My name is John Dugan, and I am a partner with the law firm of Covington & Burling. I am testifying today on behalf of the Financial Services Coordinating Council ("FSCC"), whose members include the American Bankers Association, American Council of Life Insurers, American Insurance Association, and Securities Industry Association. These organizations represent thousands of large and small banks, insurance companies, and securities firms that, taken together, provide financial services to virtually every household in America. I have represented the FSCC on financial privacy issues since the organization was formed in late 1999, and in that capacity I have advised on implementation issues involving the privacy provisions of the Gramm-Leach-Bliley Act ("GLB Act") and related regulations; participated in the Federal Trade Commission’s interagency task force on notices; helped coordinate our task force devoted to improvements in privacy notices; and testified on a number of occasions before Congress and state legislatures on GLB Act issues and various financial privacy legislative proposals.
The FSCC appreciates the opportunity to testify before this committee on the status of financial privacy regulation, in our case from the perspective of the financial services industry. Our testimony focuses on (1) the balance Congress struck in the Gramm-Leach-Bliley Act ("GLB Act"); (2) our experience with implementing the Act, including the reaction of our customers; (3) our views on the appropriate relationship between federal and state privacy laws; and (4) some thoughts going forward.
The Balance Struck in the GLB Act
Every commercial privacy law strikes a balance between protecting the privacy interests of consumers and preserving the clear consumer benefits that arise from the free flow of information in the economy. While consumers expect limits on the disclosure of their information, they also expect companies to provide them with benefits that can only be provided through information sharing. For example, a loyal, long-time depositor in a bank wants and expects to receive a discount on a mortgage loan offered by a related mortgage company affiliate, and such "relationship discounts" can only be provided through information sharing. Privacy laws try to balance these competing consumer expectations.
In terms of financial privacy, we believe that Congress struck the right balance in 1999 when it adopted the privacy provisions of the GLB Act against the backdrop of the pre-existing privacy protections provided by the Fair Credit Reporting Act and other federal and state statutes. Through exceptionally broad definitions, the GLB Act’s protections apply to virtually all personal information held about the individual consumers of more than 40,000 financial institutions in this country -- including less traditional "financial institutions" such as check cashers, information aggregators, and financial software providers. Coupled with protections mandated by the Fair Credit Reporting Act ("FCRA"), these consumers now must be provided--
In addition to these protections, customers of financial institutions that handle personal health information, i.e., insurance companies, receive the extensive privacy protections of federal and state medical privacy laws. Taken together, the FSCC believes that this set of provisions forms the most comprehensive set of privacy protections that has yet been implemented in the United States.
We recognize that these protections are not as restrictive as some would have wanted, including some of the witnesses on today’s panel. But by any measure, compared to three years ago consumers have much more meaningful information, choice, and security regarding the way that financial institutions handle their personal information.
At the same time, the GLB Act appropriately allows financial institutions to share information with others for a variety of plainly legitimate purposes without separate consumer consent, e.g., to carry out transactions requested by the consumer, to deter and detect fraud, to respond to regulators and judicial process, etc. While many of these "doing business" exceptions were viewed suspiciously by critics at the time the Act was passed, they have proven to be sensible and non-controversial provisions covering sharing for which consumer consent is simply inappropriate.
The FSCC also continues to support Congress’ decision to treat information sharing by companies under common control in the same manner as sharing within a single institution; both are situations in which the GLB Act’s opt-out requirement does not apply. The fact is that many financial institutions operate through affiliated financial entities, often with very similar names, rather than through divisions of a single institution. For purposes of the opt-out, Congress sensibly elected to ignore such artificial separations and treat affiliates as part of a single organization rather than as entirely distinct entities. This decision reflected the fact that consumers are unlikely to distinguish between, for example, a community bank and the community bank’s affiliated mortgage lending company. Instead, consumers are likely to expect that both affiliates are part of a single community banking organization where information is shared within that corporate family. The decision also reflected the fact that the sharing of sensitive credit and insurance application information with affiliates is already subject to an opt-out requirement under the Fair Credit Reporting Act.
Finally, we also continue to believe that Congress made the right choice in requiring that a financial institution provide its consumers with the right to opt out of the financial institution’s sharing of the consumers’ personal information with third party commercial companies. This decision reflected the view that sharing personal information with such nonaffiliated third parties (other than for the exceptions described above) is different in nature than sharing information with companies within a corporate family or with financial institution marketing partners -- and that it is sufficiently different from consumer expectations that a consumer ought to be given the choice to opt out of such sharing.
In making this choice, however, Congress rightly rejected an opt-in approach, because there is a fundamental flaw with the way such requirements work. Opt-in provisions deprive consumers of benefits from information sharing (such as the depositor’s relationship discount on a mortgage loan described above), because consumers rarely exercise opt-in consent of any kind—even those consumers who would want to receive the benefits of information sharing if they knew about them. In essence, an opt-in creates a "default rule" that stops the free flow of information. This in turn makes the provision of financial services more expensive and reduces the products and services that can be offered, which actually frustrates consumer expectations. In contrast, an opt-out gives privacy-sensitive consumers just as much choice as an opt-in, but without setting the default rule to deny benefits to consumers who are less privacy-sensitive.
Implementation of the GLB Act
The privacy provisions of Gramm-Leach-Bliley were enacted in 1999, and financial institution regulators subsequently issued detailed privacy regulations that became effective just over a year ago. This appears to be the first time that the federal government has implemented such a comprehensive commercial privacy regulatory regime affecting such an important sector of the nation’s economy. In a sense, financial institutions have been the "guinea pigs" for this process, and much has been learned by both the regulators and our industry.
The implementation process has been massive, involving eight federal regulators, 51 state insurance regulators, and over 40,000 financial institutions. Companies have conducted detailed auditing of their information practices; developed and issued over 2.5 billion privacy notices; established new compliance systems; trained personnel; and reconfigured systems to handle and monitor consumer opt-outs.
Financial institutions have also upgraded their already extensive security policies, procedures, and systems to comply with the security mandates of the Act. For example, company employees with access to confidential customer information are often required to adhere to many different types of procedures designed to protect the physical security of that information, including disclosing information to other employees only on a "need to know" basis; locking confidential files and clearing desks before going home; and using special passwords to access information. In addition, some companies control access through use of security systems and computing platforms, where users are authenticated by means of logon identifications and/or secret passwords. In some cases digital certificates are also used for purposes of authentication and non-repudiation; access control lists limit levels of access based on job employee functions; and formal data classification schemes ensure that sensitive data is stored only on secure platforms. These are just a sample of the many steps that firms are taking in the security area.
In short, while tremendous progress has been made, GLB implementation is still very much a work in progress, and financial institutions continue to learn, adjust, and improve their privacy and security practices over time. One thing is certain, however: as the result of the Gramm-Leach-Bliley’s notice, choice, and security requirements, financial institution customers are far more privacy and security-protected than they were three years ago, and far more protected than the customers of most other types of companies. We believe that consumers have responded favorably by continuing to put their trust in the companies that handle their financial assets and their financial needs.
Indeed, despite generic polls showing that consumers remain concerned about their privacy, financial institutions have received a miniscule number of customer complaints about the GLB Act procedures or other privacy concerns. The same is true of financial regulators. For example, in response to a Freedom of Information Act request regarding all financial institution complaints received in 2001, the Federal Reserve reported that it had received only 25 privacy-related complaints out of the 4,503 complaints it received, or .0056% of the total, with similarly low numbers reported by the Office of Thrift Supervision (6 of 4,921, or .0012%), Federal Deposit Insurance Corporation (137 of 6849, or .02%), and Office of the Comptroller of the Currency (368 of 17,228, .0214%).
In addition, most financial institutions do not share information with third parties, such as commercial companies, in a way that triggers the need for the GLB Act opt-out requirement. For example, roughly 89 percent of a recent sample of approximately 400 banks conducted by the American Bankers Association did not share information in this way. For those institutions that do share with third parties in a way that requires providing the opt-out to consumers, the opt-out rates have generally been low, and in nearly all cases under 10 percent. The FSCC strongly disagrees with those who suggest that low opt-out rates mean that the GLB process is not working. To the contrary, our members believe that the low rates show that consumers trust their financial institutions to share their information in an appropriate manner, or that they are less sensitive to privacy concerns than has been suggested.
Based on initial implementation experience, the FSCC recognizes that the privacy notices constitute one area in which improvements can be made. This is by no means as easy as it sounds, however, because the notice requirements of the GLB Act are quite detailed. The financial institution regulators tried hard to simplify these requirements in their implementing regulations, including through the use of sample clauses, and they told institutions that a notice complying with the GLB Act could fit on a six-page, "tri-fold" brochure. In their first round of notices, financial institutions generally took this approach and used the sample clauses, while at the same time carefully scrubbing the language to ensure compliance will all requirements of the statute and regulations.
Proceeding this way was absolutely necessary to ensure that the notices satisfied the regulators’ "clear and conspicuous" requirement and minimized exposure to legal liability. Indeed, the regulators have challenged very few notices as failing to comply. Nevertheless, a six-page notice is not short, and language from the sample clauses such as "nonaffiliated third party" and "nonpublic personal information" are obviously the type of "legalese" that some consumers and critics have found difficult to understand.
Unfortunately, financial institutions now find themselves in a bit of a "Catch 22." They spent hundreds of millions of dollars to carefully develop the first round of compliant notices and mail them to consumers, and financial institution consumers received more information about company privacy practices than consumers of virtually any other industry in the country. Yet these very same notices, because of their length and use of legalistic terms suggested by the regulations, have received a great deal of negative attention in the media.
To address these concerns, the financial services industry is proceeding down two paths simultaneously. First, a number of institutions have simplified the language used in their second round of annual privacy notices, though carefully so as not to stray from the requirements of the regulation. We believe the second round of notices will be more "user friendly" than the initial notices.
Second, both financial institutions and their regulators have focused on the idea of exploring a simplified "short form" version of the notice that would supplement, but not replace, the longer "legal notice" required by the GLB Act and regulations. The FTC convened an interagency and industry workshop to discuss this and other notice issues, and industry efforts are underway to examine the short-form concept more carefully. The basic idea of the short-form notice is to use simplified terms, be much less legalistic than the longer notice, keep the length to one page, and use common language that would make it easier for consumers to compare institution privacy policies over time.
The FSCC is leading a project on the short-form notice. We have convened a task force representing a cross-section of institutions from the banking, insurance, and securities industries; hired a well-known language expert to advise on short-form issues; and have nearly completed the initial drafting phase of several possible alternatives.
While we believe this project is promising, it is by no means simple, as I mentioned previously. There is no true "one-size-fits-all" solution, because institutions have different privacy practices that call for different types of disclosures.
Relation Between Federal and State Privacy Laws
There seems to be a great deal of misunderstanding about Gramm-Leach-Bliley’s effect on state privacy laws, as well as on the amount of state legislative action that has occurred on financial privacy issues generally. On the first point, section 507 of the GLB Act makes clear that its privacy provisions would not preempt any state law in effect simply because the state law affords greater privacy protections to consumers than the Act’s provisions. Of course, this provision by its terms does nothing to limit the preemptive effect of any other federal statute, specifically including the Fair Credit Reporting Act’s preemption provision that applies to state law restrictions on affiliate information sharing.
Some state legislators seemed to interpret section 507 as an affirmative invitation by the federal government to the states to adopt more restrictive financial privacy laws than Gramm-Leach-Bliley. This interpretation spawned a great deal of state legislative interest in new financial privacy laws immediately after passage of the GLB Act in 1999. The FSCC and numerous other representatives disagreed with that interpretation and testified to that effect before a number of state legislatures. Our position consistently has been that there was no such federal invitation for states to act in Gramm-Leach-Bliley; that states should not rush to act before the GLB Act has been fully implemented and given a chance to work; and that a patchwork, uneven body of differing state privacy regulation would be extremely costly and counterproductive. In short, we believe that a single uniform standard in federal law is the most appropriate method for regulating financial privacy.
This leads me to the second point of confusion. While there has been a flurry of activity and debate at the state level in the wake of passage of the GLB Act in 1999, during this period no state legislature has adopted a comprehensive financial privacy statute that has exceeded the obligations of the GLB Act. Nearly 40 states considered such privacy legislation in 2000, but no such statute was enacted. About half that number revisited the issue in 2001, again without final action. And this year, only California has come close to enacting a new privacy law, but for the third time in three years, the legislature has chosen not to act.
We recognize that North Dakota first chose to conform a pre-existing bank privacy opt-in law to the limits of Gramm-Leach-Bliley, only to have an initiative restore the pre-existing law. In addition, regulators (but not legislatures) in New Mexico and Vermont have issued additional financial privacy regulations (though the Vermont legislature had earlier rejected an effort to increase financial privacy restrictions, and a lawsuit has been filed to challenge the Vermont regulation as beyond the scope of Vermont statutory authority). But taken together, these few actions simply do not constitute a groundswell of state action to impose more restrictive financial privacy regulation.
To the contrary, with the notable exception of California, the state focus on financial privacy legislation has diminished considerably over time since the GLB Act was enacted. The FSCC believes this is due in large part to an increased understanding that (1) the Gramm-Leach-Bliley protections are substantial and need to be given a chance to work before states decide to act further; and (2) it is not nearly as easy as it seems at first blush to adopt financial privacy restrictions without causing unintended consequences that increase costs and deprive consumers of real benefits.
Actions in the Future
The Gramm-Leach-Bliley’s privacy protections are real, and the implementation, adjustment, and enforcement process is ongoing. This is not to say that improvements cannot be made, however. In particular, the FSCC believes that the process for improving the privacy notices is well worthwhile, and we plan to pursue that process actively in the coming months, both within the industry and with our regulators.
In terms of federal legislation, we believe that any additional action that Congress considers with respect to privacy issues should be targeted to specific harms rather than take the form of sweeping data protection restrictions. If the harm to consumers is identity theft, then the focus of legislation should be on deterring and remedying that problem specifically. Similarly, if consumers are most concerned about excessive telemarketing calls resulting from information sharing, then we believe that solutions should address that issue specifically. To do otherwise by imposing broad restrictions on information use and sharing (1) may do little to solve the specific harms at issue; and (2) may have very negative unintended consequences. Accordingly, the FSCC stands ready to work with this committee and other public policymakers to address specific consumer harms.
In this regard, however, the FSCC could not support any new financial privacy legislation that did not include federal preemption to ensure a uniform national privacy standard. The FSCC has similar concerns with respect to the FCRA provision that preempts state restrictions on affiliate sharing, but is scheduled to sunset by the end of 2003. The FSCC supports extending the sunset, as we believe that the uniform national affiliate-sharing provision has allowed financial institutions to serve their customers in the most efficient manner possible.
Thank you for allowing me to present the views of the FSCC today. I would be happy to answer any questions.
Home | Menu | Links | Info | Chairman's Page