Gramm-Leach-Bliley vs. U.S.P.S.
By Scott Crockett, Vice President, Keiger Printing Company, Inc.
July 14, 2008
A sleeping giant has arisen with the advent of the new postal regulations. Recently the U.S.P.S. (United States Postal Service), in an effort to reduce waste, instituted its new rules requiring discount mail customers to clean up their mail list. This process raises security questions within the banking and insurance industries and will certainly require many organizations to rethink their data protocols in order to obtain the discounts afforded by the U.S.P.S.
In an effort to comply with the security provisions of the Gramm-Leach-Bliley (GLB) Financial Modernization Act of 1999, many financial institutions adopted isolation data protocols. The concept was to achieve data security by limiting the ways data could be input or changed within the system, especially through automated processes.
One perceived threat was the National Change of Address system (NCOA) implemented by the U.S.P.S. over 20 years ago. NCOA has been highly promoted by the U.S.P.S. for at least the last 20 years to update and keep current mailing addresses within the U.S. The NCOA system is now part of the new Move Update process that is intended to streamline the mailing process and reduce overall waste.
In short, the GLB requires that financial institutions:
- Protect their non-public information collected on customers.
- Provide a yearly privacy notice to their clients.
- Provide an Opt-Out option for third party sharing of information.
- Limit their use of non-public personal information.
- Limit their use of account specific information with third parties.
- Not participate in pretexting or acquiring information under false pretenses.
A summary of the privacy requirements may be found in the Federal Trade Commission publication listed at the end of this article.
The U.S.P.S. Move Update, the process for updating names and addresses, is required if mailers want to get discounted rates for First-Class Mail service.
Since July 1997, the Postal Service has required that all addresses on mailings receiving discounts for First-Class Mail service, whether presorted or automation, undergo name and address correction within 185 days of the mailing. The Postal Service offers mailers four approved and two alternative Move Update methods.
Mailers can meet the Move Update requirement in the following five ways:
- Ancillary Service Endorsement
- Address Change Service (ACS)
- National Change of Address Linkage (NCOA Link™) System
- Alternative Move Update Methods (Legal Restraint or 99 Percent Accurate)
A mailer wishing to enter mail at a discounted First-Class Mail rate must certify, on the postage statement submitted, that the names and addresses on each mail piece have been updated within the previous 185 days.
A summary of the postal requirements and definitions may be found in U.S.P.S. Publication 363, listed at the end of this article.
According to representatives of the U.S.P.S., challenges have already been made under the Legal Restraint process, one of the alternative Move Update methods. The challenges from the banking and insurance industries, made in reference to GLB and HIPAA, could not meet the evidentiary requirements. The test is to show documentation within a law or ordinance that specifically precludes the use of NCOA or other Move Update methods. To date no challenge has met this test.
Isolation Data Protocols
By adopting isolation protocols, banks and insurance companies are actually creating an environment that may unwittingly harm the less financially savvy customer. The harm may extend to the organization itself in lost revenue, relationships and accounts. State governments collected over 22.8 billion dollars last year alone in unclaimed monies. The federal government collected over 18 billion.
The escheat process takes monies from financial institutions and holds these unclaimed monies in escrow after a period of lost communication with customers. There are many causes for losing contact with a customer. It often happens after the death of the owner, or due to a name change after marriage or divorce. An unreported change of address, an expired postal forwarding order, and incomplete or illegible records are also causes. Even after death, most estates are still in contact with financial institutions and do a good job of tracking down financial relationships.
Part of the problem is that although common sense tells us to let our bank know when we have moved, many people do not. The U.S.P.S. has spent millions over many years promoting NCOA as a way for people to let all their personal and business relations maintain contact with them after a move. The promotion continues today under a philosophy of continuously educating the marketplace. Unfortunately, information perceived as common knowledge, such as the example just mentioned, is often relegated to small print and not promoted by other institutions.
The idea behind disallowing the use of NCOA for data updates is that an institution controls where the recipient's mail is delivered and can potentially thwart identity theft. In reality, unless a specific endorsement requesting return service or address correction is placed on outgoing mail, the mail piece is automatically forwarded to the recipient's new address if a change of address (COA) is registered with the Post Office. This forwarding continues for a twelve-month period. At the end of that time the mail is returned to the sender institution with a "forwarding order expired" notice on the mail piece. A standard procedure for data managers at this point is to replace the physical address with "MAIL RETURNED", effectively disconnecting ties with the customer. From then on there is no system short of an expensive hands-on search to recover this data or relationship.
With our understanding of the needs facing the banking and insurance industries and the requirements of the U.S.P.S., three questions become apparent in regard to these two seemingly conflicting positions:
- How do we maintain current address data on customers in order to qualify for postal discounts?
- How do we maintain compliance with current laws and regulations while keeping data current?
- How do we effectively maintain current data on customers with the least amount of inconvenience and confusion?
In our opinion, the answer to all three questions can be drawn from the common data practices of other industries such as utilities.
Utilities (electric, phone, cable, etc.) have similar requirements placed on them regarding safeguarding customer information. They are also required by governing agencies to apply all available cost-cutting measures before requesting rate increases. This policy has prompted these institutions to utilize an opt-out verification process that begins with the use of NCOA. To make changes to data within an account, utilities require verification similar to what banks would require. The exception is when notification is forwarded to them via NCOA updates. When this occurs, a verification letter is sent to the recipient's old address, with "or current resident" adjacent to the name, stating the new address and letting the customer know that the utility has received notification of the change of address. This notice is an OPT-OUT, meaning that the customer has to take no further action if the change is correct. If the change is not correct, the customer may take action to correct the situation and keep their current information. This process gives a higher level of security by maintaining contact with the last known address of the customer.
At no point is the previous address deleted or replaced with "mail returned." This gives the utility the option of using NCOA up to 48 months after a potential lost relationship to recapture a client's current or accurate address.
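The opt-out protocol described above can be sketched as a small record-handling routine. This is an added example, not code from the article or from any utility. The class, function and field names are hypothetical, and the 30-day response window is an assumption because the article does not state one.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

OPT_OUT_DAYS = 30     # assumption: the article does not state a response window
NCOA_MONTHS = 48      # from the article: NCOA can be retried for up to 48 months

@dataclass
class Account:
    name: str
    address: str
    history: list = field(default_factory=list)  # prior addresses, never deleted
    pending: Optional[dict] = None                # staged NCOA change, if any
    returned_on: Optional[date] = None            # set when mail comes back

def receive_ncoa_update(acct: Account, new_address: str, today: date) -> dict:
    """Stage the move and build the notice mailed to the OLD address."""
    acct.pending = {"new": new_address,
                    "deadline": today + timedelta(days=OPT_OUT_DAYS)}
    return {"to": f"{acct.name} or current resident",
            "mail_to": acct.address,
            "body": f"We were notified of a change of address to: {new_address}"}

def opt_out(acct: Account) -> None:
    """Customer reports the change is wrong: drop it, keep the current address."""
    acct.pending = None

def settle(acct: Account, today: date) -> bool:
    """Apply an unchallenged change once the window closes; keep the old address."""
    if acct.pending is None or today < acct.pending["deadline"]:
        return False
    acct.history.append(acct.address)
    acct.address, acct.pending = acct.pending["new"], None
    return True

def mark_returned(acct: Account, today: date) -> None:
    """Record returned mail as a flag instead of overwriting the address."""
    acct.returned_on = today

def can_retry_ncoa(acct: Account, today: date) -> bool:
    """True while a returned account is still inside the 48-month NCOA window."""
    if acct.returned_on is None:
        return False
    r = acct.returned_on
    return (today.year - r.year) * 12 + today.month - r.month <= NCOA_MONTHS

if __name__ == "__main__":
    a = Account("Pat Example", "1 Old St")          # constructed sample data
    print(receive_ncoa_update(a, "9 New Ave", date(2008, 7, 14)))
    print(settle(a, date(2008, 8, 14)), a.address, a.history)
```

The stored address is changed only by `settle`, and only after the notice has gone to the last known address and the window has passed without an opt-out.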
It is our firm belief that this protocol meets the requirements not only of the financial and healthcare industries under Gramm-Leach-Bliley and HIPAA, but of most other heavily regulated industries as well.
We would be happy to have a conversation with anyone regarding mailing, data and compliance issues, and make our local U.S.P.S. resources available upon request. We will also supply all relevant forms needed to comply with the Move Update Program of the U.S.P.S.
Federal Trade Commission, "In Brief: The Financial Privacy Requirement of the Gramm-Leach-Bliley Act." - http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.shtm
United States Postal Service, "Publication 363 - Updating Address Lists Is A Smart Move." January 2007 - http://www.usps.com/cpim/ftp/pubs/pub363/welcome.htm