Globalization Meets Privacy Policy

By: Peggy Bresnick Kendler

This Month's Experts

GEORGE A. SAVARESE
Vice President
MetLife (New York), 2000 operating revenues of $29.1 billion.

EDWARD A. PISACRETA, ESQ.
Partner
Brown Raysman Millstein Felder & Steiner LLP (New York), a law firm concentrating in IT and e-commerce law.

PATRICIA M. TILTON
Partner
Business Advisory Services Practice, KPMG LLP (New York)

DANA W. RUDMOSE
Director
Insurance Regulatory Practice, KPMG LLP (New York)

BILL BRADWAY
Co-founder
Meridien Research (Newton, MA), a provider of analytical research services to users and providers of financial industry technology.

-------------------------

Q: What does a domestic insurance company operating outside the US need to know about privacy regulations in other countries?

A: George A. Savarese, MetLife: Satisfying the regulations of a specific country or region does not necessarily address the entire issue. The focus needs to be ongoing for each region and country, and the investigation is frustrating since often times the regulations are not very well defined. Privacy regulations vary from market to market. For instance, regulations are very stringent in Europe, while Asia and Latin America have a lot further to go. The Europeans went so far as to introduce legislation in 1998 to address the issue of using information in ways that customers never intended. For example, unsolicited marketing using telephone and electronic footprints from the Web are common in the US, but not allowed in some European countries.

A: Edward A. Pisacreta, Brown Raysman Millstein Felder & Steiner: US insurance companies must be aware that foreign privacy laws vary widely, are constantly in flux, and are generally more restrictive than US laws. Laws in the European Union and several South American countryies require companies to provide customers with notice of their data collection and use practices, use collected information only for a specific intended purpose, and not share such information with entities in countries with lesser legal protections.

A: Patricia M. Tilton, KPMG: Certain countries' policies are considerably stricter than the US, which is the case with the European Unified countries. As such, it is critical that US companies seek local counsel to understand limitations in each country. It should not be assumed that, because a US company has privacy practices and procedures that align with the various US regulations by entity type or product type, this is sufficient for global compliance.

A: Bill Bradway, Meridien Research: In general, the US is the most liberal marketplace for allowing insurers to handle customer data and exchange it with other third-party companies. In Europe, the general model for data sharing is opt-in. In the US, there's generally an opt-out model, where consumers have to stipulate that they want to be excluded.

Q: What are the systems implications of these trends?

A: Savarese: When it comes to systems, traditionally one solution does not fit all. Implementing systems at a regional level has helped simplify matters relating to privacy. For instance, by locating systems physically in Europe, the privacy issue related to data storage is addressed, since the data is housed within the European Union. However, with the move toward modular, Web-based systems, privacy considerations are further complicated. Current technology makes unique systems physically located in a country or region less necessary or desirable from both a cost and operational perspective.

A: Pisacreta: Integration among local systems will be key. Due to varying laws and regulations, domestic and foreign systems will need to be able to communicate to determine, among other things, whether certain information subject to local laws needs to stop at the border. On the sales side, consideration must be given to whether customer data may be used for marketing and how foreign "distance selling" laws will be handled. In the end, a "privacy-intelligent" integrated system would be optimal, but if the resources are not available, the highest level of protection may need to be adopted, limiting marketing opportunities.

A: Tilton: Cost/benefit of a buy/build strategy needs to consider areas such as compatibility of existing systems to foreign market-available technology, interface capabilities between systems, system-based communication needs between foreign and domestic markets, security, control features required and ongoing support and maintenance. These bear relevance as far as both integration of middleware or modules to core systems to meet foreign needs, and the stand-alone foreign-based system. Compatibility of core US-based systems with those of foreign markets should not be assumed, either with respect to system language or telecommunication interaction. Hardware and software compatibility, foreign currency, foreign reporting and compliance re- quirements and back-office processing of underwriting, claims, reserving and accounting and overall data security must all be considered for each country in which any United States-based financial services company desires to conduct business.

A: Bradway: The primary challenge that has been exposed in the past five to six years is the impact of virtual channels, the Internet being the most obvious. For insurers, the role of technology may have to be sensitized to local market requirements, which in some cases require the data to remain present and used within the particular sovereign domain.

Q: What are the implications for non-US insurance companies operating here?

A: Savarese: Data privacy implications differ. Asian and Latin American privacy regulations are less developed than European regulations, creating a challenge to develop regulations that provide a level of comfort to US customers. The Europeans, on the other hand, need to strike a balance between their current regulations and what is necessary to compete effectively in the less-regulated US market.

A: Pisacreta: Companies located in certain countries may find their privacy laws more restrictive than the US. On the other hand, these companies may be accustomed to dealing with only one national set of insurance regulations, whereas the US has 51 independent schemes. Learning and complying with each state's insurance laws may prove to be the most significant hurdle.

A: Rudmose, KPMG: Implications are in brand recognition, market competition and penetration opportunity; state regulatory compliance; domiciliary, licensing, reporting and product requirements; market conduct; rating; and the Gramm-Leach-Bliley Act, SEC, HIPPA and NASD. To a large extent, brand recognition and market penetration opportunities are key to a non-US company's understanding of its desire to compete in the US market.

Q: Will privacy be an obstacle or an incentive in cross-border mergers?

A: Savarese: From a European perspective, where cross-border transactions are more likely, adherence to the Data Privacy Directive has become a measurable due diligence item, since the guidelines are well defined. For Asia and Latin America, privacy is less measurable, since guidelines in those regions aren't as developed. Going forward, I expect privacy to be an increasing obstacle until it gets further sorted out globally.

A: Pisacreta: Data collection and processing are critical to accurate-and profitable-underwriting. Significant efficiencies can be achieved by merging databases, provided that incompatible privacy regulations do not prevent such a merger. These could dissuade cross-border mergers if compliance would require significant new investment.

A: Rudmose: Whether privacy regulations are an obstacle or incentive will depend on the philosophical similarities or differences between the respective entities and the compatibility of the respective countries' privacy rules and supporting compliance and monitoring systems. Generally, differences will exist in the rules, and the decision of which company's rules to follow in which particular situation may vary. Companies may find that living with varying rules by country will be required.