A good model in this area is one large bank's site. Its mutual funds page has the heading, "Entering XYZ Funds," and continues, "You are leaving the XYZ Bank website and entering the XYZ Funds website....Mutual funds are not FDIC insured and carry no bank guarantees." Other cautions are conspicuously provided and finally a large bold heading says "NOT FDIC INSURED. MAY LOSE VALUE, NO BANK GUARANTEE."
It would be difficult for a consumer to miss the warning here, in contrast to a number of other sites we checked.
3. Privacy notices. Many, although not all, of the sites we visited had voluntary privacy notices, often following guidelines from ABA and others.
There was huge variation in these privacy disclosures. Among 11 large banks we studied, we found highly informative and helpful disclosures at five: Citibank, NationsBank, Wells Fargo, Chase, and Bank of America. We found two with notices we considered inadequate. And we found three large hanks with no privacy notices, at all.
The Citi statement is a good model. It is over a page in length and detailed in describing the bank's policies. The disclosure explains the bank's commitment to keeping customer information confidential; the fact that it shares information with reputable companies; the fact that the bank does not share data with outside parties except in specified circumstances; the fact that it holds employees accountable for meeting privacy standards; and that it has policies on maintaining information security and investigating complaints. Citi promises not to give information to third parties without the customer's written consent.
Wells Fargo's statement covers essentially the same issues, and also offers an opt-out opportunity on marketing. Customers who do not want the bank to use their personal information to target-market them can call a toll-free telephone number to block such promotions. Also, Wells customers are given an explicit opportunity to check the accuracy of the data the bank has on them by calling a toll-free phone number.
NationsBank shows customers how to contact the Direct Marketing Association to be put on its "no-contact" lists.
4. Privacy and data security. A majority of the sites we visited did not allow the customer actually to apply for a loan or open an account on-line, although the industry appears to be moving rapidly toward that. Of those that did permit on-line applications and transactions, some, including one site at a large bank, were not "secure." This means sensitive information, including Social Security numbers, could he intercepted. It seems wider use of non-secure sites will escalate demands for more privacy protections, which will rend to impede growth of this delivery channel.
5. Hard-sell. Another issue relating to on-line loan applications is not about compliance, per se, but could lead to complaints. On a Web site for a large, non-bank lender, we clicked on, "Show Me Your Rates," and got the "Home Equity Loan Rate Shopper Page." This page invited us to fill out some information, "....to help identify the Home Equity Line of Credit rates that are most likely to apply to you" (an interesting statement in itself). After completing this information, we clicked on a bar and suddenly had a screen saying, "In order to process your loan application....
There had been no previous mention of making an application. For customers who are simply rate shopping, this leap to application processing is jarring. If the customer aborts the process, but the lender retains and uses the data, one can imagine charges of consumer abuse.
6. Related parties. We also visited the sites of on-line services such as Yahoo Finance/Bank Rate Monitor and Quicken that give comparative information on rates. Banks should pay attention to privacy and fairness practices at such general sites-especially those they are formally affiliated with. Again, it is not hard to imagine legal liability and/or brand name risk arising in connection with third-party web practices.
7. Other issues. Among the possible issues that may emerge are:
* Pricing. On-line banking user fees could become controversial, like ATM fees.
* Access. Fair Housing Act regulations require home lenders to depict diverse customer types in ads. Many Internet sites portray mainly nonminorities.
www.ongoingchallenge/4banks
Many of the risks cannot be eliminated-the light-speed pace of change will lead to consumer problems that will translate into legislation, litigation, regulation, and reputation damage.
Nevertheless, risks can be minimized if banks treat electronic banking as they treat traditional functions:
* Have everything reviewed by legal and compliance staffs.
* Have compliance people at the table during product and system design. Pay close attention when they frown and say, "well, that's not technically in violation of the rule but ..."
* Build a strong ethical mindset into these new-frontier products. Remember, many of the best retail technology people in banks, as everywhere, grew up in the "anything-goes" ethic that permeated the start-up years of the Internet. Banks should think about how much that environment contrasts with the total-protection mindset that permeates banking consumer regulation. Electronic banking teams must include both types, and need to be sensitive to the fact that what is legal today may be controversial, and very possibly illegal, tomorrow.
A checklist for Web site compliance
* Are FDIC-insurance disclosures made properly and do they appear in the right places? The speed and ease with which a visitor to your bank's Web site can move from the page that offers deposit products to another page that discusses mutual funds-or even to a linked Web site operated by a brokerage affiliate-makes compliance particularly challenging.
* Are all advertising requirements met? A Web page is an "advertisement." All advertising requirements-including the Truth in Lending, Truth in Savings, and the Fair Housing Acts-apply.
* Is there a privacy disclosure? Although a privacy policy is not legally required, developing and implementing one is not only good risk management but will enhance customer acceptance of on-line banking.
* Are affiliated Web sites in compliance? In addition to reviewing your bank's own Web site, be sure to consider the bank's participation in Web sites operated by third parties. On-line shopping services for auto or mortgage loans should be reviewed for compliance.
* Is customer information secure? Protect the security of personal information provided by consumers who visit the bank's Web site. Use appropriate encryption to protect the confidentiality of sensitive information collected via an on-line application.
