U.S. PUBLIC INTEREST RESEARCH GROUP
12 October 1998
Acting Comptroller of the Currency
250 E St., SW
Washington, D.C. 20219
Dear Ms. Williams:
Thank you for inviting us to meet with you on the issue of privacy and we look forward to next week's forum. We appreciate your interest and leadership on this issue and wanted to follow up in writing with concerns and issues discussed at the September meeting. We also commend you for taking action in the area of pretexting but, as we discuss below, we are concerned that the action is "advisory" rather than a rulemaking and it does not address the breadth of the financial privacy concerns of consumers.
As you know, current laws do not provide adequate privacy protection for consumer account information held by financial institutions. What limited protections there are can be found in the Fair Credit Reporting Act, which has several significant loopholes. Consumers need protections of personal medical, insurance, deposit, credit and demographic information held by financial services companies. We suggest the following:
Privacy Loopholes in Current Law Must be Closed: Several loopholes in current law pose huge threats to consumer privacy, particularly as banks join with insurance and securities firms. Banks will gain access to data about a customer's health and family medical history through their insurance activities. Will a customer with a terminal illness be treated differently when they apply for a loan? A grieving widow who is the beneficiary of a life insurance policy can expect to be pressured by affiliated brokers. And the customer may not know of or be able to prevent this sharing of data. Because of loopholes in current law, we are all at risk of our financial and other personal information being shared and sold.
Affiliate Sharing Loophole: The Fair Credit Reporting Act allows affiliates to share information derived from credit reports so long as the customer is given a one-time opportunity to opt-out of this sharing. Once the data are shared with an affiliate, however, the consumer loses the protections of the Act. Therefore, if an insurance affiliate receives information from the bank affiliate about late-payment history, then the life insurance applicant may be denied insurance without ever knowing the reason, as is otherwise required under the FCRA.
Unregulated Databases: In addition, using the loophole, affiliates could pool data and create their own databases without complying with the FCRA. As you may know, the Federal Trade Commission (FTC) shares our view that the establishment of unregulated consumer reporting agencies by bank holding companies is one of the gravest threats posed by the sloppy Congressional drafting of the affiliate-sharing exception. All sharing and pooling of credit report data should come under the protections of the FCRA. Consumers must be given the opportunity to agree in writing before limited sharing or disclosure, between and amongst affiliates, is allowed, under an "opt-in" basis. However, under no circumstances should holding companies be allowed to establish unregulated consumer reporting agencies. We hope you will support and work with us to obtain these changes.
Pending the needed legislative changes, we urge you to take the strongest regulatory action available, e.g., the issuance of regulations, to ensure that adequate opt-outs are being provided under current law. We suggest developing model forms or standards that provide meaningful and clear opt-outs whenever the opportunity to cross-market or use information arises. For example, if a person submits a form in the process of purchasing investments, a clear opt-out should be included on the face of the form, printed in at least 10-12 point font, in boldface type. There should not be another form or a burdensome process for the consumer.
Medical Records: Under current law, medical information cannot be included in credit reports without a consumer's affirmative written consent, or opt-in. Yet, under affiliate sharing schemes, sensitive medical information is subject to no such protections and can be pooled with credit card payment records, census records and other information pooled for corporate use. Such information must be protected. We suggest rules that require explicit protection of medical and insurance records.
Experience and Transaction Loophole: The FCRA exempts all experience and transaction data from the definition of credit report. Further, it exempts the pooling of these data among affiliates. For example, all transactions that Travelers-Citicorp has with its 100 million customers can be pooled into a massive database without coming under any protections of the law. Therefore, not even the "opt-out" applies, so consumers cannot prevent banks and affiliates from selling or sharing information about their experience with the institution.
When a customer deposits a $100,000 inheritance in the bank, the bank is free to share or sell that information without the customer ever knowing or having the opportunity to prevent such disclosure. Consumers should be able to protect the confidentiality of their dealings with banks and affiliates. We urge you to suggest and support changes in the law to delete the exemption for experience and transaction information and the pooling of it.
"Credit Header" Information Can Be Sold Without The Consumer's Knowledge or Consent: Due to sloppy bank and credit bureau practices, consumers face financial theft of identity risks. Although the Senate has approved legislation, S. 512, to criminalize identity theft, much more needs to be done. Among the most important solutions is to prohibit firms from selling Social Security numbers, mother's maiden name and other information derived from "credit report headers." The practice occurs because "credit headers" are not protected by the Fair Credit Reporting Act, according to a consent decree negotiated by the FTC. We urge you to support legislation, e.g., S. 600, to prohibit the sale of credit header information.
Financial Institutions Must Have an Affirmative Obligation To Protect Customer Data: While there are privacy protections when banks provide information to government agencies, there are no privacy protections in the law when banks disclose information to private parties. Banks and other financial institutions should have a duty to protect the confidentiality of their customers' personal and financial information, particularly as more diversification and consolidation takes place.
We appreciate the intent of the recently issued advisory letters but we believe they lack sufficient "teeth" and do not include the protections needed to ensure banks keep confidential (unless for specific authorized use) and secure customer information. The provisions in HR 4388, introduced by Congressman LaFalce and based on industry privacy principles, would go a long way to providing this protection by requiring banks to secure and protect the confidentiality of customer information. We suggest using this language as the basis for regulations to address this huge gap in protection. We would appreciate your views on incorporating such protections into agency rules and/or whether you would support enactment of protections into law.
Consumers Must Be Informed About Their Rights: Another problem is the failure of banks to adequately inform consumers about their right to choose not to receive any of the 3 billion pre-screened credit solicitations mailed to consumers each year. These solicitations consist of credit card offers, blank checks payable to the consumer which become high-cost loans if signed, and other credit offers. Incredibly, some banks are even mailing actual credit cards, since they have identified an alleged loophole in legislation designed to prohibit the practice. Pre-screened credit offers not only constitute an unreasonable invasion of privacy if consumers aren't adequately warned of their rights, but often consist of aggressively marketed high-cost debt to high-risk populations. Please let us know whether you will use your existing regulatory authority to require banks to put required pre-screen opt-out disclosures in clear, easy-to-read, plain English boxes, rather than allowing them to continue to bury them in small type on the back of offers. You had asked us to assess some of the online privacy guidelines of banks. We are collecting those at some of the biggest banks and are looking at them. We will get back to you with our assessment as soon as possible.
Obviously, there is a lot to be done in this area. We understand that the banks are strongly urging a "no regulation" or "self-regulation" approach to privacy at this time. We expect that from them. The more they voice the mantra of "self-regulation," the more time and opportunity they will have to develop marketing and other systems that will be hard to unwind. You have performed an important service by publicly acknowledging that they have not done a good job; we hope you will implement enforceable rules to help ensure they do protect consumer privacy before it's too late. We look forward to continuing to work with you and your staff on these and other important issues.
Mary Griffin, Consumers Union
Ed Mierzwinski, U.S. Public Interest Research Group