Innovative bank, FNB, has a consent problem. Jason Elk published a blog post over the weekend titled “FNB, what on earth are you doing to your customers?” in which he took issue with a consent mechanism FNB has been making use of or some time now. Essentially, this consent mechanism requires that customers agree to receive marketing information from the FirstRand Group in order to remain eligible to receive many of the benefits FNB gives its customers and which may have attracted many of its customers in the first place.
Jason’s concern is essentially as follows:
The nutshell version is that FNB is instructing me to say YES to receiving marketing of “other products and services”, or “forfeit any current reward programs (I’m) participating in and be excluded from programs (I) may qualify for in the future”. These include eBucks, fuel rewards and airtime rewards.
So hang on. I’m switching my bond account to FNB, adding the biggest asset I own to my existing portfolio that includes my car, credit facilities, call accounts, savings accounts, cheque accounts, cards and other accounts and services, and because I don’t want to receive marketing messages I will be excluded from eBucks and other rewards immediately and in the future? So instead of rewarding me further, I’m being punished for bringing even more business to the bank. Not the ‘do more’ bank I thought I knew.
FNB’s CEO, Michael Jordaan, responded to Jason on Twitter and, essentially, indicated to him that FNB requires the consent in order to communicate useful information about its products and services to customers. It had no intention of making use of the consent for “blanket marketing” which Jordaan professed a dislike for:
— Jason Elk (@jasonelk) September 28, 2012
@jasonelk earning ebucks requires marketing consent, not just for bond. For us comms really NB, we wanna talk to our customers.
— Michael Jordaan (@MichaelJordaan) September 28, 2012
While I understand the need for a consent in order to communicate useful information to customers, FNB’s consent model, in this case, is problematic. The Protection of Personal Information Bill (likely to become the Protection of Personal Information Act before the end of this year) defines “consent” as follows:
any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information
The key terms here are “voluntary, specific and informed”. This means that a consent given in terms of the Protection of Personal Information Act can’t be a “dumb” consent. The person giving the consent has to clearly understand what he or she is consenting to, must be consenting to that action voluntarily (in other words, without that consent being coerced) and that consent must be fairly focused on particular activities that the person is informed about.
This is reinforced by several “Conditions for Lawful Processing of Personal Information” which are set out in Chapter 3 of the Protection of Personal Information Bill. These conditions include a processing limitation intended to moderate the extent to which personal information is processed as well as a Purpose Specification condition which requires that personal information be, among other things, collected for a very specific purpose.
Section 10, which forms part of the processing limitation condition, states that –
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Section 13 of the Protection of Personal Information Bill includes the following:
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
p>In the case of FNB’s consent model, there appears to be a disconnect between FNB’s apparent intention behind the consent and what the consent of wording actually allows for. As you can see from the consent wording, it is a fairly broad consent to receive information about the FirstRand Group’s products and services”. The consent mechanism goes further –
… current or future participation in FirstRand rewards programs … is dependent on you having granted the Bank consent to market other products and services to you. By processing a “No” instruction you will forfeit any current reward programs you are participating in and will be excluded from programs you may qualify for in future.
If no selection is made, marketing consent will default to “No”
This consent wording is a little contradictory in the sense that the mechanism itself is legally correct in that the Bank has requested an opt in from its customers and, in the absence of this opt in, the Bank will assume that the customer does not wish to be marketed to. The difficulty is that the consent required for what is essentially products and services related information is couched as a consent to receive marketing information about products and services from the FirstRand Group. The scope of the marketing consent required relative to what FNB appears to require, as its CEO clarified on Twitter, is very different.
The FirstRand Group includes a number of other entities, aside from FNB. Consenting to receive marketing information about the FirstRand Group’s products and services may well encompass far more than specific information about FNB products and services which a customer may be utilising. This could be a violation of the processing limitation condition in the Protection of Personal Information Bill. If so, this would render the consent sought to broad.
The concern Jason highlights in his blog post goes to the definition of consent in the first place. It is probably fair to say that many of FNB’s customers were attracted to the bank by its rewards programs and requiring a seemingly broad consent to receive marketing about potentially unrelated products and services in exchange for eligibility for these rewards programs may well undermine the “voluntary” requirement in the consent definition.
What this all means is that FNB’s consent mechanism may not obtain the appropriate consent required by the Protection of Personal Information Act. This consent mechanism is simply too blunt an instrument for what the bank appears to require. One option is for the bank to split the consents required into a mandatory consent to receive product and services related information pertaining to the products and services the customer is making use of from a consent to receive marketing information regarding the FirstRand Group’s products and services, generally. Because these consents may have to be accompanied by an opt out mechanism, they should also be accompanied by appropriate waivers from the customer in the event the customer elects not to receive product and services related information and either misses out on an opportunity or incurs costs due to not taking advantage of something communicated to the customer, for example.
While the suggestion probably will not be welcome news to FNB’s marketing team, it may be a necessary adjustment to the consent model in order to bring it into line with the Protection of Personal Information Act. Of course this is dependent on these provisions being interpreted on the basis I have suggested and a more flexible interpretation may allow for this consent mechanism to remain in place going forward.
A consequence of this, though, is that FNB may be facing a reputational storm from customers accustomed to the bank’s innovative approach to customer service now facing a somewhat overbearing approach to obtaining consent for marketing purposes. The effects of this may be less desirable than the consequences of changing the consent mechanism.