The following comments were filed by U.S. PIRG in response to a joint bank agency rulemaking request for comments on a proposed rule clarifying the definition of “other” information held by banks and bank holding company affiliates that is subject to an opt-out under the 1996 amendments to the Fair Credit Reporting Act.

 

4 Dec 00

TO: Agencies Below

FR: Ed Mierzwinski, Consumer Program Director, U.S. PIRG (ed@pirg.org)

RE: Comments of U.S. PIRG re proposed Fair Credit Reporting Act regulations on affiliate sharing

 

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 41

[Docket No. 00-20]

RIN 1557-AB78

 

FEDERAL RESERVE SYSTEM

12 CFR Part 222

[Regulation V; Docket No. R-1082]

 

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 334

RIN 3064-AC35

 

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 571

[Docket No. 2000-81]

RIN 1550-AB33

 

The U.S. Public Interest Research Group (PIRG) <http://www.uspirg.org> is the national lobbying office for state Public Interest Research Groups <http://www.pirg.org>, non-profit and non-partisan consumer advocacy groups with a long-standing interest in the Fair Credit Reporting Act.  While our reports (see e.g., "Nowhere To Turn", April 2000, on identity theft <http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/> and "Mistakes Do Happen", March 1999 on credit reporting errors <http://www.pirg.org/reports/consumer/mistakes/index.htm> are highly critical of credit reporting agencies, and we have constantly sought to strengthen the FCRA, it remains that, for all its faults, the FCRA is generally based on enforceable Fair Information Practices (FIPs). When a company seeks to access a credit report or a credit reporting agency makes a mistake, consumers have detailed FIPs-based rights.

 

The two most glaring exceptions to this framework are the credit-header and affiliate sharing loopholes. We are encouraged that the FTC, and Congress, have taken steps to narrow the credit header loophole. That leaves the affiliate sharing loophole, which was established not through hearings, testimony and debate (what is called regular order in Congress), but by demand of the powerful financial community as its price for accepting the modest new Section 615 and Section 623 duties imposed on them in 1996.

 

We opposed the affiliate sharing loophole when enacted as part of the 1996 amendments and we continue to oppose it.  We believe that the idea of establishing virtually unregulated databases is contrary to the intent of Congress when it enacted the FCRA and, further, when it codified the FIPs in the Privacy Act of 1974. Unfortunately, the Privacy Act only to government uses of information.

 

Nevertheless, the notion of establishing regulations to clarify the vague FCRA provisions pertaining to affiliate sharing is noteworthy and we commend the agencies for this small step.

 

We have comments in four areas:

(1) On the definition of "other" information included in the opt-out.

(2) On the issue of partial opt-outs.

(3) On the need to improve the opt-out disclosure to describe the various uses of information.

(4) The missing parts of this regulation-- rules pertaining to 615 (b).

 

(1) Comments on the definition of "other" information included in the opt-out.

           (a) Previous agency best practices memos had alluded to information from credit reports and information from applications. The regulation posits two additional sources of "other" information -- verification of consumer representations and also employment history, including job references.

           *** It should be made clearer that these are examples, and that the consumer's opt-out applies to ALL outside sources of information.  Other sources might include web-site cookies, database enhancements purchased from 3rd parties, information derived from sharing databases with marketing partners, and information provided by the consumer in response to web site surveys and/or surveys by the bank's marketing agents that is not part of his or her experiences or transactions. In addition, suppose a consumer does happen to write in to the bank to request to opt-out, and provides information that the bank did not already have, such as a business address, or a business phone number-- would that information be subject to the opt-out? In our view, it should be.  We expect that financial institutions will increasingly seek to obtain excess information from consumers either through websites, marketing partners or other sources, or follow-up surveys. All this information, which is not in any way derived from a consumer's experiences or transactions, should be subject to the opt-out.

           (b) We are concerned that the proposed rule may limit the types and amounts of information protected by the opt-out. Nothing in the affiliate sharing exception limits "other" information only to "credit" related information.  The plain language of Section 603 refers to "other" information.  Although Section 615 describes certain duties of persons taking adverse actions on the basis of such "other" information and describes it as "credit..." related, Section 603 should guide the rule.  The new relationships being carved out in the marketplace today necessitate that agencies take a broad view of the intent of Congress in giving consumers this opt-out right, not a narrow view.  Therefore, we urge the agencies to revisit the language which states:

           “Other information” refers to information that is covered by the FCRA and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report. The proposed regulation uses the term “opt out information” to describe this category of information."

           Other information includes this information, but not inclusively. Other information must include all information that is not experience and transactions information.

 

(2) On the issue of partial opt-outs.

           The agencies seek to establish by rule that the FCRA allows partial opt-outs on an affiliate-by-affiliate basis.  Even presuming, arguendo, that this is allowed by the FCRA, it is a recipe for disaster. Coupled with the vague and general opt-out notice requirements, this is an invitation for abuse by firms seeking to manipulate customer information.

           ***Each of the four proposed rules includes a one-sentence statement that partial opt-outs are allowed. Nothing in the background explains the agencies' reasoning; nothing in the appendix offers a sample partial opt-out; and, nothing describes that your best choice may be choosing to limit the sharing of "certain opt-out information" rather than limiting "certain affiliates" if you desire to be more protective of your privacy. While it will be our goal to educate consumers that the best way to protect privacy will be to opt-out fully, we believe that it is imperative that if institutions will be allowed to describe partial information opt-outs, that the institutions be required to describe how information may be used by institutions. Obviously, we would also ask that the agencies require institutions to more specifically name and describe their affiliates on opt-out notices. Would the name, description or even the existence of predatory sub-prime affiliates be required to be disclosed? Would the name, description or even the existence of an over-priced credit life insurance affiliate be required to be disclosed?

 

(3) On the need to improve the opt-out disclosure to describe the various uses of information.

           The vague description of partial opt-outs in the proposed regulation is only part of the problem. Of course, nothing in the proposed regulation requires institutions to provide any clarity about how they use this information and why they desire it.

           ***Financial institutions may seek to share information for the limited and presumably benign purposes of running joint call centers or updating mailing lists.  They may also seek to share information for marketing purposes, which many consumers would oppose if they understood it.  Worst, they may also seek to share information for underwriting purposes-- denying credit or increasing the charge of credit based on information in a shared database rather than an outside credit report. Will opt-out notices allow consumers to choose between these "certain uses?" For example--

          

SAMPLE PARTIAL OPT-OUT

           "____ I agree that you can share my information so that the costs of call centers can be pooled between affiliates and so I only need to call you once to update my address when I move.

           ____ I do not agree that affiliates may use my information to make underwriting decisions about me, (since I do not believe that the FCRA grants me adequately enforceable dispute rights for affiliated-shared information).

           _____I do not agree that you can use my outside information to market me products."

 

           When the House Banking Committee debated the affiliate sharing exception to Section 603 and it was narrowly approved, the specter of credit denials on the basis of unregulated in-house databases was clearly raised. Nothing in the proposed rule reflects these concerns or warns consumers about the ways that this loophole allows institutions (Section 615(b)) to make underwriting decisions and generally to operate outside the full Fair Information Practices rules that would apply if the firms based underwriting, in whole or in part, on a third-party credit report (615 (a)). 

 

(4) The missing parts of this regulation-- rules pertaining to 615 (b).

           *** To clarify, the proposed rule focuses on parts of the problem, but possibly without explaining the biggest part of the problem. In the context of affiliate sharing, the proposed rule generally seeks to define "other information" and to describe model opt-out notices, with the flaws noted above. Why does the proposed regulation fail to require firms to limit, or even adequately explain, uses of information? Why does the rule fail to clarify the vague nature of disclosures required under Section 615 (b)?  Do the agencies plan to additional rules pertaining to Section 615 (b), which describes the limited duties of users of affiliate information in an adverse action context? For example, do the agencies plan to issue model affiliate sharing adverse action notices and dispute rules?

 

Conclusion

           U.S. PIRG is pleased that the agencies have proposed to expand the definition of "other" information but concerned that numerous types of other information may be missed by the rule. Further, the failure to require institutions to describe how they could use the information to deny credit or raise the price of credit is an invitation for firms to mislead consumers about the purported benefits of information-sharing. Finally, the rule fails to address the inadequacy of Section 615 (b)'s adverse action provisions.