Credit unions are protecting sensitive personal information amidst shifts in marketing strategies and regulations.
Credit union managers grappling with privacy are finding that it is at once a marketing issue, a compliance issue and a security issue.
Privacy in Marketing
Using vast amounts of personal data to support targeted marketing has been a boon for CU marketers.
“We started budgeting for digital marketing around 2014,” recalls CUES member Jenna Taubel, director of brand and digital member experience for $263 million First Alliance Credit Union, Rochester, Minnesota. “We were pleased with the results. It was a more efficient way to put a message in front of a likely prospect.” She estimates her CU’s ad spending is now 75% digital and 25% print.
She also knows that growing privacy concerns are forcing data-based targeted marketing to retreat. “The marketplace is absolutely changing now,” she says, “in ways that will affect all digital advertising.” Consumers are asserting ownership of their data, she observes, and they are demanding and using opportunities to opt out of having it collected.
Advertising was revolutionized by the precision of being able to use personal information to direct ads to the very people most likely to buy the product or service, notes Richard Crone, principal of Crone Consulting LLC, San Carlos, California. Consumers happily sold their personal data by accepting cookies in return for free access to platforms, he explains. Technology trumped privacy.
Then came the backlash. It may have started in Europe with the General Data Protection Regulation, and in the U.S. with the California Consumer Protection Act, but for most American consumers a key date was April 26, 2021, according to Crone. That was when Apple introduced a screen option that gave users a choice to allow apps to track or not track their activities.
When 84% chose to block tracking, the cookie jar cracked, and targeted digital advertising quickly became more expensive and less effective.
Taubel has mixed feelings about the change. “As a consumer, I’m in favor of privacy and stricter limitations on how my personal data can be used, but as a marketer, it makes my job harder, so it’s frustrating. I hate to lose the useful tools that have been working for us. It forces us to be more thoughtful. We’ll adapt.”
First Alliance CU uses no cookies on its website but is well aware that third parties use them.
“We know cookies are definitely involved,” Taubel says. “That’s how the ads can show up where they are supposed to. Losing cookies will hurt our ability to deliver timely, personalized messages to people.” The CU does not sell member data to third parties and realizes no revenue from data-based marketing, she adds.
Marketing based on third-party data is on its way out, confirms Elisa Rode, president of Kearley & Co., a Fort Worth, Texas, ad agency, while first-party data is making a comeback. “If your 2022 marketing plan relies on third-party data and targeting, you didn’t get the memo,” she observes.
Cookies became controversial because they not only let data gatherers track a person’s activity on a particular website but also after they leave that website. Privacy laws like GDPR and CCPA make cookies illegal unless a consumer deliberately opts in, Rode reports.
Crone points out that the “pending cookie apocalypse by Google will magnify the value of the personal transaction data held by financial institutions, fintechs and neobanks.” (Google announced in January 2020 that it would eliminate third-party cookies from its Chrome browser by 2022.)
“Without cookies,” Crone points out, “advertisers will look to the transaction and payment processing data ... in credit union and bank accounts” to enable the offline attribution (return on investment) “required to command premium advertising rates,” he explains. “No other platform gets advertisers closer to a known or anonymized cohort than mobile banking and mobile wallets accessing the private transaction data managed by their credit union.”
Financial institutions have the data to create an alternative to cookies, he adds. They are not yet legally required to get member opt-in, but it’s smart business practice and could be legally required if GDPR and CCPA initiatives spread, he suggests.
Amanda Swanson, director of the channel practice at CUES strategic partner Cornerstone Advisors, Scottsdale, Arizona, outlines the new rules. If a credit union goes after new members with lead generation and collecting consumer data, it must make sure that its compliance, legal and marketing departments ensure they have the correct disclosures on the website. Such companies as Mozilla have taken steps to limit access to consumer data, she says, such as blocking trackers from following web users to collect information about browsing habits and interests. CUs also need to have a process to monitor opt-in and opt-out of nonmembers’ information, along with a strategy to destroy consumer data promptly when that’s requested.
Balancing marketing and privacy has become tricky, observes Sabah Samaha, founder and CEO of Samaha & Associates, Los Angeles and Miami. Demographic analysis of data can be useful, he says, but once companies start collecting information on consumer shopping to build individual behavioral profiles they can use to motivate more buying, they are entering dangerous ground that may jeopardize trust, he warns. CUs should be wary of engaging in too much data accumulation and manipulation, even if it works.
Member attitudes can be a problem. Unfortunately, notes CUES member Val Mindak, CCE, CEO/president of $320 million Park City Credit Union, Merrill, Wisconsin, members have embraced digital experiences in which they willingly give out personal information and accept tracking cookies to get free services or shopping deals, without considering the consequences of sharing their personal data. Once they run into difficulty, she says, they often expect credit unions—as guardians of their finances—to help them unravel privacy concerns.
As user adoption of digital and online services explodes, she insists, it is important that credit unions continually educate consumers about privacy concerns and exposures.
Compliance Aspects of Privacy
Advertisers and marketers want to follow privacy protection rules, Rode insists, but they want one national standard, not a patchwork of state standards. She’s also the Texas government relations chair for the American Advertising Federation. In Europe, GDPR provides such a common standard, she explains. In the U.S., CCPA provides a one-state solution that AAF hopes will not lead to more one-state solutions.
“It’s a sticky wicket,” she says of state regulation. “A California CU with a member in Vermont would have to follow CCPA for the Vermont member. It’s also possible that a Vermont CU with a member in California could be caught up in CCPA compliance.”
More regulatory disclosures are possible. Banks and CUs successfully fought off a proposal originally included in the Biden infrastructure legislation that would have required financial institutions to report gross annual inflows and outflows in personal accounts above a certain level. The proposal was intended to help the IRS target audits and catch people who were not reporting taxable income, explains attorney Michael S. Edwards, who specializes in CU issues in his Upper Marlboro, Maryland, practice.
But the proposal is likely to resurface in one form or another in the coming years, he warns. Such reporting is already in place internationally, he points out. “Most countries have signed on and are exchanging tax information,” he notes. “It would take an act of Congress for the U.S. to participate, and that hasn’t happened yet.” Canadian CUs have to report such information about Canadian accounts owned by U.S. citizens, he adds.
Look for the European Union to lead the way, Edwards predicts. “They move quicker than we do. I expect them to develop a privacy template that will spread to the rest of the world.”
Law still trumps privacy in some cases, Edwards notes. CUs frequently are caught in the middle when private member information is requested in a legal proceeding, he notes. When served with a proper subpoena in a divorce, bankruptcy or collections case or a search warrant in a criminal investigation, the CU must comply, of course, but it’s not always clear what a proper subpoena is, he observes.
“When seeking financial records from a credit union in such cases,” he explains, “a lawyer needs to file a pretrial subpoena duces tecum, but they often mistakenly file a subpoena for a trial or hearing. In that case, someone at the CU needs to point out the mistake and wait for a correct subpoena or wait to provide the documents when the trial or hearing occurs.”
After a Supreme Court decision that bank account holders did not possess a legal right to privacy for their accounts, Congress passed the Right to Financial Privacy Act in 1978, creating such a right, Edwards notes. So a CU must understand and follow RFPA and also satisfy court orders. “It can get complicated,” he observes.
The privacy statutes, even when they have been updated, are old, and social media’s impact on privacy is growing every day, Edwards points out.
“People have been willing to let the tech giants collect data about their activities, sacrificing more privacy than they realize, but the day of reckoning is coming. Facebook is retreating from using facial recognition. There will be fallout. It remains to be seen whether credit unions become collateral damage.”
“When a consumer opts out to having their private data used, it is critical that operational infrastructure is in place to respect and protect their privacy choices,” Mindak points out. This often involves vendors. “It’s a top priority for us to find out and monitor how our vendors are protecting our members’ privacy and not retaining data that should be destroyed,” she says.
Security and Privacy
Protecting member privacy starts with data security, Samaha insists. Simply collecting data for marketing analysis can create exposures when those data are stored in vulnerable systems, he points out.
Security is fundamental, but some CUs practice it better than others. $2.1 billion America’s First Federal Credit Union in Birmingham, Alabama, for example, goes to great lengths to lock down private member information.
Sensitive numbers are redacted in routine correspondence, explains CUES member Alan Stabler, CCD, EVP/CAO/general counsel. Account numbers are truncated. Outgoing email with sensitive member information is encrypted, he says. Most of it happens automatically. Documents required for court filings have to be carefully redacted before being released so that personal information not required by the courts doesn’t leak into the public domain, he notes.
Despite good automation, privacy training is essential. America’s First FCU requires rigorous annual privacy training for all staff that might deal with member information. Even the CEO.
“Everyone with access to our systems has to successfully complete privacy training,” Stabler reports. New staff members receive the training before starting their jobs. And good security practices are part of performance reviews. A lapse could cost an employee compensation or subject them to disciplinary action, he explains.
Include the board, Stabler adds.
“We used to send paper board packages before every meeting,” he explains. “They frequently contained confidential information. One board member admitted he placed his copy in a recycling bin after each meeting. So we started collecting the packages and shredding them. Now it’s all electronic with access controls to our secure board portal.”
America’s First FCU also hires firms to evaluate its staff’s security awareness by sending spoof emails to see if anyone clicks on a link or provides information to a caller impersonating another employee.
Have a clean desk policy as well, Stabler advises. At the end of each day, employee workstations should be locked and all files and working papers stored securely away.
“We even visit branches and departments after hours to determine if they are following our privacy protocols,” he reports. “We had a new accounts person stationed in our lobby and noticed that her screen could be seen by people moving through the lobby, so we relocated that station. With smartphone cameras, a person passing by an exposed computer screen can capture a lot with a click.”
Richard H. Gamble writes from Grand Junction, Colorado.