ASSOCIATION OF AMERICA
William D. Sones
Secretary, Federal Trade Commission
Re: Consumer Privacy 1997- Comment, P954807
The Independent Bankers Association of America (IBAA) is pleased to comment on the Federal Trade Commission's (FTC) workshop on consumer on-line privacy. The IBAA is the only national trade association that exclusively represents the interests of the nation's community banks. IBAA represents 5,500 independent community banks nationwide with 9,823 branches that hold nearly $375 billion in insured deposits, $445 billion in assets, and more than $240 billion in loans for consumers, small businesses and farms in the communities they serve. IBAA members also employ more than 200,000 people in their communities.
The IBAA is particularly concerned with privacy issues with the electronic developments in the banking industry, such as on-line banking. We support a regulatory and legal framework which protects privacy for banks, their customers and any other party to a transactional. Technological innovations in computers and telecommunications are rapidly transforming bank operations and financial services. These innovations must include firewalls which assure all participants that only the appropriate parties will have access to sensitive personal, medical and business information.
The IBAA addressed a number of privacy concerns in a letter to the Federal Reserve in response to its study concerning the public availability of sensitive identifying information about consumers, whether such information could be used to commit financial fraud, and if so whether there is an undue potential risk of loss to insured depository institutions. In a letter dated January 31, 1997, the IBAA emphasized that, with the advancement of electronic technology, protecting sensitive consumer information will become a much harder task. We strongly recommended that employees be properly trained on confidentiality and consumers be educated about the risk of financial fraud. We stressed that providing stricter penalties and more standardized guidelines for credit reporting agencies and other companies providing sensitive information would reduce the potential for financial fraud. A copy of letter is attached.
We are very interested in attending the workshop session two entitled "Consumer Online Privacy" on June 11-12 1997.
Thank you for the opportunity to comment on this study.
Elizabeth A. Aaron
WASHINGTON OFFICE One Thomas Circle, N.W., Suite 950, Washington, D.C. 20005-5802 202/659-8111 Fax: 202/659-1413 Info@IBAA.org
William D. Sones
William W. Wiles, Secretary Treasurer
Re: Fair Credit Reporting; Docket No. R-0953
Dear Mr. Wiles:
The Independent Bankers Association of America (IBAA) is pleased to provide comments to assist the Board of Governors of the Federal Reserve System, along with the Federal Trade Commission and the federal banking agencies in conducting a study to determine the amount of sensitive identifying information that is available to the public about consumers, such as social security numbers, mothers' maiden names, prior addresses and dates of birth. Additionally, the Federal Reserve is seeking comment to determine the possibility that the information could be used for financial fraud and the potential fraud or risk of loss to an insured depository institution. IBAA is the only national trade association that represents the interests of the nation's community banks.
Congress is concerned after a widely publicized incident in which a large database service offered personal information for sale including social security numbers from one of its electronic databases. The service discontinued providing social security numbers after a few days, but continued to permit searches by social security number. Around the same time, Congress learned how this information is used for financial fraud. For example, criminals can receive credit or negotiate checks in the consumer's name with devastating results using the practice commonly referred to as "identity theft".
IBAA is concerned with the potential for fraud or risk of loss to an insured depository institution should sensitive identifying information about consumers be misused. Although we believe Congress has taken measures to protect sensitive identifying information about consumers through the Fair Credit Reporting Act (FCRA), we believe the rapid growth of electronic technology will make it even harder to prevent sensitive information from being provided to the public or being available to unauthorized persons.
We recommend that substantial fines be assessed for those who provide sensitive consumer information illegally and for those who use the information illegally. We therefore, recommend that additional penalties be implemented and more strictly enforced under FCRA section 616, Civil Liability for Willful Noncompliance, and section 620, Unauthorized Disclosures by Officers or Employees, when a consumer reporting agency or user of information willfully fails to comply with FCRA requirements. Another suggestion would be to place more restrictions under FCRA section 604, Permissible Purposes of Reports, in order to make reports more standardized and less accessible. This would help ensure that certain sensitive information is released only for its intended purpose. The Board should also consider recommending that Congress explore other ways to discourage misuse of sensitive information, for example, by empowering regulators and other law enforcement entities to prohibit individuals who have misused information in the past from having access to it.
In addition, we understand that the banking industry has a responsibility to properly educate its employees of the provisions of the FCRA and the importance of confidentiality. It is also crucial that banks implement internal controls to prevent financial fraud due to due to a breach in confidentiality.
For purposes of the study, IBAA believes that the following information should be considered sensitive consumer information: social security number, bank account number, telephone number, mother's maiden name, address, date of birth, work history, income, credit card numbers, medical history, driver's license, and pin number. We emphasize that a social security number, a date of birth and a mother's maiden name are the type of identifying information that are most meaningful in granting and verifying credit and in obtaining access to financial or account information. A person with access to this information can obtain an abundance of personal information that could lead to financial fraud. We, therefore, strongly recommend that Congress consider measures to protect social security numbers from disclosure by, for example, making it illegal for States, such as Virginia, to use a social security number as a driver's license number.
A credit bureau is a primary source to obtain the above sensitive information about an individual. The cost is approximately $2-$10 for an individual and $10-$50 for a business. More specifically, companies or organizations that provide sensitive information to the public include TRW, TransUnion, Equifax, Lexis-Nexis, Prentice Hall, and Dunn and Bradstreet. The information from these companies can be obtained through computer, telephone, mail, or fax. Most local credit bureaus do require a signed contract restricting the use of information for loan purposes or employment only. Some even provide a password for accessing information. Although through contracts credit bureaus do place many restrictions on this data when they sell it, there is no way to ensure the information is limited to its intended purpose.
Information provided by the above listed companies can be used legitimately by a bank in making lending decisions, a landlord inquiring about prospective tenants, or an employer verifying information on a new employee. However, the information can also be used in a variety of fraudulent matters such as to obtain loan applications, cash advances, checking accounts, mail order purchases, driver's licenses, and credit cards. The IBAA does not have any data at this time that would substantiate the amount of financial loss to our member banks attributed to fraudulent use of consumer information.
With the continued advancement in electronic technology, such as the Internet, protecting sensitive consumer information will become a much harder task. IBAA emphasizes that banks must properly train their employees on confidentiality to guard against unauthorized use of information which could result in financial fraud. It is also extremely important to educate consumers about the risk of financial fraud so that they will be more judicious in providing information, such as their social security number. We believe that providing stricter penalties and more standardized guidelines for credit reporting agencies and other companies providing sensitive consumer information could reduce the potential for financial fraud. Thank you for the opportunity to comment.
WASHINGTON OFFICE One Thomas Circle, N.W. Suite 950, Washington, DC. 20005-5802 202/659-8111 Fax: 201 659-1413