
A copy of the testimony is presented below.
Thank you for the opportunity to present testimony regarding issues of financial privacy. Your hearings, Madam Chairwoman, will provide a forum for a comprehensive discussion and analysis on how best to proceed with any privacy legislation.
The Electronic Financial Services Council was established in January of 1999. Its mission is to meet consumer needs for easier access to financial products and services by updating laws and regulations to facilitate electronic commerce. The Council seeks to promote legislation and regulations designed to ensure that electronic commerce continues to revolutionize the availability and delivery of financial services, including mortgage loans, insurance products, investment products, consumer loans and on-line banking.
Membership in the Council is open to businesses regularly engaged in offering, originating, servicing, investing in or facilitating the delivery of financial services through electronic commerce. The Council does not restrict its membership based on a company's charter or license, but seeks to bring together leading companies from various sectors within the financial services industry which share the goal of promoting electronic commerce.
While this testimony presents the views of the Council, individual members may on some issues adopt positions differing from those expressed herein.
Perspectives on Financial Privacy
As companies providing financial services both on and offline, members of the Council are sensitive to the need to protect the privacy of customer information, as is shown by the business policies and practices that Council members have voluntarily adopted. The availability of privacy protections is increasingly becoming a competitive feature in the offering of financial products through electronic commerce.
In fashioning any privacy policy, both the private sector and the government need to consider the extent to which the collection and use of individual information has direct benefits to consumers. In the financial services industry, the collection, analysis and use of individual customer information lowers the cost of credit and other financial services to consumers in numerous ways:
It enables the development and use of credit scoring models and automated underwriting systems.
It facilitates secondary market sales.
It assists anti-fraud efforts.
It facilitates the development of new products tailored to consumer needs.
It allows marketing to be targeted to consumer preferences rather than being wastefully broadcast.
As technology improves, the uses of individual customer information will increasingly influence the creation and delivery of innovative financial services, helping to produce better services and making their delivery more effective and more responsive to consumer preferences and needs. In our efforts to protect the privacy of individual consumer data, we should be careful not to adopt standards which impair the beneficial uses of data regarding consumer preferences.
As noted in the recent Federal Trade Commission Report on online privacy (July 13, 1999), the flexibility inherent in a market-driven, market-enforced system should not be overlooked. Companies that do not adequately respect consumer privacy concerns as those concerns develop may be expected to lose market share. It has been the experience of our members that those companies that respond quickly and effectively to consumer demands for privacy are more likely to prosper. In a world where consumer privacy expectations are continually evolving, one can make a strong case that the best system for dealing with consumer privacy concerns is a market-driven one like that developing in the online world.
In addition to market forces, it should be noted that specific statutes already in place related to unfair and deceptive practices give state attorneys general and the FTC the ability to deal with abuses or the failure of a company to comply with its stated privacy policy, and they are doing so.
Although we believe that market forces are addressing privacy concerns and will continue to bring about enhancements in the privacy protections provided by financial services firms to the public, we recognize the desire expressed by the House to adopt national standards. In this regard, if Congress chooses to legislate with respect to privacy standards, it would be desirable that such legislation take the form of a uniform national privacy standard. Such a standard would be particularly appropriate in a borderless environment such as the Internet. Even in the absence of a uniform national standard, however, we would ask that any legislation adopted by the Congress be clear and effective, and to that end we would like to suggest some areas which we believe might benefit from clarification.
Comments on H.R. 10's Financial Privacy Provisions
This hearing provides the first opportunity to comment on the provisions on financial privacy contained in H.R. 10, the "Financial Services Act of 1999." Because these provisions represent the first statement of Congressional intent with respect to financial privacy regulation, we believe that a careful review of the specific provisions of this proposal will greatly assist in developing and refining a record of such Congressional intent. Your foresight in calling these hearings, Madam Chairwoman, is to be commended. You have provided the first Committee forum for expression of views by the public on this important issue.
Scope of Coverage of the Privacy Provisions
1. Definition of Financial Institution
H.R. 10's definition of "financial institution" would cover all institutions that engage in financial activities or activities "incidental" to financial activities, as defined by H.R. 10. Is the term "financial institution" intended to be restricted to companies which are chartered or licensed to provide financial services or is it intended to cover any business which may engage in an activity in which a financial services holding company is permitted to engage? For example, the Comptroller of the Currency recently ruled that a bank may act as a retail website host because the provision of such service is deemed to be the "business of banking." Would all website hosts be deemed to be "financial institutions" for the purposes of the privacy provision of H.R. 10?
If it is the intent of Congress to regulate "financial institutions" as that word is commonly understood, the term probably should be defined to include entities which are chartered or licensed by a state or the federal government to provide financial services to the public. This definition would be broad enough to cover not only the traditional, chartered providers of financial services such as banks, insurance companies and securities firms, but also mortgage brokers, small loan companies and others who are licensed to provide financial services to the public. The scope of the definition should include any company receiving non-public, personal financial information from a financial institution, but would not sweep in any company, whether affiliated with a financial institution or not, that does not receive non-public, personal financial information from a financial institution.
In the alternative, if it is the intent of Congress that any person or entity receiving "nonpublic personal information" should be covered by the privacy provisions of H.R. 10, then that should be made clear and there would be no need to introduce the concept of "financial institution" into the privacy amendment. Such an approach would, of course, encompass a broad range of business entities who receive information that may be characterized as "nonpublic personal information." This would put a high premium on defining very precisely what constitutes "nonpublic personal information," and it would be important that all persons required to comply with H.R. 10's privacy provisions be given an opportunity to comment on the effect of the legislation on their operations.
2. Definition of Nonpublic Personal Information
The privacy subtitle defines "nonpublic personal information" to include personally identifiable financial information that is:
provided to a financial institution by a consumer,
resulting from any transaction with the consumer, or
"otherwise obtained by the financial institution."
The third category could encompass information obtained by a financial institution outside the context of any customer relationship. Although publicly available information is exempt from regulation, the legislation leaves it to the regulators to define what constitutes publicly available information.
The legislation also leaves to the regulatory process a precise definition of what constitutes personally identifiable financial information. Because this concept is so central to legislative intent, it would be desirable to give these words more precise meaning. One way to do so would be to exclude from the definition information which is "otherwise obtained by the financial institution," thus confining the protected information to information relating to a person's finances supplied to a financial institution by a customer or generated by the financial institution in connection with a transaction with the customer, including the fact that the customer has established an account or other relationship with the financial institution. This would exclude information on potential customers which is obtained by a financial institution outside of the context of any customer relationship.
In addition, Section 509(4)(C) of the legislation states that the term "nonpublic personal information" shall include any . . . "grouping of consumers (and publicly available information pertaining to them) that is derived from using personally identifiable information other than publicly available information" (emphasis added). Can nonaffiliated companies aggregate individual data into a larger shared inter-company database (for purposes of analysis only) without receiving consent? This provision could make the business of aggregating and analyzing information, which is essential to the effective use of information, cumbersome and expensive outside of a single financial services institution.
3. Retroactive Impact
H.R. 10 does not discuss what restrictions, if any, apply to information collected prior to the enactment of the bill's privacy protections. It would seem to apply to all "nonpublic personal information" which may have been obtained by any means by a "financial institution." While it might be feasible to disclose privacy policies and offer an opt out to consumers on a going forward basis, the burden of offering an opt out to present and former customers before sharing, for example, information "derived" from "nonpublic personal information" could hamper any effective use of historical data regarding consumer preferences and performance. If this information is made inaccessible or difficult to use, the law could have the effect of frustrating important research needed for financial product development and enhancement of the delivery of financial services. We doubt that this is the intent of Congress, but clarification on this point would seem to be appropriate.
4. "Opt Out" Consent Requirement
Any consent requirement related to consumer data sharing could generate litigation unless legal requirements are very precisely defined. For example, questions may arise as to whether the consent was "informed." Was the disclosure complete? Must companies seek a general consent, or can they limit the proposed use of data subject to consent by describing specific uses? Can consent be revoked?
5. Timing of Privacy Notice
The bill provides that the consumer must receive information concerning the financial institution's privacy policy when the customer relationship "is established." This moment is hard to pinpoint, especially in an electronic context or in the more familiar telemarketing context. Would the relationship be "established" when you visit a website, when you use the Internet to shop for financial information, or when you provide nonpublic personal information?
Conclusion
The action of the House in early July to include privacy provisions in H.R. 10 reflects strong public demand that consumer privacy be protected by legislation. Because the members of the Council have adopted privacy policies along the lines of those which the House has provided for in the privacy amendment to H.R. 10, we understand the motivation for these provisions. However, we believe that it is important that Congress provide clear definitions regarding what companies are covered and what they must do to comply.