Copyright 1999 Federal Document Clearing House, Inc.
Federal Document Clearing House Congressional Testimony
July 21, 1999
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 4003 words
HEADLINE:
TESTIMONY July 21, 1999 GARY GENSLER HOUSE BANKING AND
FINANCIAL SERVICES FINANCIAL INSTITUTIONS AND CONSUMER CREDIT UNIONS FINANCIAL
PRIVACY
BODY:
Treasury Under Secretary Gary Gensler
Subcommittee on Financial Institutions and Consumer Credit
Committee on Banking and Financial Services
United States House of Representatives

Madam Chair, ranking Member Vento, and members of the Committee, I am pleased to have this
opportunity to present the Administration's views on the protection of personal
financial information. These issues are of great importance to the President and
the entire Administration, and we look forward to working with Congress to
provide American consumers the financial privacy protections that they deserve.
Privacy has been a cherished right to Americans since the founding of our
nation. Originally, the idea was predominantly one of privacy from governmental
interference: privacy in one's home and one's person. The citizenry's fear of
governmental intrusions on privacy was rooted partly in American history -- our
rejection of tyranny -- but also in practicality. Businesses had neither the
means nor the incentive to invade one's privacy. But over time, the notion of
privacy has evolved. The right is no less cherished, but the threats to it are
new. When, a century ago, Louis Brandeis famously enunciated privacy as a "right
to be let alone," he was referring to privacy from the press. Today many
Americans increasingly feel their privacy threatened by those with whom they do
business. In particular, financial institutions and others are able to
consolidate information about spending and investing habits. Americans want the
ability to earn, invest, and spend their money without having to expose their
lives to those who process their transactions -- just as they would not expect a
letter carrier to read their mail. Americans deserve that right, and financial
services firms wishing to maintain their trust would benefit by embracing it.
For much of our history, consumers were justifiably confident about their
financial privacy. Most of their day to day transactions were conducted in cash.
They obtained financial services from local firms. Records were kept on paper
ledgers rather than in computers. A small town banker, a local securities
broker, or an insurance agent knew the customer's financial circumstances and
tolerance for risk, to best anticipate the customer's financial needs. Yet
customers were confident that the banker, broker or insurance agent would not
share that information. Doing so would have been considered a breach of personal
trust. That confidence is understandably on the wane today. The first cracks in
that confidence began to appear in the late 1960s, as unprecedented amounts of
credit information were collected in new, national databases. Congressional
hearings revealed that many credit files contained inaccurate and damaging
information, and that consumers often had no way to correct errors that could
lead to a denial of credit, employment, or insurance. The resulting Fair Credit
Reporting Act was the first federal law directed at financial privacy. The Act
limited the purposes for which credit report information could be distributed,
and granted individuals access to their credit histories and the ability to
correct errors. Amendments to the Act in 1996 recognized that customers should
have notice and the ability to opt out of certain information transfers. Taken
together, these were significant privacy protections for their times. Much has
changed, however, since the Fair Credit Reporting Act was passed in response to
the mainframe computers of the 1960s. We are in the midst of three important and
significant changes in the financial services sector: a technological
revolution, industry consolidation, and a move away from cash towards electronic
transactions. First, today's ordinary desktop computer is significantly more
powerful than the mainframe of 30 years ago. Vast amounts of information can be
stored, sorted, manipulated, and analyzed at lower and lower costs. Advances in
telecommunications allow for this information to be sent virtually anywhere on
the globe in a fraction of a second. Financial services firms are collectively
spending billions of dollars per year to further enhance their technologies. A
second key change is the growing integration and consolidation of financial
services providers. Interstate banking and branching has allowed banks to grow
larger than ever before, and the removal of regulatory restraints has allowed
banking organizations to offer more insurance and securities services. Even
those smaller banks that have avoided consolidation often broaden their services
by contracting with other financial services providers. At the same time,
insurance companies are offering products that compete with bank products, and
investment banks are in the lending business. These developments have brought
considerable benefits to consumers, in the form of operating efficiencies, new
products, and better prices for customers. The desire of large, integrated
financial services firms to profit from their scale and cross-sell their
products, however, has created a powerful incentive to treat consumer data as a
business asset. Consolidation and technology also have allowed the relationship
between financial institutions and their customers to become increasingly
impersonal. Fewer customers walk into branches to deal with a personal banker,
as more customers drive up to ATMs or log onto the Internet. Third, there is an
increasing use of electronic means of payments and receipts. Americans'
increasing use of credit cards, debit cards and (more recently) electronic bill
payment in lieu of cash now allows financial services companies to collect a far
greater amount of information. Direct deposit now means that a bank knows not
only what you spend but how much you earn, and from whom. A generation ago,
financial privacy meant keeping private your salary, your bank balances, and
your net worth. Today, financial privacy means keeping secret your entire way of
life. The typical credit report in 1970 would have shown only that a customer
had received a total of, say, $5,000 of credit, and had repaid it on time. The
credit card records of 1999, by contrast, can list each and every purchase ever
made by that customer, sorted by date, location, and other details. Furthermore,
if credit card companies work together with merchants, then the level of detail
can become even more refined -- each dish ordered at a restaurant or each book
title bought at a store. Taken together, these three trends -- a technological
revolution, industry consolidation, and the movement from a cash to electronic
payment and receipt system -- are the means, motive, and opportunity for
financial services firms to mine consumer information for profit. Our challenge,
therefore, is to protect the privacy of consumers while preserving the benefits
of competition and innovation. On May 4, the President outlined the
Administration's Financial Privacy and Consumer Protection in the 21st Century
initiative. Protecting financial privacy led the list of key principles for
consumer protection. First, the President recommended enactment of legislation
to provide consumers notice and choice before their financial information is
shared or sold -- the right to say no. Central to this policy is the idea that
control of the self-portrait painted by one's financial information belongs to
the consumer, not the financial institution that processes the transactions.
Second, the President stated that consumers should not have to worry that the
results of their latest physical exam will be used to deny them a home mortgage
or credit card. The President therefore recommended legislation that would
impose special restrictions on sharing medical information within financial
conglomerates and with third parties, consistent with the Administration's
overall plan for protecting medical privacy. The President made clear in his
State of the Union Address his intention to work with Congress to pass a strong,
comprehensive medical record privacy bill this year. He has consistently
encouraged legislation that would expand our authority to protect the
privacy of medical information. Third, the President called for
giving back to regulators authority to monitor compliance with privacy
protections. Under the Fair Credit Reporting Act, for example, banking
regulators were in 1996 prohibited from examining banks for compliance with this
statute, as they do for other consumer protection statutes. Surely there is no
compelling reason for treating privacy less seriously than other statutory
consumer protections. When the President announced this agenda in May, some may
have viewed his proposals as ambitious. Only two months later, however, the
policy of notice and choice is gaining momentum. Leadership by the President and
members of this Committee and of the House has sparked a debate on this issue
that has educated policy makers and produced dramatic results. Most recently,
the House of Representatives passed with overwhelming bipartisan support a bill
providing notice and choice before personal financial information can be shared
with third parties. The House provided the enforcement mechanisms sought by the
President. It also generally prohibited the use of so-called "pretext calling"
-- albeit with an unwarranted exception that would allow investigators to commit
fraud in child support cases, while a subpoena would be the best approach.
Acceptance of the idea of notice and choice is an important step in protecting
financial privacy. Consumer choice over third party sharing, however, should be
the floor, not the ceiling. We should move forward to consider how consumers can
exercise choice over sharing of transaction and experience information within
financial conglomerates -- especially conglomerates which, under H.R. 10 and S.
900, would be able to engage not just in financial activities, but also
activities incidental and complementary to such financial activities. We should
prevent exceptions from swallowing the rule by prohibiting re-use of shared data
beyond the purpose for which it was shared. We should further ensure that any
new federal legislation add to -- as we believe H.R. 10 does, but should do so
more clearly -- rather than preempt existing protections in federal and state
law. And we should consider how to make any privacy protection regime workable,
all the while keeping in mind the significant economic benefits that information
sharing can bring to consumers. With that in mind, I will address five basic
issues that we believe the Congress ought to consider as it moves forward with
financial privacy legislation: what information such legislation should cover;
what notice is appropriate; what choice is appropriate; what exceptions may be
appropriate; and how any privacy regime is to be administered. Madam Chair, you
also requested that I discuss various privacy issues relating to the privacy
practices of state governments and the federal government, and of the Treasury
Department itself. I am attaching as an appendix a discussion of those issues
not addressed in my testimony.

Scope

The first issue is what financial
information should be protected. Under the Fair Credit Reporting Act, there are
currently no limits on sharing information about consumers' transactions and
experience. Thus, financial institutions currently are able to treat what a
person buys with checks and credit cards as information belonging to the
institution, and are free to sell it. The Administration believes that this
transaction and experience data must be protected, regardless of the type of
financial institution at which it is held. Checks written on a checking account
should share the same protections as checks written on a money market account.
H.R. 10 adopts this sound approach. We must consider, though, a future where
financial information may be consolidated -- and potentially mined -- at
non-financial firms. Many of us already provide a list of our assets to Internet
web sites, where daily performance can be monitored. Consumers might be
surprised if a list of stocks held at an Internet brokerage site were protected
as confidential, but a list of stocks entered at another type of web site could
be freely sold without notice or consent. Eventually, we may wish to look beyond
financial privacy. Like financial institutions, booksellers and other retailers
can build considerable databases and can sell them without customer knowledge or
consent. Your on-line bookseller may not only know what books you read, but what
books you considered buying, where you vacation, what music you listen to. The
Administration continues to support efforts at self-regulation. Industry efforts
over the past year have been impressive, but they still have a long way to go.
We will want to continue scrutiny of these non-financial areas.

Notice

Notice
is fundamental to privacy protection. The Administration believes that every
financial institution should establish and disclose a privacy policy that
encompasses information sharing with both affiliates and third parties.
Disclosure of an institution's information practices is a precondition to
consumers choosing how their information will be used, or choosing to do
business elsewhere. The Administration believes that a meaningful notice should
be provided before a customer opens an account and at least annually thereafter.
The contents of the notice should be sufficient to inform the customer of the
uses that will be made of their information and to whom it will be transferred.
That said, the exact contents of a notice may be best left to a rulemaking
process where public comment can be solicited.

Choice

The next issue is that of
choice -- under what circumstances customers should be able to restrict the uses
a company makes of their data. The Administration believes that consumers should
have the choice to opt out of -- that is, say no to -- the use of their data by
both third parties and affiliates. Although the uses of affiliate sharing
generally tend to relate more to the consumer's original expectations than
third-party sharing, this will not always be the case. Under both pending
financial modernization bills, affiliates of banks will be permitted to engage
in any financial activity, any activity incidental to financial activities, and
to some extent in any activity complementary to such activities. Unless the
language is clarified, commercial companies held pursuant to merchant banking
and joint venturers -- perhaps even telemarketers -- could be considered
affiliates. I would also note that restricting only third party sharing would
tend to confer a competitive advantage on large banks, which have many
affiliations, as opposed to small banks, which tend to use third parties to
service customers. Congress has embraced notice and choice -- for both
affiliates and third parties -- in the Fair Credit Reporting Act. The FCRA has
given consumers the right to notice and the opportunity to opt out before a
company shares certain credit information with an affiliate. Financial firms
have proven the practicality of notice and choice through the implementation of
the FCRA. Most recently, U.S. Bancorp, in response to a suit brought by the
Minnesota Attorney General, has agreed to notice and opt out before transaction
and experience data can be shared with affiliates for direct marketing purposes
and with unaffiliated third parties for purposes of marketing financial products
or services of the unaffiliated third party. The settlement prohibits sharing
information with third parties for purposes of marketing non-financial products.
Nonetheless, some have contended that customers need not have choice over
information sharing because they possess the ultimate choice: the ability to
take their business elsewhere. We believe that customers are less able to "vote
with their feet" on financial privacy than may first appear. Changing one's bank
or broker is not a simple matter. It requires a considerable investment of
effort and time, as one checking account must be run off as another is created,
as direct deposit orders must be reissued, as checks must be reprinted, as new
codes must be memorized, as stocks must be transferred. It is a change that most
of us make only when we are extremely dissatisfied with our current
circumstances. For that reason, the Administration believes that choice must be
guaranteed by law. In most cases, we support the notice of "opt out" choice --
that the sharing may occur so long as the customer is given notice and the
opportunity to object. In some cases, with particularly sensitive information
such as medical information, an opt in may be appropriate. We also believe that
these choices should not be circumvented by allowing a financial institution or
an affiliate to do the marketing itself, on behalf of the third party. Choice
would allow consumers to make their own decisions as to the potential tradeoff
between their financial privacy and the various marketing opportunities and
other potential benefits of information sharing. This is a very personal
decision which is most appropriately left to an individual.

Exceptions

While the
Administration is firmly for choice, we also believe that there is a need for
balance. There are some types of information sharing where customer choice may
not be appropriate -- where allowing customers to opt out of information sharing
is counterproductive or too costly. The most obvious case is sharing of
information with appropriate law enforcement authorities. Another example is the
sharing of information in order to facilitate the processing of individual
transactions -- clearing checks, for example. Other types of information sharing
present difficult tradeoffs. In approaching any exceptions and the general
policy of choice, we think three questions are appropriate:

- First, what is the consumer's reasonable expectation of privacy? This in turn
  largely depends on the type and sensitivity of the information. Most people
  expect that their checks will be processed efficiently -- even if by third
  parties -- but not that anyone processing the data will be able to learn how
  they live their lives. They also don't expect that information to be sold
  without their consent.
- Second, what is the purpose of the transfer? Does it directly benefit the
  consumer or mostly just the company? Is the company using the information to
  directly serve the customer, or is the company primarily using or sharing the
  customer's information for another purpose?
- Third, what are the costs of allowing choice? Does it significantly (i)
  disrupt the functioning of the enterprise, (ii) raise costs to consumers, or
  (iii) disrupt markets?

Any decision should be based on a
balance of these factors. The Administration strongly believes that in most
cases the balance counsels for choice, whether the sharing be with a third party
or an affiliate. We also support strict limits on re-use of information shared
pursuant to any exception, to the extent that such use exceeds the excepted use.
Perhaps the clearest case for choice is in the area of medical privacy. Although
a company may have economic incentives to share medical information, no consumer
expects that in consenting to a physical examination for an insurance policy, he
or she is endangering an ability to obtain credit or employment. For that
reason, the Administration favors strong restrictions on the ability of any
company, including insurance companies, to share medical
information. We strongly oppose, however, the medical
privacy provisions of H.R. 10. These provisions contain significant
exceptions that would, for example, allow re-use of medical information by
companies with whom the information is shared, preempt state law, and allow an
insurance company to ship information to other companies under the rubric of
marketing research in circumstances that neither current practice nor future
regulations would likely permit. The provisions also would create uncertainty
about the authority of the Department of Health and Human Services to establish
stronger protections for customers of financial services companies. Notably, the
provisions in H.R. 10 apply to insurers, who are central to the functioning of
the medical system. Such a broad scope would significantly undermine efforts to
craft meaningful, comprehensive medical privacy legislation, and would erode
existing protections. The Administration strongly urges that these provisions be
stricken from the bill in conference. The sale of marketing information to a
third party -- or using such information on behalf of a third party -- also
appears to be a clear case where no exception to notice and choice is
appropriate. A consumer doing business with a financial institution would not
expect the information generated through that relationship be sold for
unrelated, especially non-financial, purposes. In such a case, the financial
institution would be selling the information primarily for its own profit, not
the customer's benefit. Due to advances in technology, maintenance of a "do not
market" list has become more easily achievable. In some cases, though, the case
for an exception may be stronger. Financial services firms may wish to provide
customers a consolidated account statement including accounts from different
affiliates within the organization. Here, the case for an exception from opt out
appears appropriate. Customers could reasonably expect to have their financial
information presented to them in a comprehensive way; the consolidated statement
is done for the convenience of the customer, who is able to correct any errors;
and the cost of requiring separate mailings for each account could be
considerable. Other cases present more difficult tradeoffs. For example, with
respect to risk management, one could conclude that a customer who has defaulted
on one loan from a financial organization should not reasonably expect to be
able to shield that information from an affiliate considering a second loan.
Allowing the information to be shared protects the depository institution from
loss, and should result in lower prices for creditworthy borrowers. The same
also could be said of information on the timeliness of a customer's payments to
the institution -- assuming that such an exception is implemented in a way that
ensures that the customer receives notice that such information sharing is
occurring and has access to and the ability to correct such information. The
idea that a sister bank could, however, deny a loan because a consumer's credit
card reveals risk-taking behavior -- say, the recent purchase of a skate board
or a sports car -- is far more troublesome. Thus, any information about where a
consumer is spending money, or the purposes for which the consumer is obtaining
credit, should remain subject to notice and opt out. How we live our lives, what
we believe, the choices we make -- all of these very personal pieces of
information should not be shared without our consent.

The Need for Regulatory Flexibility

Each of the issues we have just discussed is complicated, and the
answers may well change as technology and business practices advance. The
complexity and uncertainty of the task at hand suggest two further points.
First, we should allow many of the details to be worked out by the regulators
that know the financial services industry best, after taking into account public
comment. The agencies that examine financial services firms and follow industry
trends should be responsible for writing and enforcing privacy rules applicable
to the firms that they regulate. Second, a transition period would be
appropriate so that financial institutions can reprogram their systems to take
account of customer choices.

Conclusion

Thank you for allowing me to appear
today on an issue of such importance to the Administration. I welcome your
questions.
LOAD-DATE: July 24, 1999