Regulators are Ratcheting Up Data Privacy Oversight. How are Bank Marketers Responding?
Federal and state regulators demand that banks collect, store and use consumer data responsibly — forcing bank marketers to adapt their processes, increasing transparency in how data is used and being more deliberate in obtaining consumer consent.
By Joey Pizzolato
As digitization becomes more prevalent, bank marketers have access to troves of consumer data to help them personalize the customer experience.
But state and federal regulators have taken note and are ratcheting up consumer data privacy requirements for banks and financial institutions, putting a particular emphasis on how banks collect, store, protect and use consumer data.
Increased regulatory oversight, coupled with the forthcoming phase-out of the web cookie, is forcing bank marketers to adapt their processes and procedures to a new era where consent is king and transparency in how — and where — the data is used and shared is more crucial than ever before.
Unpacking State and Federal Data Privacy Regulations
In financial services, several U.S. regulatory bodies set data privacy standards and provide frameworks and guidelines that financial institutions must follow to ensure the privacy and protection of consumer data in their marketing efforts, says Anna Kooi, partner and national financial services leader at Milwaukee, Wis.-based advisory and accounting firm Wipfli.
Key Point: Key Federal Regulators
- Federal Trade Commission (FTC): Enforces rules against deceptive and unfair business practices, including those involving the collection and use of consumer data in marketing;
- Consumer Financial Protection Bureau (CFPB): Has broad authority over banks and financial institution, including the collection, use and sharing of consumer financial data and how it is used in marketing;
- Securities and Exchange Commission (SEC): Oversees financial institutions to ensure compliance with laws that include provisions for the protection of consumer information;
- Office of the Comptroller of the Currency (OCC): Supervises national banks and federal savings associations, enforcing privacy and data security standards; and,
- Financial Industry Regulatory Authority (FINRA): Regulates brokerage firms and exchange markets, ensuring compliance with rules that include data privacy in marketing.
Data privacy requirements also vary "significantly" from state to state, Kooi says. For example, the California Consumer Protection Act (CCPA), which has served as a bellwether to other state data privacy legislation, "sets stringent requirements, including broad consumer rights such as the right to access, delete and opt out of data sales."
Virginia, Colorado and Utah also have notable data privacy statutes, she says.
"These state-to-state variations mean that organizations operating across multiple states must navigate a complex regulatory landscape, tailoring their compliance programs to meet specific state requirements," Kooi says. "While some states, like California, impose comprehensive and rigorous standards, others, such as Utah, adopt a more relaxed approach, focusing on basic transparency and consumer rights."
In fact, 18 states have legislation on the books that is specific to data usage and sharing, according to the International Association of Privacy Professionals. Another six states have statutes somewhere in the legislative process.
"What we’ve seen is a fairly large and fast moving trend for the states to step in" and regulate data privacy, says Aaron Kouhoupt, member and chief privacy officer at financial services law firm McGlinchey.
The good news for traditional banks is that many – but not all – states’ data privacy legislation contain exemptions for entities that are required to operate under the FTC’s Gramm-Leach-Bliley Act (GBLA), he says.
"If they’re a true financial institution, their overarching requirements are going to be found under the GLBA," says Kouhoupt.
Still the GLBA is complicated.
The FTC’s 1999 statute requires financial institutions to provide their customers with a Gramm-Leach-Bliley privacy notice, Kouhoupt says, which "has to tell consumers how their data can be used or shared by the entity, by the entity’s affiliates or by the entity’s nonaffiliates.
"Some of those will require the financial institution to allow the customer to opt out of data sharing," he says. "Others will not."
For example, bank marketers can use the data they have on their own customers for their own purposes and are not required to allow the consumer to opt out under GLBA, Kouhoupt says.
But even with state exemptions, opt out requirements in the GLBA can get messy fast, he says. "If [a bank] starts sharing certain data — and it becomes a little bit fact specific about the type of data — with a non-affiliate, they would have to provide the consumer with an opt out," he says.
Dig deeper:
- Will GenAI be Your New Manager of Risk and Compliance?
- Before You Boldly Go into Partner Banking, Focus on Data and Compliance
- How Mixed Messages from Biden Regulators Are Muddying M&A Waters in 2024
No More Cookies
The forthcoming 2025 phase out of web cookies from Google Chrome also complicates bank marketers’ ability to secure consent from both their customers and prospective customers, says Ashvin Parmar, global head of insights and data for financial services at global consultancy firm Capgemini.
What is a Web Cookie?:
An HTTP cookie, also known as a web cookie, browser cookie, or internet cookie, is a small piece of data, secured with consumer consent, that a web server sends to a user's web browser. It is the tool that is responsible for keeping consumers signed in to their email or remembering what was in their shopping cart.
"Historically, there is a lot of reliance on the cookie," Parmar says. "A lot of the implementation we see the client uses a trust iteration platform to track the cookies and then use them for marketing."
All About Consent, Transparency
In order to navigate the wildly varying data privacy landscape, bank marketers are now required to be more transparent about what data they collect and more deliberate in how they obtain consent from consumers, says Glenn Kurban, partner at global consultancy firm Capco.
"The biggest thing I think we see challenging marketing groups today is this idea that what they have been able to do historically, vis-a-vis cookies and collection of data — sometimes without consent — we’re past that era," Kurban said.
The landscape for bank marketers has tightened up and is getting locked down "pretty significantly," he says.
"When we think about what marketers are typically doing — whether it’s running campaigns or helping to design the corporate website — they’re looking to collect information about the targeted end user so that they can then use that information for more targeted campaigns," Kurban says. "Now they’ve got to think about, ‘How am I getting that information? Can I ask for it directly?’ realizing that, in many cases, consumers may not consent."
Marketers today need to get "tangible, concrete permission to collect certain types of data. I have to have opt-ins and opt-outs in terms of consent and preference management. I can’t obfuscate what I’m collecting by asking tricky questions," Kurban says.
"Banks need to clearly explain what data they’re collecting, how they will use that data and who they will be selling that data to."
— Ashvin Parmar, Capgemini
"The reality is it’s just more hoops to jump through. And frankly, for the consumer, too, " Kurban says. "I consider myself in some cases a little bit too loosey-goosey about my own data. I want a personalized experience. I want to be able to get offers on things that maybe I hadn’t thought about. But a lot of people don’t feel that way."
In fact, many customers don’t want their data tracked at all, he says.
"So this idea that [banks] are now catering to not me as a target consumer, but to an audience that’s like, ‘No, I’m only giving you the bare minimum and I don’t care what the experience is like, you’re going to clunk through it with me, that’s the reality of what’s happening in the market today, Kurban says."
Bank marketers are also adopting increased transparency, data minimization and security in their marketing processes.
"Banks need to clearly explain what data they’re collecting, how they will use that data and who they will be selling that data to," Parmar says.
Data minimization – or the act of limiting the amount of data that is collected – and a robust security infrastructure, such as encryption and access controls to protect that data, are also key to remaining compliant with data privacy regulations, Wipfli’s Kooi says.
Personalization Comes Next
Once banks secure consent, a personalized customer experience can follow, Capgemini’s Parmer says.
New tools, such as generative AI and machine learning, can take personalization to a whole new level.
"AI and generative AI can have a significant impact on the marketing side," Parmar says, noting "traditionally banks would have relied on the user profile and then based on that demographic information and the risk profile, there would be a target ad.
"With AI and GenAI now, you can customize [the marketing message] in a significant way, Parmar says. "Not only can you learn about the customers’ likes and dislikes from the structured data, but also you can look through call logs and other interactions with the bank through various channels and have a much deeper and broader understanding of the customer."
Joey Pizzolato is an award-winning writer and editor based in New York, specializing in consumer finance. His work has been published in DSNews, The MReport, Auto Finance News and Bank Automation News, among others. He is a two-time recipient of an Azbee Award for Enterprise News and Investigative Reporting.
