Remarks by
Julie L. Williams
First Senior Deputy Comptroller and Chief Counsel
Office of the Comptroller of the Currency
Before the
California Bankers Association Regulatory Compliance Conference
San Francisco, California
October 6, 1999
I was delighted to have the opportunity to meet with representatives of the California Bankers Association who visited at the OCC in Washington, D.C. earlier this week. It's really a double treat to have the opportunity now to come to San Francisco, to visit with you here.
California bankers should be proud of your state's distinguished banking history. The San Francisco mint, established in 1854, turned miners' gold and silver into U.S. currency, and was instrumental to the state's and the nation's economic development, as were pioneering banks such as Wells Fargo and Bank of America. Foreign-owned banks and foreign correspondent relationships were established early on to facilitate U.S. trade with the Pacific Rim. And today, California's financial institutions serve an ethnically diverse population and support a vibrant and diversified State economy that includes some of our Nation's most advanced industries.
Just as the business of banking has evolved for California bankers -- and bankers everywhere -- so has the "compliance" challenge facing bankers today. I am going to talk this morning about some of the reasons for growth of this compliance challenge, why it differs qualitatively from aspects of "traditional" banking regulation, and why, today, bankers need to integrate their approach to compliance into a larger customer relations strategy.
First, let's look at how the business of banking has been evolving in recent years. Not that long ago, most banks were predominantly lenders and deposit-takers. Through the 1970's, their income statements, and their profits, were dominated by interest income.
Today, however, even as the dollar volume of bank credit is growing, banks’ reliance on interest income as a revenue source is decreasing and we see more and more banks, of all sizes, with a significant and growing portion of their income coming from fees and other sources of non-interest income. Reliance on non-interest income began its dramatic growth in the 1980's and, as of June 30th of this year, accounted for just over 42 percent of operating income at commercial banks. Between June 1996 and June 1999, for example, as bank ROAs have hovered in the 1.2 percent range, the contribution of non-interest income to the bottom line has increased by 41 basis points, while interest income as a source of earnings has declined by 17 basis points.
Larger banks have been particularly successful at tapping non-interest sources of income. Recent OCC statistics show that interest and non-interest income for banks over $300 million are converging. As of June 1999, non-interest income as a percent of average assets had grown to 2.7 percent for those banks, while interest income represented a stagnant 3.4 percent of average assets. As you can see, non-interest income is the fuel propelling the record earnings of many commercial banks.
The composition of non-interest revenue is changing as well. The historical sources of fee income, such as the basic fiduciary services provided by the traditional bank trust department, are being supplemented by an expanding array of activities and products, and the fees and charges that go with them. Services, agency activities, brokerage and investment advice, insurance sales -- there are many on the list. These products and services are delivered in a variety of ways -- ranging from traditional brick and mortar bank facilities to the Internet.
This overall shift in the composition of bank revenues has some important implications for how bankers approach their compliance responsibilities.
First, many of these non-interest revenue sources come from lines of business that are subject to very specific and detailed regulatory requirements. Regulatory compliance in this context is very different from making a loan that, all factors considered, must be safe and sound. Instead, compliance may involve highly detailed requirements about who can offer a product or service, just how and where it can be offered, and exactly what disclosures must be provided to customers. Delays of even a day in taking a required action can prove to be costly regulatory violations. Thus, one implication of the growing importance of non-interest revenue to banks is the need to match that new business with increased attention to the often detailed and technical compliance responsibilities that accompany the businesses that produce that income. That will require new types of expertise -- bank personnel appropriately trained and licensed in new areas, for example. It will also require a recognition and sensitivity to the fact that in some areas of compliance, what appear to be little mistakes can get banks into a lot of -- expensive and sometimes public -- trouble.
Second, many of the non-interest revenue generating lines of business involve contacts with individual customers, often on an ongoing basis, although not necessarily in person. Also, many of the products and services in this category are increasingly "commoditized," so customers may obtain them from various providers and changing providers is not difficult. Thus, good customer relations are important for banks to keep this type of business. Individual consumers may not know exactly if their bank has complied with all the applicable compliance rules, but they immediately know, and have no problem reacting, when they feel they haven't been treated right by their bank. Customers can and do react by switching their business elsewhere.
And if many customers of a particular institution have the same type of problem with their bank, the reputational damage from bad publicity and the loss of business can be highly detrimental.
This leads to the final point I'd like to discuss, the need for banks to integrate "compliance" with a broader strategy of customer relations and customer service. Today's consumers are increasingly sensitive, vocal and mobile in how they react to treatment by their financial institution. A technical compliance issue can easily turn into a public relations nightmare, particularly where, as is the case with many retail products, the same mistake can affect hundreds or thousands of customers. Also, whether a bank has complied with particular legal requirements may not be all that determines whether customers want to do business with the bank or not. A bank may be complying with what the law requires but doing something that has a significant customer relations impact. If that impact is negative, it is important to recall that many of the non-interest revenue generating products and services are available from many other providers.
A prime current example of the interplay between compliance and customer relations is the issue of customer privacy. A variety of laws at the Federal and State level define the "compliance" obligations of banks and other financial institutions in this area. But at the same time, American consumers are increasingly privacy conscious. Survey data bear out that, whatever laws are on the books, consumers nevertheless are concerned about threats to their privacy and about whether they have lost control of information they consider personal and private. And they worry in particular about how their confidential financial information is being used. Bankers should take notice, for this customer concern touches an increasingly important asset of the banking business -- your information about your customers.
From the perspective of bankers and other financial institutions, collection and analysis of extensive data about individual transactions, preferences and circumstances is important for marketing purposes and can lead to products tailored to maximize their appeal to consumers. A banker recently told me about his company's goal of customizing and individualizing credit cards to appeal to a market of one. Bankers talk about the ability to anticipate and satisfy their customers' changing financial needs over the course of a lifetime. It is the availability of these opportunities that may well cement relationships between customers and their financial institutions. In short, personal information is a potent and profitable tool in a company's portfolio, and responsible use of that information can be a boon to customers.
But, as a practical matter, when customers perceive that their information is not being used in a way they expect it to be used, I doubt that they are distinguishing between a "compliance" problem and a "customer relations" failure. In fact, the same activity may involve both, and it’s no solace to an institution coping with lost customers and damage to its reputation to be able to say that it got one of these elements right. For example, if customers are surprised and upset to learn that their bank has made available to third parties extensive information about their financial transactions -- information which they assumed was confidential -- they probably will not find it very satisfying to be told that the activities in question did not violate the Fair Credit Reporting Act.
As many of you may know, during the last several years, the OCC has issued guidance to the banking industry on several customer privacy-related issues.
Our guidance has covered areas such as safeguarding customer data from unauthorized release to unscrupulous information brokers or "pretext callers" posing as bank customers, effective practices for meeting the notice and opt out requirements for affiliate information sharing under the Fair Credit Reporting Act, and most recently, effective practices guidance encouraging banks to establish privacy policies and post them on their web sites.
We are currently looking at another area -- relations between banks and telemarketers. In the spirit of offering some constructive suggestions to help bankers avoid both reputation and financial damage arising from the customer relations implications of these activities, I would like to share with you some observations arising from this new effort.
From our work so far, we found that the majority of the largest banks and numerous other retail banks -- and I'm not talking about just national banks -- have relationships with third party marketers that involve the disclosure of personal customer information. The bank normally receives a fee for use of a customer list or a percentage of the net membership fees generated by the marketer, typically 20 to 25 percent. Some banks have generated millions of dollars in revenue by providing third parties with information on millions of customers, including name and address, social security numbers, and credit card numbers. The arrangements also frequently enable the marketer to initiate a charge against customer credit cards or a debit of customer checking accounts. Customers may not feel comforted to be told in these cases that their bank has not violated a law.
Instead, they are likely to be unhappy, perhaps because they feel betrayed when they discover that their bank has provided other parties with information they consider personal and private, perhaps because they are supremely annoyed by telemarketer calls that interrupt their evenings at home, or perhaps because they see charges or fees on their bank statements that they do not recognize. None of these results foster good customer relations for the banks involved. And any of them invites legislation and more regulation that will transform what may now be a customer relations issue into a compliance obligation.
This leads me to offer several suggestions:
First, as a general matter, banks should review their information handling practices and establish privacy policies.
- Make those policies clear and straightforward. Avoid generalities that are effectively big loopholes. Put yourself in your customers' shoes. Is the policy easy to understand?
- Adhere to them. Don’t make promises you can't keep.
- If you are doing business on the Internet, make sure to conspicuously post information about how customer information is handled on your Web site.
Second, if you have arrangements with third party marketers, consider the following measures:
- Clearly disclose to customers what information you provide for third party marketing purposes.
- Have contractual agreements in place with third party marketers that require them to maintain the confidentiality of any customer information to which they are provided access.
- Ensure quality control. Maintain control over credit card and checking account numbers so that you can ensure their proper usage.
- Consider other options about how arrangements with third party marketers can be structured -- such as determining your customers' interest in a particular product or service first, before providing information about the customer to a third party marketer.
- Even where the law doesn't require it, consider giving your customers the choice to decline to have their information shared for third party marketing purposes, i.e., to "opt-out" of having their information shared.
And, last but not least, know the law. The area of customer privacy is complex and sometimes confusing, and the "compliance" challenges are considerable.
This type of integrated "compliance"/customer relations challenge will only become more prevalent as banks diversify their product lines and seek to grow their non-interest revenue. Excellence on both scores will be key to attracting and retaining important customer segments.
Perhaps bank managers and officials involved in compliance functions haven't thought of their jobs in this light, but you really are on the cutting edge of the evolution of the banking business. Keep on doing the good work you have been doing to help insure your institutions "get it right" in the compliance area, and as you do so, try to recognize and integrate the broader, customer relations dimensions of your institution's consumer banking activities. Strive to "do the right thing" there as well.
Thank you.