Good morning, and thank you for inviting me to speak with you today on the important issue of financial privacy. I would like at the outset to recognize and express my gratitude for the critical role played by this Committee in the protection of consumers' financial privacy. Unfortunately, the Gramm-Leach-Bliley Act (GLB) (1) does not protect consumers' financial privacy as intended by this Committee. I recommend that this Committee take further action to ensure that its previous good work results in real protections for consumers.
In these comments I address the following topics:
GLB Does Not Protect Consumers from Harms Associated With Sharing Nonpublic Financial Information.
Congress intended Title V of GLB to protect consumers from abuses associated with sharing of nonpublic personal financial information. As a result of enforcement actions brought by State Attorneys General against information sharing practices of major banking institutions, Congress created Title V to protect consumers with respect to such sharing of their financial information. However, the provisions of Title V are insufficient to protect consumers from the harms associated with these practices, and pose considerable risks to consumers. The provisions that allow financial institutions to share encrypted account numbers and other forms of billing information for marketing purposes are particularly troublesome. Moreover, the notices issued by financial institutions under GLB have been dense and require a high reading level to comprehend, resulting in consumer confusion and inability to exercise informed choice. Congress should act to correct these problems, thus ensuring Title V's capacity to protect consumers in the area of financial privacy.
A. GLB Does Not Protect Consumers from Fraudulent Telemarketing.
The information held by financial institutions about their customers is highly valuable. While financial institutions might not disclose this highly valuable information to their competitors, they do disclose this information to marketing partners and third parties for the purpose of jointly marketing products and services unrelated to the customers' current service selection, and even unrelated to the particular type of services performed by the financial institution itself. The harm to a consumer resulting from this type of information sharing stems from the tactics sometimes used in marketing new products to the consumer, who usually does not realize that the marketer already has the consumer's credit card number, or access to the credit card account through an encrypted number or other unique means of identification.
Indeed, it was well known in 1999 that practices of sharing customer financial information by major banking institutions facilitated these telemarketing abuses. In the spring of 1999, the Minnesota Attorney General announced a settlement with US Bancorp, resolving allegations that US Bancorp misrepresented its practice of selling highly personal and confidential financial information regarding its customers to telemarketers. One year later, thirty-nine additional states and the District of Columbia entered into a similar settlement. (2) The states' investigation focused on the bank's sale of customer information - including names, addresses, telephone numbers, account numbers, and other sensitive financial data - to marketers. Based on this confidential information, the marketers made telemarketing calls and sent mail solicitations to the bank's customers in an effort to get them to buy the marketers' products and services, including dental and health coverage, travel benefits, credit card protection, and a variety of discount membership programs. Buyers were billed for these products and services by charges placed on their US Bancorp credit card. In return for providing confidential information about its customers, US Bancorp received a commission of 22% of net revenue on sales with a guaranteed minimum payment of $3.75 million.
As a result of the evidence uncovered through the US Bancorp case, Congress intended to limit the ability of financial services companies to sell or give their customers' nonpublic personal information to third party telemarketers. Congress intended to forestall these abusive telemarketing practices by specifically prohibiting financial institutions from sharing an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer with any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. (3)
However, the regulations adopted to implement GLB allow financial institutions to sell or share encrypted credit card numbers or other unique identifiers, which enables the telemarketing abuses that were at the heart of Congressional concern to continue unabated. The federal agencies' rules implementing this section on sharing of account numbers sets forth two "examples," the first one of which states:
Account number. An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the bank does not provide the recipient with a means to decode the number or code.
C.F.R. § 40.12(c) (emphasis added).
Thus, a telemarketer or other recipient of an encrypted account number or unique identifier is able to notify a financial institution that a particular consumer indicated a desire to purchase an item, thus causing the consumer's account to be charged, without ever asking the consumer for permission to charge the account. The financial institution then uses its decode mechanism, which it never shares with an unaffiliated party, to determine which account to charge. This type of marketing is known as "preacquired account" telemarketing. The possibility of unauthorized charges and fraudulent practices in such circumstances is greatly increased over situations where the consumer must affirmatively give a credit card number for the account to be charged.
Preacquired account telemarketing is inherently unfair and susceptible to causing deception and abuse, especially with elderly and vulnerable consumers. Preacquired account telemarketing turns on its head the normal procedures for obtaining consumer consent. Other than a cash purchase, providing a signature or an account number is a readily recognizable means for a consumer to signal assent to a deal. Preacquired account telemarketing removes these shorthand methods of consumer control. The telemarketer not only establishes the method by which the consumer will provide consent, but also decides whether the consumer actually consented.
The Federal Trade Commission, in its recent Notice of Proposed Rulemaking regarding the Telemarketing Sales Rule, has proposed prohibiting "preacquired account" telemarketing. (4) Forty-nine States, the District of Columbia and three Territories recently filed comments with the Federal Trade Commission that strongly support this proposal. (5) In their comments, these States, Territories, and the District of Columbia noted that the consequence of this fundamentally unfair selling method is clear: consumers are assessed charges for products they did not want, and did not understand they were purchasing.
Fleet Mortgage Corporation, for instance, entered into contracts in which it agreed to charge its customer-homeowners for membership programs and insurance policies sold using preacquired account information. If the telemarketer told Fleet that the homeowner had consented to the deal, Fleet added the payment to the homeowner's mortgage account. Angry homeowners who discovered the hidden charges on their mortgage account called Fleet in large numbers. (6) …. Approximately one-fifth of all calls by Fleet customers were about these preacquired account "sales." Customers overwhelmingly told Fleet that they did not sign up for the product, and wanted to know how it was added to their mortgage accounts without their approval, consent, or signature. (7)
This Committee should take the lead in protecting consumers from such abusive telemarketing practices by prohibiting the use of encrypted numbers, unique identifiers, and other means for accessing a consumer's account.
Moreover, it seems likely that, as information sharing increases, the risk of misuse or misappropriation of such information increases as well. It may well be that the greater the quantity and level of detail of confidential information, and the more entities that possess such information, the higher the chance that the information will be stolen or misappropriated, or used for other inappropriate purposes, such as the improper denial of credit, insurance, or employment. I therefore urge this Committee to look beyond the known risks of telemarketing abuses to identify and evaluate less obvious risks, including potential identity theft.
GLB Notices are Inadequate to Advise Consumers of Their Rights With Respect to Information Sharing.
The notices to consumers that are required under GLB (8) are woefully inadequate. Consumers have been greatly confused by the dense information in the notices, which require a high education level to comprehend. As a result, consumers have not been adequately informed about their rights to opt out of information sharing with third parties.
The opt-out notices provided by financial institutions in their effort to comply with GLB have not been "clear and conspicuous," as those terms are commonly understood. Opt-out notices mailed by many financial institutions have been unintelligible and couched in language several grade levels above the reading capacity of the majority of Americans. (9) Experts have highlighted the inadequacy of such statements. Mark Hochhauser, Ph.D., a readability expert, reviewed sixty GLB opt-out notices. Dr. Hochhauser determined that these notices were written at an average third or fourth year college reading level, rather than the junior high level comprehensible to the general public. (10) For example, the notice sent to customers by one financial institution stated:
If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). (11)
Recent surveys demonstrate that consumers either never see and read such complicated opt-out notices, or they don't understand them. A survey conducted by the American Bankers Association (12) found that 41% of consumers did not recall receiving their opt-out notices, 22% recalled receiving them but did not read them, and only 36% reported reading the notice. Another survey, conducted by Harris Interactive for the Privacy Leadership Initiative, announced its results in early December 2001. (13) The Harris Survey indicated that only 12% of consumers carefully read GLB privacy notices most of the time, whereas 58% did not read the notices at all or only glanced at them. The Harris Survey further indicated that lack of time or interest and difficulty in understanding or reading the notices top the list of the reasons why consumers do not spend more time reading them.
Those consumers that do read the GLB notices have voiced numerous complaints, raising concerns that the financial institutions' unintelligible notices are an attempt to mislead them. (14) The opt-out approach promulgated under GLB has proven so problematic that the federal agencies that administer the regulations under GLB convened an Interagency Public Workshop to address the concerns that have been raised "about clarity and effectiveness of some of the privacy notices" sent out under GLB. (15) The agencies noted that consumers have complained that "the notices are confusing and/or misleading and that the opt-out disclosures are hard to find." (16)
Where the vast majority of consumers don't even read opt-out notices, and those who read the notices cannot understand them, it cannot be said that they are able to understand their rights and exercise their choices intelligently. As a result, the Attorneys General of forty-two States, the District of Columbia, and two Territories called on the FTC and other federal regulatory agencies to create standard notices and require much simpler language so that consumers can understand them. (17)
Congress should step in and require the federal agencies to create standard notice forms for use by the financial services industry under GLB. Standard notices for financial privacy could be modeled on the nutritional labeling required by Congress under the Nutritional Labeling and Education Act. Use of such standard notices would enable consumers to much more easily understand their rights, and to exercise their choices allowed under federal law.
II. The FCRA Does Not Adequately Protect Consumers From Abuses Associated with Sharing of Nonpublic Personal Financial Information Among Affiliates.
The concerns with respect to sharing of information with unaffiliated third parties - abusive telemarketing practices and incomprehensible notices - apply with equal force with respect to sharing of nonpublic personal financial information among corporate affiliates. The breadth and number of affiliates of some financial institutions is breathtaking, yet most consumers remain unaware of the existence or identity of their financial institutions' affiliates. Consumers should be better protected from the harms associated with affiliate sharing by giving consumers an effective choice before credit-related information can be shared throughout a vast corporate complex.
Under the FCRA, consumers have no choice as to whether their transaction and experience information will be shared with their financial institution's corporate affiliates. Moreover, once they are given a notice and opportunity to opt out, all other information can also be shared with the corporate affiliate group. Thus information about the consumer's income, employment history, credit score, marital status, and medical history can be shared with ease among corporate affiliates.
GLB greatly expanded the activities that were permissible under one corporate umbrella, as it allowed insurance, securities, and banking institutions to affiliate with each other. Even prior to enactment of GLB, financial institutions were allowed to affiliate with a broad spectrum of companies. The list of activities that are identified by the Federal Reserve Board in its rulemaking as "financial" in nature or closely related to financial activities, and therefore permissible for inclusion within a financial holding company, goes well beyond traditional financial activities, and includes the following:
(1) insuring, guaranteeing, or indemnifying against loss, harm, damage, illness,
disability, or death, or providing and issuing annuities, and acting as principal,
agent, or broker for purposes of the foregoing, in any State;
(2) providing financial, investment, or economic advisory services, including advising an investment company (as defined in section 3 of the Investment Company Act of 1940);
(3) issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly;
(4) underwriting, dealing in, or making a market in securities;
(5) leasing real or personal property (or acting as agent, broker, or advisor in such leasing) without operating, maintaining, or repairing the property;
(6) appraising real or personal property;
(7) check guaranty, collection agency, credit bureau, and real estate settlement services;
(8) providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management;
(9) management consulting and counseling activities (including providing financial career counseling);
(10) courier services for banking instruments;
(11) printing and selling checks and related documents;
(12) community development or advisory activities;
(13) providing financial data processing and transmission services, facilities (including hardware, software, documentation, or operating personnel), databases, advice, or access to these by technological means;
(14) leasing real or personal property (or acting as agent, broker, or advisor in such leasing) where the lease is functionally equivalent to an extension of credit;
(15) providing investment, financial, or economic advisory services; and
(16) operating a travel agency in connection with financial services. (18)
Thus the types of businesses with which traditional financial institutions may now affiliate themselves, in addition to banking, insurance and securities brokerage, include:
Also included among the list of permissible affiliates are institutions that are "significantly engaged in financial activities," such as:
The number and breadth of affiliates currently associated with some of the country's major financial institutions is astounding. Submitted with these comments for the Committee's official record are the corporate affiliate lists for Bank of America Corporation, CitiGroup, Inc., and KeyCorp, (21) which serve as three examples of the level of affiliation at large- and mid-sized banking institutions in this country.
Bank of America lists 1,476 corporate affiliates; CitiGroup lists 2,761 corporate affiliates; and KeyCorp lists 871. A perusal of these corporate affiliate lists demonstrates that these holding companies appear to be involved in widely disparate activities, including insurance, securities, international banking, real estate holdings and development, and equipment leasing. Some of these affiliate operations may, in the normal course of their business, gather highly personal health information about consumers. A consumer holding a credit card with the lead bank or a property and casualty insurance policy with a major insurer in any of these affiliate groups would not expect that his or her transaction and experience information would be spread throughout the corporate affiliate structure for the purpose not of servicing the consumer better, but of marketing products to the consumer.
The only appropriate mechanism for giving consumers control over sharing of information within such broad affiliate groups is to require that consumers be given effective notice and choice before their information may be shared with affiliates.
Unfortunately, current notices to consumers about their rights under the FCRA with respect to sharing of nonpublic personal financial information with affiliates are highly inadequate, just like the notices about consumers' rights under GLB. Indeed, both GLB and the FCRA require that notices about information sharing practices and information about how consumers can exercise their opt out rights must be written in a "clear and conspicuous" manner. (22) The federal regulatory agencies have not yet issued any guidance on how these two notice requirements work together. Many financial institutions have incorporated their affiliate sharing notices required under the
FCRA within their notices about sharing of information with unaffiliated third parties required under GLB. Consumers have experienced the same problems outlined in Section I.B., above, with respect to affiliate sharing notices as they have experienced with notices about sharing of information with unaffiliated third parties.
Accordingly, Congress should require financial institutions to give consumers an effective choice before nonpublic personal financial information can be shared among affiliates. Moreover, Congress should direct that the standard financial privacy notices to be created by the federal Regulatory Agencies contain a standard format for information about affiliate sharing practices and consumers' choices to control such sharing.
III. Congress Should Continue To Allow States To Enact More Protective Laws With Respect To Financial Privacy.
Prior to GLB, states had enacted provisions relating to financial privacy that were more protective than the provisions of federal law. This Committee ensured the ability of states to continue to protect their citizenry by enacting Section 507 of GLB, which allows states to adopt financial privacy laws relating to sharing with unaffiliated third parties that are more protective than Title V. Due to the inadequacies of GLB discussed above, states and localities have been exercising this authority to ensure that their consumers' financial information is protected. Moreover, under the FCRA, the current preemption of more protective state laws relating to affiliate sharing is due to sunset on December 31, 2003.
This Committee should ensure that states continue to be entitled to enact more protective laws with respect to sharing of financial information with third parties and affiliates.
State Law on Information Sharing with Unaffiliated Third Parties
Recognizing that many of the problems inherent with GLB stem from the federal law's acceptance of consumer "opt out" as an appropriate means of registering consumer choice, states and local governments have been actively adopting laws that require consumers to opt in before their information can be shared. There are currently six states that have enacted laws that require some form of opt in before financial information can be shared by banks. (23) Fourteen states have enacted laws or regulations that require some form of consumer consent before financial information can be shared by insurance companies. (24)
In addition, North Dakota voters recently adopted a referendum reversing the state legislature's repeal of that state's opt-in law, putting that state's banking opt-in law back on the books. Two California localities - San Mateo County and Daly City - also have recently adopted ordinances requiring affirmative consumer consent before financial information can be shared. These laws are a reaction by state and local governments to the problems associated with GLB, and an effort by these governments to provide consumers with protections greater than those afforded under federal law.
Some states have adopted laws or regulations that are designed to address some of the specific problems consumers face under federal law. For example, Vermont's new financial privacy regulations specifically prohibit banks, insurance companies, and securities firms from sharing encrypted account numbers or other unique identifiers that would allow telemarketers and others to access a consumer's account. See, e.g., Vermont Department of Banking, Insurance, Securities and Health Care Administration Regulation B-2001-01, Section 13 (available at http://www.state.vt.us/atg/Banking%20Adopted%20Rule.pdf).
Congress should ensure that states can continue to be allowed to protect their consumers with respect to sharing of financial information with third parties by enacting laws that are more protective than GLB's Title V.
B. State Law on Affiliate Sharing
Similarly, Congress should ensure that States can adopt laws that are more protective than the FCRA with respect to affiliate sharing. The FCRA prohibits states from enacting or enforcing provisions with respect to sharing of information among affiliates until January 1, 2004. (25) Congress should allow this preemption provision to sunset, as scheduled, on January 1, 2004. After that date, states will be allowed to enact laws with respect to affiliate sharing if two conditions are met:
The state provision explicitly states that it is intended to supplement the federal FCRA; and
The state provision gives greater protection to consumers than is provided under the federal FCRA. (26)
Currently, Vermont is the only state that has a law directly regulating affiliate sharing. Vermont law, like federal law, allows affiliates to share transaction and experience information without any notice to a consumer and without any way for a consumer to prevent the sharing. However, before financial institutions can share credit reporting information about Vermont consumers with their affiliates under Vermont law, the institutions must obtain affirmative consent - or opt in - from the consumer.
Because Vermont was the only state to have addressed the issue of affiliate sharing at the time of the 1996 revisions to the FCRA, Congress specifically exempted Vermont's state consent provision from FCRA preemption "with respect to the exchange of information among persons affiliated by common ownership or common corporate control." (27) Congress should allow other states to address concerns with respect to affiliate sharing by allowing the preemption of such states laws to sunset as scheduled.
IV. Recommendations for Congressional Action
In sum, I recommend the following as appropriate steps for this Committee to take to ensure that consumers' financial privacy is protected:
1. Pub. L. No. 106-102 (1999).
3. Gramm-Leach-Bliley Act, Pub. L. 106-102, Nov. 12, 1999, 113 Stat. 1338, Section 502(d).
4. 67 Fed. Reg. 4491
5. Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing Sales Rule, April 12, 2002, available at www.naag.org.
6. The mortgage statements issued by Fleet hid the charges under the rubric "opt. prod." at the very bottom of the bill in small print, such that it was extremely difficult to discover the charge or discern the purpose of the charge. For consumers on auto-draft from their checking or other bank account, Fleet gave no written notice of the charge.
7. Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing Sales Rule, supra note 5.
8. 15 U.S.C. § 6802(b)(1)(A).
9. See Robert O'Harrow, Jr., "Getting a Handle on Privacy's Fine Print: Financial Firms' Policy Notices Aren't Always 'Clear and Conspicuous,' as Law Requires," The Washington Post, June 17, 2001, at H-01.
10. Mark Hochhauser, Ph.D., "Lost in the Fine Print: Readability of Financial Privacy Notices," http://www.privacyrights.org/ar/GLB-Reading.htm (2001).
11. See Hochhauser, supra n.10.
12. Available at http://www.aba.com/Press+Room/bankfee060701.htm
13. Available at http://www.ftc.gov/bcp/workshops/glb (hereinafter "Harris Survey").
14. Harris Survey, supra n. 13.
15. Interagency Pubic Workshop, "Get Noticed: Effective Financial Privacy Notices", http://www.ftc.gov/bcp/workshops/glb/; see also Press Release, "Workshop Planned to Discuss Strategies for Providing Effective Financial Privacy Notices," http://www.ftc.gov/opa/2001/09/glbwkshop.htm (Sept. 24, 2001).
16. See Joint Notice Announcing Public Workshop and Requesting Public Comment, "Public Workshop on Financial Privacy Notices," at 3.
17. See Comments of 44 Attorneys General to Federal Trade Commission Regarding GLB Notices, dated February 15, 2002, available at www.naag.org.
18. Examples 1-4 are from 12 U.S.C. § 4(k); examples 5-13 are from 12 C.F.R. § 225.28; and examples 14-16 are from 12 C.F.R. § 211.5(d).
19. 16 C.F.R. § 313.1 (b)
20. 16 C.F.R. § 313.3 (k)(2)
21. These lists, as well as other corporate affiliate lists for bank holding companies can be obtained at http://220.127.116.11/nicSearch/servlet/NICServlet?$GRP$=INSTHIST&REQ=MERGEDIN&MODE=SEARCH
22. 15 U.S.C. § 6802(b)(1)(A); 15 U.S.C. § 1681a(d)(2)(A)(iii).
23. Alaska (Alaska Stat. § 06.05.175); Connecticut (Conn. Gen. Stat. Ann. § 36a-42); Illinois (205 Ill. Comp. Stat. Ann. 5/48.1); Maryland (Md. Code Ann., Financial Institutions § 1-302); North Dakota (N.D. Cent. Code § 6-08.1-04); and Vermont (VT. Stat. Ann. tit. 8, § 10201 and BISHCA Regulation B-2001-01)
24. Arizona (Ariz. Rev. Stat. Ann. § 20-2113); California (Cal. Ins. Code § 791.13); Connecticut (Conn. Gen. Stat. Ann. § 38a-988); Georgia (Ga. Code Ann. § 33-39-14); Maine (Me. Rev. Stat. Ann. tit. 24-A, § 2215); Massachusetts (Mass. Gen. Laws Ann. ch. 175I, § 13); Minnesota (Minn. Stat. Ann. § 72A.502); Montana (Mont. Code Ann. § 33-19-306); Nevada (Nev. Admin. Code ch. 679B §§ 679B.560 - 679B.750); New Jersey (N.J. Stat. Ann. § 17:23A-13); New Mexico (N.M. Admin. Code tit. 13, §§ 18.104.22.168 - 22.214.171.124); North Carolina (N.C. Gen. Stat. § 58-39-75); Ohio (OHIO Rev. Code Ann. § 3904.13); Oregon (Or. Rev. Stat. § 746.665); and Vermont (VT BISHCA Regulation IH-2001-01.)
25. See 15 U.S.C. §§ 1681t(b)(2) and (d).
26. 15 U.S.C. § 1681t(d).
27. 15 U.S.C. §1681t(b)(2).
Home | Menu | Links | Info | Chairman's Page