A group of seven privacy and consumer groups, representing conservative and liberal orientations, including The Free Congress Research and Education Foundation, Consumers Federation of America, Consumers Union, Electronic Privacy Information Center, Privacy International, Privacy Times,
[Page: S616]
On September 9, 1998, The Washington Post published an editorial, ``......And a Matter of Privacy,'' arguing,
Along with medical records, financial and credit records probably rank among the kinds of personal data Americans most expect will be kept from prying eyes. As with medical data, though, the privacy of even highly sensitive financial data has been increasingly compromised by mergers, electronic data-swapping and the move to an economy in which the selling of other people's personal information is highly profitable--and legal.
The Post editorial concluded that the privacy amendment to last year's proposed financial modernization legislation which I introduced with Senators DODD and BRYAN was ``a protection well worth considering, especially in the banking context. As the pace of the much-touted `information economy' quickens, safeguards against these previous unimagined forms of commerce become ever more important.''
The United States now faces pressure from the European Union nations as a result of our lack of privacy protections, in comparison with the ones implemented by the European Union. The European Union Data Protection Directive, which went into effect on October 25, 1998, goes much further than any privacy protections in place in the U.S. The Directive requires that member states protect privacy rights in the collection of data by both the public and private sectors. It prohibits the transfer of data without first obtaining the individual's unambiguous consent regarding the transfer and use of his or her personal financial data.
The EU Directive provides ``that the transfer to a third country of personal data . . . may take place only if . . . the third country in question ensures an adequate level of protection.'' Since the European Union views current U.S. privacy policy as inadequate, U.S. companies that do not provide adequate privacy safeguards may have difficulty conducting business in the EU. The Department of Commerce proposed a safe harbor so that companies which meet certain guidelines would be allowed to conduct business in the EU and send data from the EU to the United States. The EU has not accepted the proposed safe harbor as adequate, and negotiations continue. Meanwhile, U.S. businesses must negotiate private privacy agreements with EU countries or face uncertainties in doing business. Congress by enacting privacy protection legislation could meet the EU standard and thereby solve this problem for American companies.
Unfortunately, industry self-regulation to protect the privacy of information has been tried and, generally, has not worked. Many, if not most, consumers are not informed of plans to sell or share their financial transaction and experience data, are not notified of a right to object, have no access to verify the accuracy of data, and have no independent body to enforce privacy protection. Recent studies by the FTC and the FDIC of on-line Internet privacy protection found self-regulation to be ineffective. Privacy protections for ``off-line'' transactions are far weaker.
I believe that the protection of the privacy of customers' personal financial information is much too important to ignore any longer. Therefore, I am, along with Senators DODD, BRYAN, LEAHY, EDWARDS, and HOLLINGS, introducing the Financial Information Privacy Act of 1999. This bill would require the Federal banking regulators--the Federal Deposit Insurance Company, Federal Reserve, Office of the Comptroller of the Currency and the Office of Thrift Supervision--and the Securities and Exchange Commission to enact rules to protect the privacy of financial information relating to the customers of the institutions they regulate.
The regulators would define ``confidential customer information'' in a way that includes balances, maturity dates, transactions, and payouts in savings accounts, certificates of deposit, securities holding and insurance policies. The regulators would require an institution to:
(1) tell its customers what information it will sell or share, and when, to whom and for what purposes it will be sold or shared;
(2) give customers the right to ``opt out,'' which means they can say ``no'' to the sharing or selling information to affiliates--unless the customer objects, institutions could sell or share customer financial data; and
(3) obtain a customer's informed consent before selling or sharing confidential customer information with an unaffiliated third party.
Under the Act, regulated financial institutions would be required to allow the customer to review the information to be disclosed for accuracy and to correct errors. Also, these institutions could not use confidential customer information obtained from another entity, such as an insurance underwriter, unless that entity had given its customers the same type of privacy protections as the regulated entities had given their customers.
Disclosure of data under several circumstances would be exempted from coverage, including disclosure of information that is not personally identifiable, disclosure necessary to execute the customer's transaction, and other limited purposes. The Federal bank and securities regulators would enforce the regulations.
The bill recognizes the complexity of the subject matter involved. Rather than have Congress micromanage a solution, we would leave it to the regulators with a direction as to the scope and purposes that should be followed. This approach would afford an opportunity for public notice and comment, so all of those affected could present their arguments. The banking and securities regulators would develop the rules to implement these broad principles in the way most appropriate for the industry, balancing the consumer's privacy choice with business' desire to sell or share their customer's sensitive financial information with others.
As we proceed in an age of technological advances and cross-industry marketing of financial services, we need to be mindful of the privacy concerns of the American public. Consumers who wish to keep their sensitive financial information private should be given a right to do so. Congress can and should provide that privacy protection by giving consumers enforceable rights of notice, consent, and access through passage of the Financial Information Privacy Act.
There being no objection, the materials were ordered to be printed in the RECORD, as follows:
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE
This Act may be cited as the ``Financial Information Privacy Act of 1999''.
SEC. 2. DEFINITIONS.
In this Act--
(1) the term ``covered person'' means a person that is subject to the jurisdiction of any of the Federal financial regulatory authorities; and
(2) the term ``Federal financial regulatory authorities'' means--
(A) each of the Federal banking agencies, as that term is defined in section 3(z) of the Federal Deposit Insurance Act; and
(B) the Securities and Exchange Commission.
SEC. 3. PRIVACY OF CONFIDENTIAL CUSTOMER INFORMATION.
(a) RULEMAKING.--The Federal financial regulatory authorities shall jointly issue final rules to protect the privacy of confidential customer information relating to the customers of covered persons, not later than 270 days after the date of enactment of this Act (and shall issue a notice of proposed rulemaking not later than 150 days after the date of enactment of this Act), which rules shall--
(1) define the term ``confidential customer information'' to be personally identifiable data that includes transactions, balances, maturity dates, payouts, and payout dates, of--
(A) deposit and trust accounts;
(B) certificates of deposit;
(C) securities holdings; and
(D) insurance policies;
(2) require that a covered person may not disclose or share any confidential customer information to or with any affiliate or agent of that covered person if the customer to whom the information relates has provided
[Page: S617]
(A) with respect to an individual that became a customer on or after the effective date of such rules, at the time at which the business relationship between the customer and the covered person is initiated and at least annually thereafter; and
(B) with respect to an individual that was a customer before the effective date of such rules, at such time thereafter that provides a reasonable and informed opportunity to the customer to prohibit such disclosure or sharing and at least annually thereafter;
(3) require that a covered person may not disclose or share any confidential customer information to or with any person that is not an affiliate or agent of that covered person unless the covered person has first--
(A) given written notice to the customer to whom the information relates, as described in paragraphs (4) and (5); and
(B) obtained the informed written or electronic consent of that customer for such disclosures or sharing;
(4) require that the covered person provide notices and consent acknowledgments to customers, as required by this section, in separate and easily identifiable and distinguishable form;
(5) require that the covered person provide notice as required by this section to the customer to whom the information relates that describes what specific types of information would be disclosed or shared, and under what general circumstances, to what specific types of businesses or persons, and for what specific types of purposes such information could be disclosed or shared;
(6) require that the customer to whom the information relates be provided with access to the confidential customer information that could be disclosed or shared so that the information may be reviewed for accuracy and corrected or supplemented;
(7) require that, before a covered person may use any confidential customer information provided by a third party that engages, directly or indirectly, in activities that are financial in nature, as determined by the Federal financial regulatory authorities, the covered person shall take reasonable steps to assure that procedures that are substantially similar to those described in paragraphs (2) through (6) have been followed by the provider of the information (or an affiliate or agent of that provider); and
(8) establish a means of examination for compliance and enforcement of such rules and resolving consumer complaints.
(b) LIMITATION.--The rules prescribed pursuant to subsection (a) may not prohibit the release of confidential customer information--
(2) to a governmental, regulatory, or self-regulatory authority having jurisdiction over the covered financial entity for examination, compliance, or other authorized purposes;
(3) to a court of competent jurisdiction;
(4) to a consumer reporting agency, as defined in section 603 of the Fair Credit Reporting Act for inclusion in a consumer report that may be released to a third party only for a purpose permissible under section 604 of that Act; or
(5) that is not personally identifiable.
(c) CONSTRUCTION.--Nothing in this section or the rules prescribed under this section shall be construed to amend or alter any provision of the Fair Credit Reporting Act.
--
..... And a Matter of Privacy
Along with medical records, financial and credit records probably rank among the kinds of personal data Americans most expect will be kept from prying eyes. As with medical data, though, the privacy of even highly sensitive financial data has been increasingly compromised by mergers, electronic data-swapping and the move to an economy in which the selling of other people's personal information is highly profitable--and legal.
Just how much of it is legal in the financial arena, though, is a complicated question. The Senate, struggling with a banking bill, is weighing a proposed amendment that would draw clearer lines. A judge at the Federal Trade Commission, after years of trying to police the sale of credit information to telemarketers, two weeks ago ordered one of the country's largest credit reporting bureaus to stop selling customers' sensitive data to such marketers in violation, the agency said, of the Fair Credit Reporting Act.
The Senate's attention to financial privacy comes in the form of a proposed amendment to a banking deregulation bill, already passed by the House, that would allow banks to merge more freely with the providers of other financial services, such as insurers. Once such institutions can merge, though, under current law they are under no restrictions from sharing even otherwise protected customer information from division to division. (The Fair Credit Reporting Act, which offers some though not comprehensive protection for credit information, doesn't impose the same restrictions on affiliated institutions.)
For instance, watchdog groups say, if Citibank merges with Travelers Inc. insurance as expected, information about your bank balance or a bounced check could be used to deny you insurance coverage. Conversely, data from a medical exam for insurance coverage could be shared with your bank and used to deny you a loan. Milder possibilities include the use of knowledge about your financial assets being shared with or sold to marketers who wish to target customers of a given income bracket.
An amendment proposed by Sens. Paul Sarbanes and Christopher Dodd is likely to be weighed by the committee marking up the Senate bill this week or next. It would block such possibilities by prohibiting sharing or pooling of data not covered by the Fair Credit Reporting Act--known generally as ``experience and transaction data,'' and including account balances and activity--for any purpose beyond the reason it was collected, unless the customer gives specific permission.
This goes well beyond existing privacy protections, which mostly require that the customer actively ``opt out'' of such uses--a difficult proposition when the customer probably has not the slightest idea that such swapping and spreading of information is legal to begin with. For that very reason, it's a protection well worth considering, especially in the banking context. As the pace of the much-touted ``information economy'' quickens, safeguards against these previously unimagined forms of commerce become ever more important.
--
Privacy Matters: When Bigger Banks Aren't Better
Imagine you are being treated for breast cancer, a fact known to your Travelers' insurance agent from your medical tests and insurance forms. Imagine also that you are applying for a mortgage from, say, Citibank, where you've banked for years and which has just merged with Travelers Group. Despite your excellent credit rating, your mortgage is denied by Citibank for reasons that are unclear.
Or suppose you've just inherited lots of money from a relative's life insurance policy and you put the money into your Fleet Bank account. Pretty soon you get a call from a representative of Quick & Reilly, a brokerage firm you have never heard of but which is owned by Fleet. The broker is equipped with surprisingly detailed knowledge of your financial situation--along with a few ideas about how to invest your windfall.
Both situations may be hypothetical but they aren't so far-fetched, according to a growing number of bankers, lawmakers, banking regulators and consumer advocates worried about the potential dark side of the mergers sweeping the financial industry. As banks, brokerage firms and insurance companies combine into huge new conglomerates, and with legislation before Congress to make such mergers even easier, there is increasing concern about the amount of personal financial and medical data that can be collected under one roof.
FEAR OF DISCLOSURE
So far, this privacy debate has centered mainly on the use of patients' medical records, especially by health maintenance organizations. But a new twist has been added as banks have expanded into businesses like securities and insurance sales, both of which involve the collection of a wide range of personal information.
``It is very important for banks to realize the challenge they face in the privacy area is something new, different and more difficult than what they've dealt with before,'' said Julie Williams, Acting Comptroller of the Currency. ``It's in their self-interest to recognize privacy as a customer concern and deal with it successfully or they may be subject to more restrictive controls on the ability to use this information.''