In March 2000 The Region published a special issue about the Gramm-Leach-Bliley (GLB) Act of 1999, focusing on the new powers conferred on banking organizations and the enhancements made to the supervisory system to monitor and control the risks resulting from these powers. GLB was the capstone to a 20-year era of regulatory reform that gradually moved the banking industry out of the restrictive environment that followed the Great Depression. At the same time it concluded one regulatory period, GLB also marked the start of a new era of regulation, beginning with the limitations it imposed on the use and transfer of private customer information to third parties.
This article reviews the two broad classes of regulation that govern the activities of banks—safety and soundness regulation, which was the dominant theme of the regulatory era that GLB ended, and consumer protection regulation, which is the focus of the new regulatory era—and discusses the motivations behind each. We then explore the recent history of bank regulation and conclude that the new prominence of consumer protection regulation is a logical and natural trend in that history; indeed, it represents a swing back to an earlier era when this was a primary purpose of bank regulation.
We also show that this most recent era of consumer regulation has been strongly influenced by powerful new technologies, innovations that banks and other firms have used to serve existing customers efficiently and to reach new ones profitably. And we suggest that regulatory and legislative efforts in banking will likely continue to influence regulation in the economy as a whole.
Bank regulation—two distinct types
There are two broad classes of regulation that affect banks: safety and soundness regulation and consumer protection regulation. Broadly, regulation consists of the laws, agency regulations, policy guidelines and supervisory interpretations that have been established by lawmakers and policymakers.
Safety and soundness regulation ensures that banks and other depository institutions operate in a safe and sound manner and do not pose an excessive threat to the deposit insurance fund or taxpayers. This category of regulation usually focuses on bank activities or the supervisory mechanisms through which these activities are monitored and inspected.
Over the years, safety and soundness regulation has varied widely in restrictiveness. Following the Great Depression, safety and soundness regulation was quite strict. Regulators focused on separating commercial banking from investment banking and prohibiting multibank holding companies from entering into combinations with insurance companies. But in the 1980s, the nature of activities that firms could engage in broadened and the constraints on some of those activities lessened, as interest rate controls on deposit accounts ended and banks were allowed to experiment with securities underwriting and insurance sales. Several years later, in the aftermath of the savings and loan crisis, safety and soundness legislation had a different focus, as standards for capital levels tightened and the failure to meet certain safety and soundness standards subjected banks to regulatory action.
Consumer protection regulation is exactly what the term implies—regulations designed to protect the interests of consumers in their credit and other transactions with banks and financial service providers. This category of regulation focuses on a variety of topics, ranging from ensuring that consumers receive sufficient information about how credit costs are calculated on loans and leases, to prohibiting discrimination in credit transactions, to protecting customers from unlawful government scrutiny of their financial records. More recently, this type of regulation protects consumers from unlawful use of confidential personal financial information by private firms.
While depository institutions are fertile ground for consumer regulation, they are not unique in this regard. Laws on privacy, lending activities and customer identification, for example, typically affect a much broader set of institutions, including finance companies, mortgage brokers, insurance firms, securities dealers and even automobile dealers and pawn shops. Some consumer regulations, especially privacy laws, affect an even broader set of business activities. As one example, health care providers must follow a national set of patient record privacy standards. One important difference, however, is that banks are subject to a more rigorous supervisory scheme than most other firms, leading to more strict enforcement of these consumer regulations.
Purposes of bank regulation
What is it about banks and banking activities that requires such detailed and comprehensive regulation? One rationale for safety and soundness regulation revolves around the safety net that the government establishes for banks and other depository institutions and the tendency for this safety net to create moral hazard, or excessive risk taking among banks.
This safety net consists of deposit insurance, access to the Federal Reserve's discount window and payment guarantees for certain types of funds transfers between banks. While the safety net may limit costly bank runs and panics, it also creates incentives for banks to take larger risks than they otherwise would, since the deposit insurance fund—and ultimately taxpayers—will incur the losses if those risks don't pay off. Because the government provides the safety net, it has a vested interest in ensuring that banks operate in a safe and sound manner. Moreover, one reason that bank supervisors regulate and supervise banks is to limit the potential moral hazard.
The rationale for consumer protection regulation lacks the distinct clarity of purpose of safety and soundness regulation. Justification for these regulatory standards is often based on the premise that many consumers of financial services find it difficult to evaluate the quality of financial information provided to them. Such consumers may be subjected to opportunistic behavior and excessive prices by financial institutions that possess considerably more information on these products, eventually resulting in less than optimal utilization of credit. For example, if banks were not required to disclose the costs and terms of loans in a standardized format, consumers would not be able to readily compare one potential transaction with another, leading them to pay more than they should for credit or opt out of the credit market entirely.
A second justification for consumer protection regulation is that financial markets may not allocate credit in a way that is reflective of full and impartial access to credit markets. Regulatory standards prohibiting such discrimination are one way to help ensure that all individuals have adequate access to credit.
Different eras of bank regulation
Major pieces of banking legislation seem to appear every few years. And related regulations and interpretations follow shortly thereafter. Rather than view these events as single, unconnected responses to various issues of the day, we believe that recent banking regulation falls fairly neatly into alternating eras of safety and soundness and consumer protection regulation that typically span 20 years or so.*
These regulatory eras have considerable inertia—once they change, they tend to remain in the new mode for a significant period. Legislators and regulators can obviously respond as new situations develop, and examples can certainly be found of consumer protection legislation passed during an era of new safety and soundness regulation (and vice versa). But history suggests that a shift to one of the two areas of regulatory focus becomes a dominant theme for an extended time. Much of this persistence can be explained by the fact that regulatory changes are usually incremental. Legislators and policymakers, unless compelled by extraordinary circumstances, tend to slowly adjust the regulatory apparatus as conditions develop. It is important to recognize that when we talk about a shift in focus for legislative and regulatory activity, it does not necessarily suggest that previous laws or regulations in the other categories no longer exist or are not important. Instead, we are describing the focus of new laws, regulations and guidance that affect banking institutions.
From the late 1960s to the 1980s, consumer protection was the dominant theme of bank legislation, as Congress passed a variety of laws to ensure that consumers had equal access to credit and sufficient information to make knowledgeable decisions about credit transactions. These laws were supplemented by regulations promulgated by the agencies. Some notable examples of legislation during this era included:
- Truth in Lending Act (1969)—applied to all lenders who extend credit to consumers for personal use. The act was intended to provide consumers with information about the cost of credit and enable consumers to make meaningful comparisons.
- Fair Credit Billing Act (1974)—required creditors to provide detailed information on how finance charges were calculated.
- Equal Credit Opportunity Act (1974)—prohibited creditors from discriminating against applicants on the basis of sex or marital status. The act was later amended to prohibit discrimination on the basis of age, race, color, religion, national origin or receipt of income from a public source.
- Home Mortgage Disclosure Act (1975)—required that banks and other mortgage lenders make available to the public data on mortgage loans they took applications for, originated or purchased.
- Community Reinvestment Act (1977)—required banks to make credit available to all people in their market area, regardless of where they lived.
Beginning in the 1980s, the regulatory focus shifted from protecting the rights of consumers to adjusting the powers of banks and the ability of banking supervisors to take actions against institutions considered to be high risk. For example:
- Depository Institutions Deregulation and Monetary Control Act (1980)—began removing interest rate ceilings on deposit accounts.
- Section 20 Subsidiaries (1987)—the Federal Reserve issued a ruling allowing bank holding companies to underwrite securities through a subsidiary, subject to a revenue ceiling.
- Financial Institutions Reform, Recovery and Enforcement Act (1989)—restructured the regulatory system for thrifts and reformed, recapitalized and consolidated the federal deposit insurance system.
- Federal Deposit Insurance Corp. Improvement Act (1991)—required the creation of a risk-based deposit insurance system, increased the frequency of examinations at insured depository institutions and put forth new capital requirements.
- Reigle-Neal Interstate Banking and Branching Efficiency Act of 1994-permitted geographic expansion by banks without regard to barriers imposed by previous federal and state law.
- Gramm-Leach-Bliley Act (1999)—allowed banks to affiliate with insurance and securities firms.
Regulatory changes are typically made in response to developments that have occurred in the broader marketplace and overall economy. Legislation and associated regulation thus tends to be reactive rather than proactive. The consumer protection era of the 1970s was a natural outgrowth of several factors, including the social justice and civil rights movements of that period, a renewed consumer movement and the development of a mass market for consumer lending.
The gradual expansion of banking powers during the 1980s was prompted in large part by innovations in information and communication technology that allowed nonbank financial companies to offer more traditional banking products and therefore compete more directly with banks, which in turn required a more level playing field for banks and other depository institutions. And the enhancements to the supervisory framework in the late 1980s and early 1990s were a direct response to the savings and loan crisis.
We next turn to the question of what these observations, if valid, might suggest about the current and future environment for bank regulation.
A new era of consumer protection regulation
As with the rest of the economy, the financial services sector has been profoundly changed by the information technology revolution. Huge reductions in the cost of computer processing power, as well as significant decreases in the cost of storing and sharing data, have allowed banks and other financial services firms to more easily utilize the information they gather on their customers.
Many of these developments have benefited consumers. For example, technology innovations have permitted financial firms to greatly expand their data-mining abilities, allowing them to better understand customer profiles and increase the range of services offered to customers. Sophisticated computer models have also allowed these companies to evaluate creditworthiness more accurately and price risk accordingly. Such developments have helped extend mortgages and other credit to previously underserved groups, like borrowers with blemished credit histories.
As banks and other financial firms have more fully exploited the data they develop on their customers, many believe that the potential for abusive use of this information has increased. In response, legislators and regulators have taken a number of steps to ensure that the interests of consumers are adequately protected. Portions of three recent pieces of legislation illustrate the trend:
- Gramm-Leach-Bliley Act (1999)—imposed new privacy requirements on firms considered to be "financial institutions."
- USA Patriot Act (2001)—required financial institutions to develop risk-based procedures for verifying the identity of any person opening an account.
- Fair and Accurate Credit Transactions Act (2003)—assisted consumers and businesses in combating identity theft.
The far-reaching privacy protections of GLB were implemented not only by banks, but also by finance companies, insurance companies and agencies, securities brokers and dealers, travel agencies and other financial firms. The backdrop for privacy regulation was that these firms were selling products that were looking more and more alike, and at a time when broader powers were given to banking firms, policymakers were concerned about the misuse of personal information.
The purpose of these restrictions was to limit firms' ability to provide to unrelated third parties nonpublic personal information about customers who obtain financial products and services. The cost of capturing, sorting and transmitting such information had dropped significantly, and some financial firms saw business opportunities in selling the information to third parties who in turn, would then use the information in telemarketing and other sales efforts. Responding to concerns that personal information would be disseminated to entities with which the customer had no relationship, Congress enacted a general framework that would be supplemented by regulations and in some cases, expanded upon by state law.
As more and more financial information was being captured and transmitted by technology, financial fraud crimes became national, and even global. Person-to-person frauds and raiding Dumpsters for discarded receipts gave way to sophisticated fraud rings that open up accounts with fake identification and run up thousands of dollars in debt. In a few cases, perpetrators broke into large databases of personal financial information or took jobs at financial institutions to gain access to customer accounts.
In response, Congress passed the Identity Theft and Assumption Deterrence Act of 1998, making it a federal crime to engage in "identity theft," which is the unauthorized use of someone else's identity for the purpose of engaging in a federal crime or a crime considered to be a felony under state law. Legislation passed in response to the terrorist attacks of Sept. 11, 2001, requires financial institutions to develop appropriate procedures for verifying identities of customers and maintaining records of this verification. While the clear purpose of this law was to respond to terrorism and money laundering concerns, customer identification procedures developed in response assist in combating identity theft. More recently, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) provides consumers with new rights and protections, including the right to a free copy of their credit report to ensure that no one has applied for credit in their name. And banks, consumer reporting agencies and others have many new obligations under FACTA, including accuracy, notification and disposal requirements for consumer information.
Implications for the future
If previous trends in banking regulation hold, regulatory changes in the near future will continue to focus on consumer protection laws, and the current safety and soundness regulatory scheme will largely be unchanged. New regulatory eras tend to continue for several years as legislators and regulators cautiously respond to marketplace developments. While recent legislation has addressed some of the issues posed by the information technology revolution, there are other implications that we believe warrant consideration.
First, we can expect that regulatory activity will continue in areas where we have seen activity over the last few years. For example, additional privacy legislation has been advocated by some consumer groups since the passage of GLB. These advocates suggest that GLB should be altered so that financial institutions could only share nonpublic information with third parties if the customer has explicitly "opted in" to the arrangement. Under the current law, these institutions are allowed to share such information unless the consumer has specifically "opted out," or requested that the information not be shared. In other words, the burden now lies on the consumer, not the financial institution, and consumer groups hope to reverse this. Sharing information with subsidiaries has also come under fire, as well as foreign firms' use of information as a result of outsourcing arrangements. Clearly, debates on the appropriate scope of privacy regulation and other topics that have been addressed in a preliminary fashion, like identity theft protection, will continue.
Broadening the scope
While some laws and regulations may be refined, new laws may also be passed during the current consumer protection era. One potential area of new activity relates to how firms use information as part of providing services or products to the customers in their core business. A current debate is whether there should be a federal law to respond to concerns about predatory lending.
Though difficult to define precisely, predatory lending typically involves a firm making a loan based not on the borrower's ability to repay, but on the strength of the borrower's assets alone. Other examples of predatory lending include loan flipping, where borrowers are induced to repeatedly refinance a loan, thereby incurring points and fees multiple times, and lenders concealing the true nature of a loan obligation through fraud or deception. Unfortunately, the same information technology breakthroughs that have allowed credit to be extended to borrowers with blemished histories that were previously ignored by lenders can also be used to unfairly target individuals who are either likely to default or are unsuspecting or unsophisticated borrowers.
Difficulty in precisely defining predatory lending has not impeded efforts to try to regulate it, with several states and municipalities enacting laws in this area. In response, some commentators have pushed for federal predatory lending laws and preemption of state laws. These commentators suggest that the lending marketplace is national in scope, and so state and local legislation only diminishes credit availability while increasing the cost of credit.
Going forward, it seems plausible that concerns about the intentional misuse of information could also be extended to business areas outside of the traditional lending function. One could envision businesses marketing certain products and services to particular customers solely because their personal credit or account histories indicate they're likely to incur substantial fees. For example, individuals with especially volatile spending habits might be identified as a target market for checking accounts with stringent minimum balance thresholds likely to be exceeded on a regular basis. As banks and other financial firms become more proficient at identifying customer behavior patterns, policymakers may need to closely monitor such business practices.
Providing consumers with more control over their personal credit information also seems like a logical area for additional regulatory activity. Policymakers may look to further streamline and simplify the process by which individuals can correct mistakes or discrepancies in their credit histories. Financial institutions and credit bureaus could be required to notify consumers whenever a third party accesses their credit information. Given the critical nature of credit histories in lending decisions, there could even be a desire to exact financial penalties if firms negligently made use of flawed or incorrect data from an individual's credit history.
Extending throughout the economy
Third, regulatory activity that affects the banking industry will continue to spread to other sectors of the economy. The questions that policymakers and regulators are struggling with today concerning information and how it is used are certainly not unique to banking. But given the vast amount of detailed personal information that financial institutions have access to, it is not surprising that many of these questions are first being asked with respect to them.
In that sense, banking regulation is often in the vanguard of regulatory policy. For example, some of the corporate governance provisions of the Sarbanes-Oxley Act of 2002 have their roots in banking legislation from the late 1980s and early 1990s. It seems highly likely that much of the new consumer protection regulation developed for financial institutions will continue to be applied to other sectors of the economy. While consumer protection regulation and legislation has traditionally been a province dominated by banks and other financial institutions, protecting the consumer in the information age will likely involve a much wider set of firms, and the steps taken by legislators and policymakers will set the stage for those broader protections.