The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
March 15, 2002* Federal Reserve Bank of Cleveland Consumer Financial Privacy and the Gramm-Leach-Bliley Act by Paul W. Bauer O ISSN 0428-1276 *Printed April 2002 ver the last 50 years, computers and telecommunications have radically changed many aspects of life. Most of these changes have been beneficial. Cell phones allow us to remain in touch with our offices and families—of course, some would argue they also allow our offices and families to stay in touch with us. The Internet enables us to obtain, quickly and inexpensively, information that previously was time consuming, expensive, or unavailable. Increasingly, we have greater access to our financial accounts. We can check our bank balances, 401(k) balances, and brokerage accounts 24/7. their marketing dollars. Credit providers, given a more complete view of household finances and spending habits, could more accurately price their loans. All this activity is generating a vast amount of information, some of it personal. Except for consumers’ names and ages, most information about them is created in transactions that involve at least one other party. For example, when consumers purchase new homes, they transact with the current owner, the county recorder, and usually a financial institution to obtain a mortgage. To conclude the transaction, consumers willingly release personal financial information to the other parties—but who owns the rights to that information once the transaction has occurred? Prior to disclosure, consumers have complete control over it. The problem arises when data is subsequently transferred to third parties, which, although it may benefit the party releasing it, may not benefit the consumer. The general legal principle that has evolved over the last hundred years is that data collected for one purpose should not be put to any secondary use without the provider’s consent. Early applications of the secondary-use principle go back to the U.S. Post Office and the Census Bureau, and, since the 1970s, privacy advocates have vigorously promoted this principle. When privacy is viewed as a fundamental right, economics has little to offer to the debate. However, we will see that when privacy is viewed as a characteristic of a financial institution’s quality of service, economics offers a number of important insights. This Economic Commentary examines the economics of consumer financial privacy and considers the implications of the 1999 GrammLeach-Bliley Act. Merchants and credit providers see many potential benefits from this rising flood of personal data. Merchants, given a better understanding of household preferences as revealed by their previous purchases, could more effectively target ■ Not all consumers are convinced these benefits are worth the loss of privacy. When you buy a new house, for example, you may or may not be pleased to find yourself bombarded by telemarketers hawking everything from new roofs to basement waterproofing. A more serious consumer privacy problem is identity theft, a rare crime before the information age that is made easier by freer access to personal information. Privacy Provisions of the Gramm-Leach-Bliley Act Passed in 1999, the Gramm-LeachBliley Act is remaking the financial services landscape by allowing financial holding companies to engage in both By requiring financial institutions to put adequate controls in place to secure consumers’ confidential data and by clearly spelling out what rights consumers and financial institutions have, the 1999 GrammLeach-Bliley Act is a positive step toward ensuring consumer financial privacy. If there are no market imperfections, then competition may be relied on to efficiently sort out the competing interests of consumers and financial institutions. Alternatively, if there are market imperfections in the form of externalities, the Coase theorem suggests that the act, by clearly assigning property rights to the information, should facilitate an economically efficient outcome. commercial and merchant banking as well as securities and insurance underwriting, removing barriers that had been in place since the Glass-Steagall Act of 1933. Issued jointly on January 17, 2001, by the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Regulation P—“Privacy of Consumer Financial Information”—took full effect on July 1, 2001, and applies to any firm conducting activities deemed “financial in nature or incidental to such financial activities.” (The joint final rules can be found on the Board of Governor’s Web site at www.federalreserve.gov/boarddocs/press/ BoardActs/2001/20010117/default.htm.) The regulation has two main provisions. First, financial institutions must establish information security programs to ensure that nonpublic consumer information is kept secure from internal and external threats. These security programs must be tested and adjusted periodically to keep them up to date. Guidelines outline specific security measures that institutions should consider in implementing an appropriate security program. These provisions minimize the risk that nonpublic consumer information is unintentionally released. Second, financial institutions are required to disseminate (at least annually) a statement of their privacy policies to customers. These policies must describe the conditions under which the institution may disclose nonpublic personal information to nonaffiliated third parties and to affiliates. If a financial institution wants to intentionally disclose nonpublic information about a customer to unrelated third parties, the customer must have the option to “opt out,” that is, request the information not be shared. Financial institutions must provide a reasonable method for consumers to opt out of disclosures to nonaffiliated third parties, and they must be able to exercise this option at any time. ■ The Economics of Financial Privacy Because it is unclear whether the market for financial privacy is free of market failures, we consider both possibilities. First, we consider how the market for financial privacy would work in the absence of market failures, and then we show how an economically efficient outcome may be possible even in the face of a market failure. The way a financial institution handles consumer financial information is a characteristic of its service. Most services and products in a modern economy have many characteristics that are important to consumers. For example, consider digital cameras. At any one time, there are hundreds of cameras on the market made by dozens of manufacturers. As features vary across models, production costs will depend on which features are included. Because consumers have varying demands—ranging, for instance, from those who want to point and shoot to professional photographers—any two consumers may value a given feature differently. How does the market sort out the various desires of consumers and cost constraints of manufacturers? Economists assume that consumers strive to maximize their well-being by choosing products that best suit their needs given their budget constraint, while firms are assumed to maximize profits in the way they design, manufacture, and sell their products. If there are no market imperfections, economists going back to Adam Smith have shown that competition’s invisible hand will ensure that, in the long run, consumers get the most value for their money and firms earn a normal economic profit. In other words, at the margin, every item sold is valued by consumers (the price they are willing to pay) as much as the resources required to provide it (the cost to suppliers). Going back to the digital camera example, the difference in price between a 3 and 4 megapixel camera should equal the difference in manufacturing and marketing costs. How does all of this economic theory apply to financial privacy? What a financial institution does with the data generated by handling customer accounts and transactions is a characteristic of its service. Sharing that information with others could earn the firm extra revenue and may even provide consumers with additional benefits—for example, by making consumers aware of other products and services, information sharing may lead them to find better matches in future purchases. Alternatively, some consumers may not value this characteristic and might even be willing to pay more to avoid it, either in the form of higher fees or by incurring the transition costs of switching to another financial institution. The actual outcome in the marketplace will depend on how much revenue is to be had from sharing information and how adverse consumers are to having the data shared. Currently, the revenue available to financial firms appears to be relatively small; in 2001, lists of merchandise buyers fetched only 8–13 cents per name (Lacker 2002). It also appears that although consumers are generally concerned about the loss of financial privacy, only about 5 percent have taken the low-cost step of opting out (Lacker 2002). How the market for financial privacy will evolve over time is unclear. Initially, privacy policies may not have much meaning. For example, a New York Times article cites one institution’s privacy policy, which lists two kinds of companies that it would share data with: “1. Financial service providers; 2. Nonfinancial service providers.” (“Privacy Policy Notices Are Called to Common and Too Confusing, May 7, 2001). However, some financial institutions have begun to include a “no telemarketers” pledge in their advertising, so it is quite conceivable that, as with digital cameras, one size does not fit all. Consumers who do not mind data sharing or feel they benefit from it will sort themselves out to financial institutions that share data. These institutions may even offer inducements, in the form of lower costs for services or some type of bonus, to customers if the data is valuable enough. Alternatively, consumers with a taste for privacy will seek out financial institutions that do not share data, forgoing the above inducements. ■ What If There Is a Market Failure? The foregoing analysis assumes there are no imperfections in the market for financial privacy. But what if the market has some flaw that prevents competition from achieving economic efficiency? In other words, what if one of the assumptions required for perfect competition fails, and consumers’ marginal willingness to pay is not equal to firms’ marginal cost of production? Anything that causes a permanent divergence between the two is called a “market failure.” In theory, one source of market failure is monopoly power, but it seems unlikely this is a significant problem for financial markets. Most regions of the United States have a multitude of banks, savings and loans, and credit unions that actively compete for consumers’ deposits. In addition, the Internet and nationwide ATM networks make distance less of a barrier, increasing market competition for financial services. Externalities are another theoretical cause of market failure. An externality occurs when the full economic costs of a transaction are not born by the participants. The textbook example of an externality is water pollution from a paper plant, whose owners do not consider the effect on downstream users in its production decisions. Economist A.C. Pigou suggested that a regulatory regime in which taxes on the polluter are set exactly equal to the costs of pollution leads to an optimal solution. While such a policy theoretically solves the externality problem, Nobel Prize winner Ronald Coase pointed out that regulators are unlikely to understand the costs of pollution and abatement technology well enough to set these taxes accurately. Coase laid out an alternative way of looking at externalities, generally referred to as the Coase theorem. The problem, he points out, is that the right to clean water (or the right to pollute) is not clearly assigned. The key to obtaining an economically efficient outcome depends on assigning property rights in such a way that minimizes subsequent transaction costs. Under the “strong” Coase theorem, which holds when transaction costs are negligible, externalities are eliminated by giving either the upstream plant the right to pollute or the downstream residents the right to clean water. In either case, plant owners and residents will bargain based on the cost of pollution and pollutionabatement technology and achieve an economically efficient allocation of resources. The most likely outcome is a combination of pollution abatement and payments to residents to offset the costs of any remaining pollution. This is an efficient outcome from an economic perspective in that consumers’ preferences and firms’ technology constraints are such that no reallocation of resources can make anyone better off without making someone else worse off. This allocation does not mean that everyone will be happy with the outcome: Individuals who do not value the plant’s products enough to allow even a little pollution would not be pleased, and the plant would most likely have to expend some resources toward pollution abatement or compensation. Of course, it is much more likely that transaction costs between plant managers and downstream residents are not negligible. For example, after the plant has obtained agreements with all other residents, that last resident could hold out for a larger payment, knowing the multimillion-dollar plant cannot produce anything until it has an agreement with him. When transaction costs are significant, the “weak” Coase theorem can be applied. It suggests that the best society can do is assign property rights in a way that minimizes transaction costs. Such an assignment could outperform government regulation because regulators are unlikely to have the full information held by the firm on the cost of pollution abatement and by the residents on the cost of the pollution. In our pollution example, property rights might be assigned to the plant and residents might pay the plant to mitigate its effluent. Kahn, McAndrews, and Roberds (2001) argue there are two sources of externalities in the market for financial privacy. First, it is difficult to commit to not using information once it is acquired because, once collected, it is hard to unlearn. Second, the usefulness of the information may be tied to sunk investments required to analyze the data— investments the financial institutions may not be able to recoup if a significant number of consumers opt out. If transaction costs are negligible, the Coase theorem suggests the GrammLeach-Bliley Act will facilitate an economically efficient outcome by assigning property rights. At this point, it is not clear how large the transaction costs are. If costs are significant, the weak Coase theorem advises assigning property rights to minimize transaction costs. Kahn, McAndrews, and Roberds suggest that if the problem is that it is difficult to forget, then property rights should be assigned to consumers. However, if the problem is sunk costs, then the rights should be assigned to financial institutions. At this point, we do not know how large these transaction costs are likely to be. In fact, there is some debate as to whether there really is an externality problem in the market for financial privacy. Although it may be difficult to forget, Lacker (2002) argues, the Federal Trade Commission has a long history of battling “unfair and deceptive trade practices.” If a financial institution fails to live up to its privacy policy, it could be subject to enforcement action, just as if it had failed to live up to any other commitment. The possibility that sunk investment costs will lead to externalities has also been questioned. Economists, as a rule, are seldom persuaded that sunk costs affect long-run outcomes. In addition, the sunk costs may not be that large, as only the dedicated software may have no other productive use. ■ Conclusion By requiring financial institutions to ensure that adequate controls are in place to secure consumers’ confidential data and by clearly spelling out consumers’ and financial institutions’ rights, the Gramm-Leach-Bliley Act is a positive step. If there are no market imperfections, competition will efficiently sort out the competing interests of consumers and financial institutions. Alternatively, if there is a market imperfection in the form of externalities, the Coase theorem suggests that by clearly assigning property rights to the information, the act should facilitate an economically efficient outcome. Over time, the market for financial privacy should evolve to sort out the conflicting interests of consumers and financial institutions in an economically efficient manner. It may be that there are two types of consumers—one type with strong privacy preferences and another type with weak preferences—and financial institutions geared to both types may exist profitably. If consumers feel strongly enough, a niche will develop for financial institutions that voluntarily enact strict privacy policies that satisfy even the most ardent privacy advocate. If not, it will reveal that consumers value the benefits of a freer exchange of information more than the costs. ■ Recommended Reading Coase, R.H. 1960. “The Problem of Social Cost.” Journal of Law and Economics 3, pp. 1–44. Kahn, Charles M., James McAndrews, and William Roberds. 2000. “A Theory of Transactions Privacy.” Federal Reserve Bank of Atlanta, Working Paper no. 2000-22, November. Lacker, Jeffrey M. 2001. “The Economics of Financial Privacy: To Opt-in or Opt-out?” Federal Reserve Bank of Richmond, 2001 Annual Report. Pigou, A.C. 1920. The Principles of Welfare. London: MacMillan. Smith, Robert Ellis. 2000. Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet. Providence, R.I.: Sheridan Books. Paul W. Bauer is an economic advisor at the Federal Reserve Bank of Cleveland. The views expressed here are those of the author and not necessarily those of the Federal Reserve Bank of Cleveland, the Board of Governors of the Federal Reserve System, or its staff. Economic Commentary is published by the Research Department of the Federal Reserve Bank of Cleveland. To receive copies or to be placed on the mailing list, e-mail your request to 4d.subscriptions@clev.frb.org or fax it to 216-579-3050. Economic Commentary is also available at the Cleveland Fed’s site on the World Wide Web: www.clev.frb.org/research, where glossaries of terms are provided. We invite comments, questions, and suggestions. E-mail us at editor@clev.frb.org. Federal Reserve Bank of Cleveland Research Department P.O. Box 6387 Cleveland, OH 44101 Return Service Requested: Please send corrected mailing label to the above address. Material may be reprinted if the source is credited. Please send copies of reprinted material to the editor. PRSRT STD U.S. Postage Paid Cleveland, OH Permit No. 385