By Mark Cunningham
With consumer data privacy laws banging on pots and pans in the compliance kitchen, banks are being forced to re-evaluate their marketing practices to identify areas of potential risk. Direct-mail campaigns aimed at purchased lead lists have long been a mainstay of bank marketing. But as more states place restrictions on how consumer data is used and stored, some banks are concluding that they may be better served by prioritizing customer retention above new customer acquisition.
The U.S. compliance landscape has always been thorny, but it’s become even more difficult to navigate following recent regulations that mark a paradigm shift in how consumer data is protected. On the regulatory front, California’s Consumer Privacy Act is leading the way, followed closely by a wave of similar bills from other states. Meanwhile, companies like Apple and Google are leading the commercial data privacy charge.
Consumer data is becoming not merely a secured entity but an almost wholly protected one where companies may be required to limit the sharing of consumer data with third parties and delete consumer data after use. As much as banks want to do right by their customers, these limitations are a bitter pill to swallow considering the tremendous investment financial institutions make in customer acquisition and prospect marketing each year.
Fortunately, there are notable exceptions to consumer data privacy rules that suggest customer retention as a less fraught path to revenue growth than net new customer acquisition. (Note: This article mainly focuses on the CCPA, since this law is already in effect and is being used as the model for similar consumer privacy bills nationwide.)
Transactional exemption to retain consumer data
The CCPA establishes nine exemptions to a consumer’s right to have his or her data erased. Perhaps the most useful for bank marketers is the “transactional” exemption, which allows businesses to retain a consumer’s data to complete the transaction for which the personal information was collected; provide a good or service requested by the consumer (or reasonably anticipated within the context of the ongoing business relationship with the consumer); or otherwise perform a contract between the business and the consumer.
While the transactional exemption does not give banks carte blanche to keep customers’ information— determinations must be made on a case-by-case basis—justifying retention of a bank customer information is frequently straightforward. Financial institutions obviously have an ongoing need to retain account holder data, and a customer who takes out a 30-year mortgage can expect his or her information to be retained for the life of the loan. But it can also be appropriate to maintain data for a turndown. For example, say a customer applied for a first-lien home loan with a bank in 2018 and did not meet the required minimum credit score at that time. Banks that accompany each turndown letter with an offer of credit improvement solutions and a promise to check back in once the consumer’s credit is repaired have effectively established an ongoing business relationship that could fall under the transactional exemption.
What these scenarios all have in common is that they relate to use of a bank’s existing database of customers and prospects, not a purchased lead list for which it can be difficult, if not impossible, to prove the existence of a transactional business relationship.
Permissible use of personal information by service providers
A typical financial institution engages numerous service providers to process personal information on the bank’s behalf. While the CCPA imposes limits on the sharing of consumer data with third parties, it also grants exceptions for “permissible use” of a bank’s customer data by third-party vendors acting on behalf of the bank and in support of providing consumers a net tangible benefit.
Permissible use of a consumer’s data includes sharing information with vendors to determine if and when the bank can best serve the consumer with the offer of a loan.
Provided they adhere to Fair Credit Reporting Act guidelines, third-party vendors can view the consumer’s data, identify the relevant opportunity with a net tangible benefit and notify the consumer of a potential benefit on the bank’s behalf by, for example, generating and delivering a firm offer of credit. (Note that firm offers of credit are not subject to the same disclosure requirements as loan applications and therefore do not trigger any compliance-related actions should the consumer decide not to obtain a loan.)
Ideally, third-party vendor software and processes should integrate with a bank’s existing systems and compliance practices. Banks should ask third-party vendors how they are using data in accordance with CCPA, the European Union’s General Data Protection Regulation and other regulations.
Regulators hold banks responsible for the actions of their third-party vendors, so banks should ensure their third-party vendors are meeting all guidelines and work with vendors to develop best practices that include the regular, voluntary compliance audits. Banks can require a third-party vendor that generates firm offers of credit to receive approval from the credit bureaus on the collateral firm offers of credit to be sent to consumers. Additionally, banks can add their own legal opinion or opt-out messages to meet general consumer marketing opt out disclosures.
Consumer data privacy is only likely to become more regulated in the future, but that doesn’t mean that banks can’t find compliant ways to use consumer data to gain competitive advantage and better serve consumers. A customer retention strategy focused on mining a bank’s database for new opportunities of tangible value is an easy way to generate new business without running afoul of tricky data privacy issues associated with purchased lead lists. And banks can even continue to use third-party assistance in this endeavor without taking on undue compliance risk.
Mark Cunningham is an entrepreneur and business strategist who co-founded Sales Boomerang, where he now serves as president and COO.
