PREPARED STATEMENT OF THE
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND
FINANCIAL PRIVACY, THE FAIR
July 21, 1999
Chairwoman Roukema and members of the Subcommittee, I am Robert Pitofsky, Chairman of the Federal Trade Commission ("FTC" or "Commission"). I appreciate this opportunity to present the Commission's views on H.R. 10, the Fair Credit Reporting Act ("FCRA") and financial privacy.(1) The Commission supports the work of the Committee in striving to provide financial privacy protections for consumers and supports such provisions currently in H.R. 10.
We live in a burgeoning information economy. The personal computer revolution of the 1980s, and the explosive growth of interactive technologies in the 1990s, have made it possible for businesses to collect, aggregate, store, and market personal information in ways unthinkable only a generation ago. The commercial use of this information can have great benefits for consumers and industry, by allowing more cost-effective marketing systems. At the same time, it raises concerns because of the speed and ease with which vast amounts of sensitive information can be aggregated and disseminated.
It is not surprising to learn that, of all the types of information collected about them, American consumers view their financial information as extremely sensitive, indeed as sensitive as their medical histories.(2) Congress has long recognized this fact in enacting laws to protect financial information, such as the FCRA and the Right to Financial Privacy Act. As custodians of sensitive financial information, financial institutions must take their customers' privacy concerns into account. The Commission has extensive experience dealing with privacy and consumer protection issues, including those related to the financial services industry, and I am pleased to present the Commission's perspective in this complex area.
II. THE COMMISSION'S CONSUMER PROTECTION MISSION
The FTC is a law enforcement agency whose mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and increasing consumer choice by promoting vigorous competition. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.(3) The Commission's authority over banks, other depository institutions and insurers is limited to the extent they are regulated by federal bank or state insurance regulatory agencies.(4) The FTCA generally provides the Commission with broad law enforcement authority over entities engaged in or whose business affects commerce and with the authority to gather information about such entities.(5) The Commission also has responsibility under approximately forty additional statutes governing specific industries and practices.(6) Recently, for example, the Identity Theft and Assumption Deterrence Act of 1998 made identity theft a federal crime and authorized the Commission to serve as a central clearinghouse to receive complaints from, and provide information to, victims of identity theft.(7)
III. FAIR CREDIT REPORTING ACT
The Subcommittee has requested that the Commission provide a discussion of its regulatory authority in the area of financial privacy, particularly under the FCRA, and its views on the privacy protections in H.R. 10, recently passed by the House.(14)
The FCRA provides critical privacy protection for consumers by limiting the circulation and use of their personal financial information by private firms, including banks. While this law provides strong protections, it does have limits and exceptions. We are aware that the question of how those limits and exceptions should be addressed has been the focus of considerable debate in the context of H.R. 10.
A. Scope of the FCRA
The FCRA primarily governs the accumulation and distribution of information that bears on individuals' creditworthiness by regulating consumer reporting agencies, such as credit bureaus, and establishing important protections for consumers with regard to the privacy of their sensitive financial information.(15) The FCRA was enacted, in part, to address privacy concerns associated with the sharing of consumers' financial and credit history contained in consumer credit reports.(16) The FCRA limits the disclosure of consumer reports only to entities with specified "permissible purposes" (such as evaluating individuals for credit, insurance, employment, or similar purposes) and under specified conditions (including certification of the permissible purpose by the user of the report).(17) In these ways, the FCRA operates generally to limit disclosure of consumer reports primarily to instances where a consumer initiates a transaction, such as an application for credit, employment, or insurance.(18) The FCRA also provides consumers with certain rights in connection with the information maintained by consumer reporting agencies.(19)
The FCRA imposes civil liability for both willful and negligent noncompliance by consumer reporting agencies and parties who procure reports from (or furnish information to) such agencies.(20) It grants civil enforcement authority to the Commission, other federal agencies, and the states, to seek both monetary and injunctive relief for violations of the Act.(21) The potential monetary penalties include, for those who knowingly violate the FCRA, up to $2,500 per violation in a civil action brought by the Commission in district court,(22) or damages incurred by residents of a state in an action brought by the attorney general (or other official or agency designated by the state) on their behalf.(23) The FCRA also provides for criminal sanctions against parties who infringe on consumer privacy by unlawfully obtaining consumer reports.(24)
The Commission has undertaken FCRA enforcement actions against the three major credit bureaus in the last eight years,(25) including one matter currently pending before the Commission.(26) It has dedicated a portion of its website to the FCRA (www.ftc.gov/os/statutes/fcrajump.htm), where the public can access the statutory text, Commission proceedings relating to the FCRA, consumer education materials, press releases, and the text of over 60 informal FCRA opinion letters the staff has published since major changes to the statute became effective in September 1997.
B. Where the FCRA Does Not Apply
There are two important types of communications among businesses that the FCRA specifically exempts from the full protections that apply to consumer reports. First, a business is free to distribute without limitation information about its own "transactions and experiences" with a customer.(27) Without this exception, the many thousands of firms that report information about their customers each month to credit bureaus might themselves legally be viewed as credit bureaus. Thus, the FCRA does not restrict a financial services (or any other) firm's ability to sell to third parties and affiliates virtually any and all information about its transactions and experiences with its customers, including number and types of accounts, account balances, credit limits, detailed payment history and method of payment -- information many, if not most, customers would view as highly sensitive. Allegations in a recent case suggest that at least some financial services firms are selling that type of information.(28) The sale or transfer of such sensitive "transactions and experiences" information, with appropriate exceptions, raises serious privacy concerns.
Second, the 1996 amendments to the FCRA include a provision that permits affiliated companies to share consumer report information free from many of the FCRA's restrictions, so long as a notice and the opportunity to opt-out is provided before such non-transaction and non-experience information is shared.(29) Most importantly, affiliated companies are permitted to share any information included in a credit report procured by one of the affiliates.(30) Prior to this change, an affiliate that regularly communicated consumer report information to related companies (beyond its own transactions and experiences), which then used this information to make decisions in consumer transactions, would have been a consumer reporting agency; the consumer would have had full FCRA rights, including access and dispute rights, as to that information.(31) Under the amendments, that is no longer the result, if notice and the opportunity to opt out are provided. Thus, a consumer who is denied a loan by Company A, based on erroneous consumer information obtained from its Affiliate Companies B and C, now has no right to see and correct the information, and has a right to only a limited adverse action notice.(32) Stated more generally, a consumer could be repeatedly denied the benefits of obtaining credit or other services with no right to challenge the accuracy of pooled information kept in the files of a company not involved with the consumer's transaction.
IV. THE PRIVACY PROVISIONS OF H.R. 10
While the Commission generally supports the privacy provisions in H.R. 10, it believes that one specific additional consumer protection should be provided and that the bill's current provisions could be improved in two ways to ensure that legislation adequately protects consumers.
First, we suggest that H.R. 10's privacy protections requiring notice and opt-out before personal financial information is disclosed to nonaffiliated entities be extended to cover the disclosure of such information among affiliated companies.(33) This extension makes sense because consumers likely view different companies as separate entities, and are largely unaware of the fact or consequences of common ownership.(34) Thus, the distinction between the disclosure of personal financial information to an affiliated entity versus disclosure to a nonaffiliated one is not likely to be significant to consumers or to affect consumers' privacy interests in the underlying information. In sum, consumers should have the right to know about, and prevent if they so choose, transfers of sensitive personal financial data to any third parties, affiliated or non-affiliated.(35)
Next, with respect to two possible improvements to the bill, the Commission is concerned with the broad exception provided for information transmitted "with the consent . . . of the consumer."(36) H.R. 10's notice and opt-out model for the sharing of personal financial information is already premised on the implied consent of the consumer -- if the consumer does not opt out, the consumer has impliedly consented to the information transfer -- so no additional exception for consent should be necessary. If there is a discrete need to obtain consumer consent for the sharing of the information in particular circumstances, such a need should be addressed with a more limited exception. Most importantly, any consent that overrides the privacy protections of this bill should be permitted only where there is clear and conspicuous notice to the consumer of specifically what information sharing will be permitted by their consent and a clear expression from the consumer of that consent.
Finally, the bill should make it clear that its privacy provisions do not limit the FCRA's protections to the extent they apply to financial institution files. H.R. 10's broad definition of "nonpublic personal information," which covers personally identifiable information "obtained by the financial institution,"(37) can include the type of information that would otherwise constitute a credit report; in fact, it could even include credit reports obtained from credit bureaus. Distribution of such information to third parties today should be subject to the full protections of the FCRA, and not just the notice and opt-out regime included in H.R. 10. If construed to supersede the FCRA, the H.R. 10 privacy provisions would be a major retreat in privacy protections for consumers. Credit reports could be distributed to firms that had no permissible purpose to see them if the consumer did not take the affirmative step of stopping that practice. The Commission believes it essential to eliminate the potential for such an interpretation by adding a savings clause indicating that, notwithstanding any provisions of H.R. 10, the full protections of the FCRA continue to apply where applicable.
It is clear that financial modernization can bring great benefits to consumers. It is also clear that consumers are extremely concerned about the privacy of their sensitive financial information. At the same time, the provision of financial services is dependent upon efficient, fair and accurate reporting of consumer credit information. A principal goal of the FCRA is to protect consumer privacy, while avoiding negative impacts on industry.(38) The Commission is pleased to serve as a resource as this Subcommittee and others consider how to strike the proper balance between these important competing interests.
My oral testimony and responses to questions you may have reflect my own views and are not necessarily the views of the Commission or the other Commissioners.
2. Testimony of Alan F. Westin on "Electronic Payment Systems, Electronic Commerce, and Consumer Privacy" before the Subcommittee on Financial Institutions and Consumer Credit, House Committee on Banking and Financial Services, at 4 (September 18, 1997).
3. 15 U.S.C. § 45(a).
4. Moreover, the Commission's authority to conduct studies and prepare reports relating to the business of insurance is limited. 15 U.S.C. § 46(a).
5. 15 U.S.C. §§ 45(a), 46(a).
6. These include, for example, the Truth in Lending Act, 15 U.S.C. §§ 1601 et seq., which mandates disclosures of credit terms, and the Fair Credit Billing Act, 15 U.S.C. §§ 1666 et seq., which provides for the correction of billing errors on credit accounts. The Commission also enforces over 30 rules governing specific industries and practices.
7. Public Law No. 105-318, 112 Stat. 3007, amending 18 U.S.C. § 1028 (1998). Specifically, the Act requires the Commission to establish procedures to (1) log the receipt of complaints by victims of identity theft; (2) provide these victims with informational materials; and (3) refer complaints to appropriate entities, including the major national consumer reporting agencies and law enforcement agencies.
8. Commission cases involve claims of, for example, aiding and abetting a merchant engaged in unfair and deceptive activities, Citicorp Credit Services, Inc., 116 F.T.C. 87 (1993), discrimination based on race and national origin in mortgage lending, United States v. Shawmut Mortgage Co., 3:93CV-2453AVC (D. Conn. Dec. 13, 1993), failure to provide required notices of adverse actions to credit applicants, United States v. J.C. Penney Co., CV964696 (E.D.N.Y. Oct. 8, 1996), and engaging in unfair and deceptive practices in its collection of credit card debts after the filing of consumer bankruptcy, Sears, Roebuck and Co., C-3786, 1998 FTC LEXIS 21 (Feb. 27, 1998); Montgomery Ward Corp., C-3839 (Dec. 11, 1998); May Department Stores Co., File No. 972-3189, 1998 FTC LEXIS 117 (Nov. 2, 1998).
9. The Commission has held a series of public workshops on privacy since April 1995. It also has examined Web site practices in the collection, use, and transfer of consumers' personal information; self-regulatory efforts and technological developments to enhance consumer privacy; consumer and business education efforts; the role of government in protecting online information privacy; and special issues raised by the online collection and use of information from and about children; issues raised by individual reference ("look up") services, as well as issues relating to unsolicited commercial e-mail. These efforts have served as a foundation for dialogue among members of the information industry and online business community, government representatives, privacy and consumer advocates, and experts in interactive technology. Self-Regulation and Privacy Online: A Report to Congress (July 1999); Privacy Online: A Report to Congress (June 1998). Further, the Commission staff has issued reports describing various privacy concerns in the electronic marketplace. See, e.g., FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure (December 1996); FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace (May 1996).
10. In 1997, the Commission conducted a study of database services, known as "look-up services" or "individual reference services," that make commercially available personal information used to locate and identify individuals. The study examined how such services operate and how they may create detailed profiles on consumers containing financial and other sensitive personal information. The Commission then reported to Congress what it had learned about the individual reference services industry and assessed the viability of a proposed set of industry self-regulatory principles, designed to provide some controls on the disclosure of sensitive personal information. Individual Reference Services: A Report to Congress (December 1997).
12. Commission staff also participates in numerous task forces and groups concerned with, for example, fair lending, leasing, subprime lending, electronic commerce, and commerce on the Internet, all of which have an impact on the financial services industry.
14. H.R. 10 also includes important provisions to outlaw the practice of obtaining personal financial information by deceit, or "pretexting." The Commission, as noted in prior testimony, supports civil and criminal sanctions against pretexting. Testimony of Federal Trade Commission, as presented by Commissioner Mozelle W. Thompson on "Obtaining Confidential Financial Information by Pretexting" before the House Committee on Banking, at 13-15 (July 28, 1998). Quite properly, in the Commission's view, H.R. 10 does not require a showing of knowledge or intent as part of civil enforcement actions. Those are standards more properly made part of criminal sanctions. Addition of those requirements in a civil suit would have had the effect of making it harder for the Commission to take civil action against "pretexting" misrepresentations. The Federal Trade Commission Act reaches many aspects of pretexting and does not include knowledge or intent as part of the violation.
In April 1999, the Commission brought a federal court action against James and Regana Rapp, doing business as Touch Tone Information, Inc., involving "pretexting." The complaint alleged that they violated Section 5 of the FTCA when they obtained consumers' private financial information by (1) impersonating bank account holders and making false statements to financial institutions and others to induce the disclosure of consumers' private financial information and (2) selling or disclosing that information, to anyone who requested it, without consumers' knowledge or consent. Federal Trade Commission v. Rapp, No. 99-WM-783 (D. Colo. filed April 21, 1999) (authorized by 3-1 vote, Commissioner Swindle dissenting).
15. 15 U.S.C. §§ 1681 et seq. Some states also have their own laws dealing with the same issues. Section 624 of the FCRA specifies certain matters with respect to which the federal law preempts any such state law.
16. See, e.g., 15 U.S.C. § 1681(a)(4) ("There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.").
17. 15 U.S.C. §§ 1681-1681u. The 1996 amendments specifically authorized the practice of creditors and insurers who use credit bureau files to "prescreen" consumers they solicit for their products under specific procedures, most importantly that consumers be notified of the process and be allowed to "opt out" of future credit bureau prescreens. 15 U.S.C. §§ 1681a(m), 1681b(c), 1681b(e), and 1681m(d).
18. 15 U.S.C. § 1681b.
19. 15 U.S.C. §§ 1681-1681u. Most importantly, the FCRA requires creditors and other businesses to notify consumers when they take adverse action, in whole or in part, because of a consumer report from a consumer reporting agency (15 U.S.C. § 1681m), and compels consumer reporting agencies to disclose data in their file to consumers upon request (15 U.S.C. § 1681g) and to reinvestigate items disputed by the consumer in good faith (15 U.S.C. § 1681i).
20. 15 U.S.C. §§ 1681n-1681o.
21. 15 U.S.C. § 1681s.
22. 15 U.S.C. § 1681s(a)(2). The Act creates a private right of action for actual damages proven by a consumer, plus costs and attorneys' fees. In the case of willful violations, the court may also award punitive damages to a consumer. 15 U.S.C. § 1681n(a)(2). Any person who procures a consumer report under false pretenses, or knowingly without a permissible purpose, is liable for $1000 or actual damages (whichever is greater) to both the consumer and to the consumer reporting agency from which the report is procured. 15 U.S.C. § 1681n(b).
23. 15 U.S.C. § 1681s(c)(1)(B)(i-ii).
24. "Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses ..." may be fined and imprisoned for up to 2 years. 15 U.S.C. § 1681q. The Computer Fraud and Abuse Act prohibits unauthorized entry into credit bureau files, providing for fine and imprisonment (up to one year for a first offense, up to ten years for a second offense) of a person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in . . . a file of a consumer reporting agency on a consumer, as such terms are defined in the [FCRA]." 18 U.S.C. § 1030(a)(2).
25. Equifax Credit Information Services, Inc., 120 F.T.C. 577 (1995); FTC v. TRW, Inc., 784 F. Supp. 361 (N.D. Tex. 1991).
26. Matter of Trans Union Corporation, FTC Docket No. 9255. The Commission is currently considering an appeal of an initial decision of Administrative Law Judge James P. Timony, 1998 FTC LEXIS 88 (July 31, 1998).
27. Section 603(d) of the FCRA, 15 U.S.C. § 1681a(d)(2)(A)(i) ("The term 'consumer report' . . . does not include any report containing information solely as to transactions or experiences between the consumer and the person making the report.").
28. Hatch v. US Bank Nat'l Ass'n ND (D. Minn. filed June 9, 1999).
29. 15 U.S.C. § 1681a(d)(2)(A). As noted earlier, the FCRA does not in any way restrict the ability of an entity to share "transaction and experience" information with its affiliates.
30. Also, the exception allows affiliates to freely share other information beyond their transactions and experiences with the consumer, including information included on a loan application, or information that one of the affiliates has obtained directly from a third party.
31. Before the affiliate sharing exemption became law, Company A would have been required to notify the consumer he or she had been denied credit because of a consumer report (information other than "transaction or experience" data) received from a consumer reporting agency (Company B). The consumer would have the right to obtain a disclosure of the information maintained in Company B's file, and to dispute it if he or she believed it was inaccurate or incomplete. See footnote 19 above.
32. Company A would be required only to notify the consumer of the adverse action, and that he or she has a right to make a written request for a statement of the "nature of the information" that caused the action. 15 U.S.C. § 1681m(b)(2).
33. As noted above, the FCRA currently sets out a notice and opt-out mechanism for affiliate sharing of information that is not "transactions and experiences" information. As discussed infra, there is a need to clarify that H.R. 10 does not undermine the protections currently afforded by the FCRA.
34. This is particularly true as the barriers are removed between banking and other types of businesses, and as the size of those corporate families expands. In fact, given such expansion and diversification, consumers have no reason to know that the information they give to an insurance company one day may find its way into the files of a bank or securities firm, which happens to be affiliated with that insurance company, the next day.
35. The Commission supports H.R. 10's notice, choice and security provisions and notes that in other contexts, it also has encouraged consideration of additional fair information practices.
36. Title V, Subtitle A, Section 502(a)(2).
37. Title V, Subtitle A, Section 509(4)(A)(iii).
38. 15 U.S.C. § 1681(a).