Full text of Economic Commentary (Federal Reserve Bank of Cleveland) : Consumer Financial Privacy and the Gramm-Leach-Bliley Act, March 15, 2002

View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

March 15, 2002*

Federal Reserve Bank of Cleveland

Consumer Financial Privacy and the
Gramm-Leach-Bliley Act
by Paul W. Bauer

ISSN 0428-1276
*Printed April 2002

ver the last 50 years, computers and
telecommunications have radically
changed many aspects of life. Most of
these changes have been beneficial. Cell
phones allow us to remain in touch with
our offices and families—of course,
some would argue they also allow our
offices and families to stay in touch with
us. The Internet enables us to obtain,
quickly and inexpensively, information
that previously was time consuming,
expensive, or unavailable. Increasingly,
we have greater access to our financial
accounts. We can check our bank balances, 401(k) balances, and brokerage
accounts 24/7.

their marketing dollars. Credit providers,
given a more complete view of household finances and spending habits, could
more accurately price their loans.

All this activity is generating a vast
amount of information, some of it
personal. Except for consumers’ names
and ages, most information about them
is created in transactions that involve at
least one other party. For example, when
consumers purchase new homes, they
transact with the current owner, the
county recorder, and usually a financial
institution to obtain a mortgage. To
conclude the transaction, consumers
willingly release personal financial
information to the other parties—but
who owns the rights to that information
once the transaction has occurred? Prior
to disclosure, consumers have complete
control over it. The problem arises when
data is subsequently transferred to third
parties, which, although it may benefit
the party releasing it, may not benefit
the consumer.

The general legal principle that has
evolved over the last hundred years is
that data collected for one purpose
should not be put to any secondary use
without the provider’s consent. Early
applications of the secondary-use principle go back to the U.S. Post Office and
the Census Bureau, and, since the 1970s,
privacy advocates have vigorously
promoted this principle. When privacy
is viewed as a fundamental right, economics has little to offer to the debate.
However, we will see that when privacy
is viewed as a characteristic of a financial institution’s quality of service,
economics offers a number of important
insights. This Economic Commentary
examines the economics of consumer
financial privacy and considers the
implications of the 1999 GrammLeach-Bliley Act.

Merchants and credit providers see
many potential benefits from this rising
flood of personal data. Merchants, given
a better understanding of household
preferences as revealed by their previous
purchases, could more effectively target

■

Not all consumers are convinced these
benefits are worth the loss of privacy.
When you buy a new house, for example, you may or may not be pleased to
find yourself bombarded by telemarketers hawking everything from new
roofs to basement waterproofing. A
more serious consumer privacy problem
is identity theft, a rare crime before the
information age that is made easier by
freer access to personal information.

Privacy Provisions of the
Gramm-Leach-Bliley Act

Passed in 1999, the Gramm-LeachBliley Act is remaking the financial services landscape by allowing financial
holding companies to engage in both

By requiring financial institutions to
put adequate controls in place to
secure consumers’ confidential data
and by clearly spelling out what
rights consumers and financial institutions have, the 1999 GrammLeach-Bliley Act is a positive step
toward ensuring consumer financial
privacy. If there are no market
imperfections, then competition may
be relied on to efficiently sort out the
competing interests of consumers and
financial institutions. Alternatively,
if there are market imperfections in
the form of externalities, the Coase
theorem suggests that the act, by
clearly assigning property rights to
the information, should facilitate an
economically efficient outcome.

commercial and merchant banking as
well as securities and insurance underwriting, removing barriers that had been
in place since the Glass-Steagall Act of
1933. Issued jointly on January 17,
2001, by the Federal Reserve, Federal
Deposit Insurance Corporation, Office of
the Comptroller of the Currency, and
Office of Thrift Supervision, Regulation
P—“Privacy of Consumer Financial
Information”—took full effect on July 1,
2001, and applies to any firm conducting
activities deemed “financial in nature or
incidental to such financial activities.”
(The joint final rules can be found on the
Board of Governor’s Web site at
www.federalreserve.gov/boarddocs/press/
BoardActs/2001/20010117/default.htm.)

The regulation has two main provisions.
First, financial institutions must establish
information security programs to ensure
that nonpublic consumer information is
kept secure from internal and external
threats. These security programs must be
tested and adjusted periodically to keep
them up to date. Guidelines outline
specific security measures that institutions should consider in implementing
an appropriate security program. These
provisions minimize the risk that
nonpublic consumer information is
unintentionally released.
Second, financial institutions are
required to disseminate (at least annually) a statement of their privacy policies to customers. These policies must
describe the conditions under which the
institution may disclose nonpublic personal information to nonaffiliated third
parties and to affiliates. If a financial
institution wants to intentionally disclose nonpublic information about a
customer to unrelated third parties, the
customer must have the option to “opt
out,” that is, request the information not
be shared. Financial institutions must
provide a reasonable method for consumers to opt out of disclosures to nonaffiliated third parties, and they must be
able to exercise this option at any time.

■

The Economics of
Financial Privacy

Because it is unclear whether the market
for financial privacy is free of market
failures, we consider both possibilities.
First, we consider how the market for
financial privacy would work in the
absence of market failures, and then we
show how an economically efficient
outcome may be possible even in the
face of a market failure.
The way a financial institution handles
consumer financial information is a
characteristic of its service. Most services and products in a modern economy have many characteristics that are
important to consumers. For example,
consider digital cameras. At any one
time, there are hundreds of cameras on
the market made by dozens of manufacturers. As features vary across models,
production costs will depend on which
features are included. Because consumers have varying demands—ranging, for instance, from those who want
to point and shoot to professional photographers—any two consumers may
value a given feature differently. How
does the market sort out the various

desires of consumers and cost constraints of manufacturers?
Economists assume that consumers
strive to maximize their well-being by
choosing products that best suit their
needs given their budget constraint,
while firms are assumed to maximize
profits in the way they design, manufacture, and sell their products. If there are
no market imperfections, economists
going back to Adam Smith have shown
that competition’s invisible hand will
ensure that, in the long run, consumers
get the most value for their money and
firms earn a normal economic profit. In
other words, at the margin, every item
sold is valued by consumers (the price
they are willing to pay) as much as the
resources required to provide it (the cost
to suppliers). Going back to the digital
camera example, the difference in price
between a 3 and 4 megapixel camera
should equal the difference in manufacturing and marketing costs.
How does all of this economic theory
apply to financial privacy? What a financial institution does with the data generated by handling customer accounts and
transactions is a characteristic of its
service. Sharing that information with
others could earn the firm extra revenue
and may even provide consumers with
additional benefits—for example, by
making consumers aware of other
products and services, information sharing may lead them to find better matches
in future purchases. Alternatively, some
consumers may not value this characteristic and might even be willing to pay
more to avoid it, either in the form of
higher fees or by incurring the transition
costs of switching to another financial
institution.
The actual outcome in the marketplace
will depend on how much revenue is to
be had from sharing information and
how adverse consumers are to having
the data shared. Currently, the revenue
available to financial firms appears to
be relatively small; in 2001, lists of
merchandise buyers fetched only 8–13
cents per name (Lacker 2002). It also
appears that although consumers are
generally concerned about the loss of
financial privacy, only about 5 percent
have taken the low-cost step of opting
out (Lacker 2002).
How the market for financial privacy
will evolve over time is unclear. Initially,
privacy policies may not have much

meaning. For example, a New York
Times article cites one institution’s privacy policy, which lists two kinds of
companies that it would share data with:
“1. Financial service providers;
2. Nonfinancial service providers.”
(“Privacy Policy Notices Are Called to
Common and Too Confusing, May 7,
2001). However, some financial institutions have begun to include a “no telemarketers” pledge in their advertising,
so it is quite conceivable that, as with
digital cameras, one size does not fit all.
Consumers who do not mind data sharing or feel they benefit from it will sort
themselves out to financial institutions
that share data. These institutions may
even offer inducements, in the form of
lower costs for services or some type of
bonus, to customers if the data is valuable enough. Alternatively, consumers
with a taste for privacy will seek out
financial institutions that do not share
data, forgoing the above inducements.

■

What If There Is a
Market Failure?

The foregoing analysis assumes there
are no imperfections in the market
for financial privacy. But what if the
market has some flaw that prevents
competition from achieving economic
efficiency? In other words, what if one
of the assumptions required for perfect
competition fails, and consumers’ marginal willingness to pay is not equal to
firms’ marginal cost of production?
Anything that causes a permanent
divergence between the two is called a
“market failure.” In theory, one source
of market failure is monopoly power,
but it seems unlikely this is a significant
problem for financial markets. Most
regions of the United States have a
multitude of banks, savings and loans,
and credit unions that actively compete
for consumers’ deposits. In addition, the
Internet and nationwide ATM networks
make distance less of a barrier, increasing
market competition for financial services.
Externalities are another theoretical
cause of market failure. An externality
occurs when the full economic costs of
a transaction are not born by the participants. The textbook example of an externality is water pollution from a paper
plant, whose owners do not consider the
effect on downstream users in its production decisions. Economist A.C. Pigou
suggested that a regulatory regime in
which taxes on the polluter are set
exactly equal to the costs of pollution

leads to an optimal solution. While such
a policy theoretically solves the externality problem, Nobel Prize winner
Ronald Coase pointed out that regulators
are unlikely to understand the costs of
pollution and abatement technology well
enough to set these taxes accurately.
Coase laid out an alternative way of
looking at externalities, generally
referred to as the Coase theorem. The
problem, he points out, is that the right
to clean water (or the right to pollute) is
not clearly assigned. The key to obtaining an economically efficient outcome
depends on assigning property rights in
such a way that minimizes subsequent
transaction costs. Under the “strong”
Coase theorem, which holds when
transaction costs are negligible, externalities are eliminated by giving either
the upstream plant the right to pollute
or the downstream residents the right
to clean water. In either case, plant owners and residents will bargain based on
the cost of pollution and pollutionabatement technology and achieve an
economically efficient allocation of
resources.
The most likely outcome is a combination of pollution abatement and payments to residents to offset the costs of
any remaining pollution. This is an efficient outcome from an economic perspective in that consumers’ preferences
and firms’ technology constraints are
such that no reallocation of resources
can make anyone better off without
making someone else worse off. This
allocation does not mean that everyone
will be happy with the outcome: Individuals who do not value the plant’s
products enough to allow even a little
pollution would not be pleased, and the
plant would most likely have to expend
some resources toward pollution abatement or compensation.
Of course, it is much more likely that
transaction costs between plant managers
and downstream residents are not negligible. For example, after the plant has
obtained agreements with all other residents, that last resident could hold out for
a larger payment, knowing the multimillion-dollar plant cannot produce anything until it has an agreement with him.
When transaction costs are significant,
the “weak” Coase theorem can be
applied. It suggests that the best society
can do is assign property rights in a
way that minimizes transaction costs.
Such an assignment could outperform

government regulation because regulators are unlikely to have the full information held by the firm on the cost of pollution abatement and by the residents on
the cost of the pollution. In our pollution
example, property rights might be
assigned to the plant and residents might
pay the plant to mitigate
its effluent.
Kahn, McAndrews, and Roberds (2001)
argue there are two sources of externalities in the market for financial privacy.
First, it is difficult to commit to not
using information once it is acquired
because, once collected, it is hard to
unlearn. Second, the usefulness of the
information may be tied to sunk investments required to analyze the data—
investments the financial institutions
may not be able to recoup if a significant number of consumers opt out.
If transaction costs are negligible, the
Coase theorem suggests the GrammLeach-Bliley Act will facilitate an
economically efficient outcome by
assigning property rights. At this point,
it is not clear how large the transaction
costs are. If costs are significant, the
weak Coase theorem advises assigning
property rights to minimize transaction
costs. Kahn, McAndrews, and Roberds
suggest that if the problem is that it is
difficult to forget, then property rights
should be assigned to consumers.
However, if the problem is sunk costs,
then the rights should be assigned to
financial institutions.
At this point, we do not know how large
these transaction costs are likely to be.
In fact, there is some debate as to
whether there really is an externality
problem in the market for financial
privacy. Although it may be difficult to
forget, Lacker (2002) argues, the Federal
Trade Commission has a long history of
battling “unfair and deceptive trade
practices.” If a financial institution fails
to live up to its privacy policy, it could be
subject to enforcement action, just as if it
had failed to live up to any other commitment. The possibility that sunk
investment costs will lead to externalities
has also been questioned. Economists, as
a rule, are seldom persuaded that sunk
costs affect long-run outcomes. In addition, the sunk costs may not be that
large, as only the dedicated software
may have no other productive use.

■

Conclusion

By requiring financial institutions to
ensure that adequate controls are in
place to secure consumers’ confidential
data and by clearly spelling out consumers’ and financial institutions’
rights, the Gramm-Leach-Bliley Act
is a positive step. If there are no market
imperfections, competition will efficiently sort out the competing interests
of consumers and financial institutions.
Alternatively, if there is a market
imperfection in the form of externalities, the Coase theorem suggests that
by clearly assigning property rights to
the information, the act should facilitate
an economically efficient outcome.
Over time, the market for financial
privacy should evolve to sort out the
conflicting interests of consumers and
financial institutions in an economically efficient manner.
It may be that there are two types of
consumers—one type with strong privacy preferences and another type with
weak preferences—and financial institutions geared to both types may exist
profitably. If consumers feel strongly
enough, a niche will develop for financial institutions that voluntarily enact
strict privacy policies that satisfy even
the most ardent privacy advocate. If not,
it will reveal that consumers value the
benefits of a freer exchange of information more than the costs.

■

Full text of Economic Commentary (Federal Reserve Bank of Cleveland) : Consumer Financial Privacy and the Gramm-Leach-Bliley Act, March 15, 2002

FRASER