Copyright 1999 Federal Document Clearing House, Inc.
Federal Document Clearing House Congressional Testimony
July 20, 1999
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 4534 words
HEADLINE:
TESTIMONY July 20, 1999 ROBERT R. DAVIS DIRECTOR HOUSE BANKING
AND FINANCIAL SERVICES FINANCIAL INSTITUTIONS AND CONSUMER CREDIT UNIONS
FINANCIAL PRIVACY
BODY:
Testimony of America's
Community Bankers on Emerging Financial Privacy Issues before the Subcommittee
on Financial Institutions and Consumer Credit Committee on Banking and Financial
Services of the U.S. House of Representatives on July 20, 1999 Robert R. Davis
Director of Government Relations America's Community Bankers Washington, DC
Chairwoman Roukema and members of the Subcommittee, my name is Robert R. Davis.
I am the director of government relations for America s Community Bankers.
America's Community Bankers (ACB) is the national trade association for
progressive community banks of all sizes. ACB members have diverse business
strategies based on consumer financial services, housing finance, small business
lending, and community development, and operate under several charter types and
holding company structures. We appreciate this opportunity to testify before the
Subcommittee today on this very important issue. Chairwoman Roukema, let me
begin by commending you for holding these timely hearings on one of the most
critical issues facing our nation s financial services industry and the
customers we serve: protection of personal financial information privacy.
Without a doubt, financial information privacy protection is one of the top
issues facing our evolving financial services system and deserves the in-depth
review and examination by Congress that these hearings represent. All of us are
well aware of the growing public concern about information sharing practices,
both in the financial services industry and in other sectors of our nation s
economy. The news is full of stories about people receiving telemarketing calls
during dinner or bundles of direct mail solicitations in their mailbox, with no
knowledge about how or from where their personal information was obtained. As a
consumer, I am personally concerned about my name, address, telephone number,
and financial information being on thousands of lists targeting me and my family
for the sale of products and services I may not want or need. At the same time,
there are legitimate - even essential -- reasons for businesses to share
information. If the free flow of information were cut off, financial
institutions and other businesses could not carry out most of the transactions
initiated or requested by customers. They could not offer to consumers new lines
of products and services. They could not carry out the reporting and monitoring
activities required by law. While many consumers are understandably upset about
the occasional excesses of information sharing and marketing practices, I am
confident that virtually none of them would support laws which would effectively
ban information sharing altogether, or significantly restrict legitimate
marketing programs. Clearly, information sharing practices should be subject to
reasonable requirements. Those requirements should in part be the result of a
self-examination by businesses of their own activities. In fact, many of them
are now in the process of conducting such reviews. After all, the success of a
company, particularly a financial institution, depends on establishing good
relations with existing and potential customers. If a customer has reason to
distrust or lose faith with a company with which they conduct business, that is
one less customer a company will have the opportunity to serve. Good business
sense dictates the old adage: "the customer comes first." Government should have
a role in ensuring that basic standards to protect personal financial
information privacy are established and implemented by financial institutions.
While most businesses are serious about doing what it takes to maintain good
customer relations, it only takes one highly publicized, isolated incident to
upset the apple cart. Because financial institutions, particularly banks, depend
on continued public faith in the integrity of the financial system, reports of
excessive or abusive information sharing practices can have a detrimental impact
on their ability to do business. ACB urges the 106th Congress to enact
legislation which affirms its commitment to consumers that their basic privacy
rights will be protected. Such legislation must be balanced to ensure consumers
that their personal information will be protected, while not unduly interfering
with the routine, legitimate practices of financial institutions. ACB commends
the House for its efforts to reach that balance in the privacy provisions found
in H.R. 10 and supports moving the legislation forward, with some suggested
modifications. We thank the Subcommittee for this opportunity to discuss ways to
improve the privacy provisions in H.R. 10. Summary In response to the questions
you raised in your invitation letter of July 9, 1999, our testimony will focus
on five major points: (1) ACB s policy position on customer information privacy;
(2) some background and history of the financial information privacy debate; (3)
our member institutions experiences with information sharing; (4) some
recommended improvements for the privacy protection provisions in H.R. 10; and
(5) the effect that more stringent privacy protection requirements might have on
the operations of our member banks. As the voice for progressive, community
banks, ACB strongly supports protecting the personal information privacy rights
of consumers of financial services. On July 17, 1999, ACB s Board of Directors
adopted the following official policy position on customer information privacy:
ACB supports efforts to protect the non-public, personal information privacy
rights of consumers of financial services. While existing laws and general
industry practices have provided broad privacy protection for financial services
customers, ACB supports the enactment of legislation which would properly
balance the legitimate information sharing needs of a financial institution with
the obligation to protect customer information privacy. ACB supports requiring
all financial institutions to develop an individual privacy protection policy
that applies to all bank products or products shared with partners or through
other relationships, and provide that policy to all customers. An institution
should only be required to provide each customer with its privacy policy once,
unless substantive changes are made to the policy. This requirement should cover
all financial institutions, including but not limited to insured depository
institutions, credit unions, broker/dealers, investment advisers, investment
companies, and insurance companies. Enforcement of this requirement should be
assigned to an institution s functional regulator, where one exists, and to the
Federal Trade Commission for those institutions which are not functionally
regulated. A new private right of action for violations of the disclosure
requirement should not be created. ACB recognizes that customers of community
banks generally do not want their personal financial information sold to
unrelated third party telemarketers. ACB does not oppose requirements that a
customer be given the opportunity to opt out of having his or her personal
financial information shared with unrelated third parties for marketing
purposes, so long as these requirements do not apply to: (1) the sale of the
bank s own products and services; (2) the sale by the bank of products and
services as part of a contractual agency relationship with another company; (3)
joint ventures and the providing of products and services through common
employees; (4) information sharing practices to facilitate routine services,
such as authorization, settlement, billing, processing, check clearing,
transfer, or collection; and (5) information sharing practices needed to effect
the sale of mortgages in secondary markets. Such requirements should not
unfairly discriminate against smaller community banks which use contractual
relationships with third parties for the same legitimate purposes for which
larger banks use affiliates. Financial institutions should be required to notify
customers once of the opportunity to opt out, and customers should be required
to notify the financial institution within a reasonable, specified period of
time if they choose to opt out. As with disclosure, this requirement should be
applied to all financial institutions, not limited to insured depository
institutions; overseen by the institution s appropriate functional regulator;
and not subject to a new private right of action. ACB also supports
criminalizing the practice of obtaining the personal financial information of
another person through false, fraudulent, or deceptive means. To protect the
health and medical information privacy rights of customers, ACB
supports requirements that such information not be shared, unless the customer
consents to such practices or directs that his or her health or medical
information be shared with another party. This policy position is the result of
substantial input and feedback, both from a public policy and real-life
operational perspective, from a number of ACB member institutions. We are
pleased that the approach taken in H.R. 10 generally tracks the key points in
our policy position. We support legislation that, at a minimum, requires every
financial institution to establish its own privacy policy and to share that
policy with its customers; prohibits the sharing of health and medical
information without the consent of the customer; and bans abusive pretext
calling practices. We also appreciate the fact that the House of Representatives
responded to concerns raised by ACB members and other smaller community banks
and carved out critical exceptions to the bill s opt-out requirement for
information sharing with third parties. Prior to House floor action on H.R. 10,
some segments of the financial services industry suggested legislative language
as a substitute for the onerous privacy protection provisions in the House
Commerce Committee s version of H.R. 10. To ensure that smaller community banks
had a say in the drafting process of privacy protection legislation, ACB and the
Independent Community Bankers of America sent a letter on June 22, 1999 to
Speaker Hastert and Minority Leader Gephardt requesting that financial privacy
legislation not unfairly discriminate against community banks that use third
party relationships for the same legitimate purposes for which larger banks use
affiliates. We would like to thank Chairwoman Roukema, Representative Deborah
Pryce, Representative Martin Frost, and other leaders in the House for their
efforts to address these concerns. While we are not opposed to the bill s
provisions to give consumers a say in whether or not their personal information
is shared with third parties, we would like to suggest an alternative approach
that will allow us to reach the same goal more efficiently and with greater
certainty. Every day, smaller community banks use contractual relationships with
third parties for the same legitimate purposes, such as marketing of products
and services, while larger institutions often use affiliate relationships. H.R.
10 requires an opt-out procedure for these third-party information sharing
activities, with certain carved out exceptions. Because it does not, however,
impose a similar responsibility on sharing information with affiliates, H.R. 10
could still place smaller community banks at some disadvantage. While the bill s
exceptions to the opt-out requirement will help mitigate this disadvantage by
allowing banks to carry out routine activities, they may not cover all of the
legitimate information sharing activities for which community banks use third
parties. As a result, community banks would be forced to either tailor their
activities to fit the bill s exceptions or give up activities the benefits of
which cannot justify the cost of establishing an opt-out procedure. Instead of
using H.R. 10 s approach of establishing a blanket opt- out requirement for
information sharing with third parties and then carving out exceptions to this
requirement, Congress should first determine which activities, practices, or
relationships justify a required opportunity for a consumer to opt out, and
apply that requirement only to those activities. This more direct approach would
still give consumers the right to say no to the information sharing activities
that give rise to a public policy concern. At the same time, it would protect
smaller community banks from the cost and burden of having to justify each of
their legitimate information sharing activities with third parties. While ACB
commends the House for its efforts to date to help level the playing field
between larger and smaller financial institutions, we do urge the House-Senate
conferees to consider this alternative, targeted approach to the opt-out
requirement. Background and History As we work to identify and address the
public concerns about protecting personal financial information privacy, it is
important to remember how we got here. To suggest, as some have, that financial
information privacy protection is a "new" issue is inaccurate. For years,
customer information privacy has been addressed by a number of existing statutes
and regulations, including the Fair Credit Reporting Act (FCRA), the Right to
Financial Privacy Act, the Electronic Communications Privacy Act, and others. In
fact, just three years ago, Congress enacted a series of additional consumer
protections when it reauthorized the FCRA. But as advances in technology allow
financial institutions to provide more products and better services to
consumers, there remains an ongoing responsibility to reevaluate these laws and
their adequacy in protecting privacy rights. While consumers want to reap the
benefits of a modernized financial system, they also want their personal
financial information to be secure. Recent events, like the now-settled suit
filed against U.S. Bancorp in Minnesota, have heightened public scrutiny of
financial information sharing practices. In addition, well- publicized reports
of abusive pretext calling practices have also raised concerns among consumers
about the confidentiality of their personal financial information. Like it or
not, these separate incidents could very well lead consumers to believe that
their privacy rights might be threatened. That is not the case, and we cannot
lead the public to believe it is. It is the responsibility of both the private
and public sector to preserve consumer confidence in the integrity of our
financial system. The twin goals of providing consumers with greater benefits,
such as more efficient delivery of services and access to a wider array of
products, and protecting their personal financial information privacy rights are
not and should not be deemed to be mutually exclusive. As we move forward down
the information superhighway, we must reassure consumers that their personal
financial information privacy rights will be honored, both in the daily
practices of financial institutions and in the law. Information Sharing
Practices of ACB Member Institutions In June, ACB conducted a comprehensive
survey of select member institutions, asking detailed questions about their
information sharing practices. Because of the diversity of ACB s membership,
survey respondents were asked about information sharing activities with both
affiliates and non-affiliated third parties. The banks responding to this survey
ranged from those which engaged in numerous information sharing activities to
those which engaged in none. Information sharing activities engaged in by ACB
members include: (1) use of outsourcers providing services for banks, e.g.,
check printing, credit card processing, ATM/EFT networks, data processing, etc.;
(2) joint marketing arrangements with third parties, both for the sale by the
third party of the bank s products and services and the sale by the bank of the
third party s products and services; (3) mortgage activities, including mortgage
servicing and securitization, and sales of mortgages in secondary markets; (4)
activities involving dual or common employees; and (5) joint ventures, e.g.,
credit life insurance sales, and co-branding activities, e.g., credit cards.
While this list is not exhaustive, it does illustrate the wide range of
information sharing activities engaged in by ACB member institutions, both with
affiliates and third parties. Just as importantly, however, is the fact that
many ACB member institutions which do not presently engage in these and other
legitimate information sharing activities may want to do so in the future.
Feedback from our member institutions indicate that overly onerous regulation or
restriction on potential information sharing activities could foreclose the
opportunity for community banks to provide new products and services to their
customers. Privacy Protection Provisions in H.R. 10 Even with the recently
intensified efforts by financial institutions to reexamine their information
sharing practices, many consumers may still feel that more needs to be done to
protect their personal financial information privacy rights. In response to
these concerns, the House adopted the privacy provisions in H.R. 10. As I stated
earlier in my testimony, these provisions are generally consistent with the
scope of ACB s official policy position on customer information privacy. We
would, however, like to suggest the following improvements to the bill s
provisions. Privacy Protection Obligation Section 501 of H.R. 10 states that
each financial institution has an "affirmative and continuing obligation to
respect the privacy of its customers and to protect the security and
confidentiality of those customers nonpublic personal information." ACB is
concerned that the inclusion of this broad, vague legal obligation could have
unintended, harmful consequences, such as creating an implicit private right of
action by consumers. If Section 501 is retained, we ask that it be listed either
as a non- binding statement of legislative intent or as part of Congressional
findings. Disclosure Requirement Because we believe that an informed consumer
makes a better customer, ACB supports the general requirement in Section 503 of
H.R. 10 that each financial institution establish its own privacy policy and
provide that policy to its customers. We do not believe, however, that such
disclosure need be made at least once a year, as required by H.R. 10. Such
disclosure should be provided to new customers at the time the customer
relationship is established, to existing customers if the privacy policy is
amended, and to existing customers within a reasonable period of time following
the issuance of final regulations promulgated under the bill. Opt-Out
Requirement ACB does not oppose the opt-out requirement found in Section 502 of
H.R. 10 for information sharing activities with third parties. We would,
however, suggest that targeting specific activities, practices, and
relationships for an opt-out requirement would be a better and more direct
approach toward resolving consumer concerns than the bill s blanket requirement
for third-party information sharing activities with exceptions. For example, an
opt-out requirement could be imposed in cases where a third party uses a bank
customer s information to telemarket its own products to the bank s customer.
Such a requirement would help address the recently settled complaint raised in
Minnesota against U.S. Bancorp. At the same time, it would not limit
institutions from establishing new multiple-party marketing agreements or joint
ventures, such as those related to expanded use of the Internet. If the approach
taken in Section 502 is retained, ACB would suggest expanding the bill s
exceptions to the opt-out requirement. While the current exemption language in
H.R. 10 covers many of the activities and relationships in which ACB member
institutions are engaged, other practices, such as joint ventures and
co-branding activities, should also be explicitly included in the list.
Disclosure of Account Numbers Section 502(d) of H.R. 10 prohibits the disclosure
by a financial institution of account numbers to any unaffiliated third party
for use in telemarketing to a consumer or for use in direct mail or electronic
mail marketing. It should be amended to allow for the same exceptions applicable
to the bill s opt-out requirement. Customer Lists Under Section 509(4) of H.R.
10, "nonpublic personal information" is defined to include "any list,
description, or other grouping of consumers (and publicly available information
pertaining to them) that is derived using any personally identifiable
information other than publicly available information." This broad definition
could subject to an opt-out requirement any list or grouping of customers by a
financial institution, no matter how broad the category. This definition should
be narrowed to focus on the types of lists or groupings that the public finds
objectionable. Other Recommendations ACB also recommends that a broad federal
preemption of state laws be included in the bill. In the absence of a federal
preemption clause, financial institutions would not only have to comply with
federal law, but also with a host of potentially conflicting state laws. This
would make compliance unduly difficult and burdensome, particularly for those
financial institutions with operations in more than one state. ACB is pleased
that the disclosure and opt-out requirements in H.R. 10 will be functionally
regulated. Consistent with our official policy position, we also support the
protection of health and medical information privacy in Section
351 of the bill and the ban on abusive pretext calling practices in Subtitle B
of Title V. We respectfully urge the House-Senate conferees to take our
recommendations into consideration as they work out the differences between the
privacy provisions in H.R. 10 and S. 900. Effect of More Stringent Privacy
Requirements If the privacy provisions in H.R. 10 are enacted, it would mark the
biggest step ever taken by Congress to put in law basic standards to protect
personal financial information privacy. Still, we recognize that there are
members of Congress who believe that the privacy provisions in H.R. 10 should be
even more stringent. Some of these proposals include imposing an opt- out
requirement on information sharing between affiliates, requiring an opt-in
procedure for information sharing with all third parties, or creating a private
right of action as a means of enforcement. Given the experience of our member
institutions with information sharing practices, ACB does not believe that such
proposals warrant legislative action. ACB supports the decision by the House not
to include in H.R. 10 an opt-out requirement on information sharing activities
between affiliates. The bill defines "affiliate" as "any company that controls,
is controlled by, or is under common control with another company." Because of
the required controlling relationship between a bank and an affiliated firm, any
customer information sharing in which these businesses engage must be kept
within the same corporate family structure. An even tighter relationship can be
found in cases where a bank owns a service corporation, as many ACB member
institutions do. At the same time, ACB reiterates its opposition to legislation
that would unfairly discriminate against smaller community banks which use third
party contractual relationships for the same information sharing purposes for
which larger banks use affiliates. We do not, however, believe that imposing
restrictions on affiliate information sharing practices is an acceptable way to
ensure fairness. Instead, we continue to encourage Congress to target the
opt-out requirement to specific information sharing activities, practices, or
relationships which raise appropriate concerns, or failing that, to exempt from
the opt-out requirement those legitimate activities, practices, or relationships
with third parties. In addition, we believe that the study of affiliate
information sharing required by H.R. 10 represents a prudent course at this time
for identifying any future problems that should be addressed in law. ACB would
also oppose an opt-in requirement for information sharing with third parties.
While this idea might seem attractive to some people in theory, the real-life
impact of such a draconian requirement would mark the effective end of many
marketing activities. Consumers would stand to lose the most from such a
mandate, because they would lose access to information about many of the
products and services that can be offered today as a result of appropriate
information sharing arrangements. Finally, ACB would oppose any proposal to
create a private right of action as a means of enforcing privacy protection
requirements. Such a right of action has the potential for flooding banks -
particularly smaller, community banks - with frivolous litigation, thereby
hindering their ability to serve their customers and communities. We believe
that the bill s use of functional regulation represents the best means of
enforcing the privacy protection requirements in H.R. 10. Conclusion As I
conclude my statement, I would like to reiterate a point that I made at the
outset of this testimony. In addition to working in the financial services
industry, our members are also consumers. The practices in which they engage
affect all of us. In order to maintain the trust and confidence of their
customers, our members are committed to not engaging in excessive or abusive
information sharing practices. They just want the continued ability to
efficiently serve the financial needs of their customers and local community.
While financial information privacy has been a hot-button issue with the general
public, it should not be forgotten that the financial services industry
represents just one segment of our nation s economy, and the segment that is
most secure. With every transaction you make - whether with a financial
institution, a department store, a mail-order catalog company, or other business
- information is created. Sometimes, the data you generate may be found later on
someone s mailing or telemarketing list, but if it does, it most likely did not
come from a financial institution. While the information sharing practices of
financial institutions should be examined by Congress, as these hearings do,
other industries must be required to participate in the effort to reassure the
public that their personal information will be protected. And with the ever
expanding use of the Internet, the importance of their inclusion is almost
certain to increase. Again, Madame Chairwoman, let me commend you for holding
these very important hearings and thank you for the opportunity to testify today
on behalf of America s Community Bankers. We look forward to working closely
with you, the Congress, federal regulators, and the general public to protect
the personal financial information privacy rights of consumers. Speaking on
behalf of our member institutions, I can assure you that we at ACB will do our
part.
LOAD-DATE: July 21, 1999
