Segment 1 Of 2     Next Hearing Segment(2)

 Page 1       TOP OF DOC    Segment 1 Of 2  


TUESDAY, JULY 20, 1999
U.S. House of Representatives,
Subcommittee on Financial Institutions and Consumer Credit,
Committee on Banking and Financial Services,
Washington, DC.

    The subcommittee met, pursuant to call, at 10:00 a.m., in room 2128, Rayburn House Office Building, Hon. Marge Roukema, [chairwoman of the subcommittee], presiding.

    Present: Chairwoman Roukema; Representatives Royce, Leach [ex officio], Vento, Bentsen, Sherman, Moore, Gonzalez, Schakowsky, and LaFalce.

     Also Present: Representative Lucas of Oklahoma.

    Chairwoman ROUKEMA. We have a well scheduled, long, intensive hearing today, so we will get started.

    We fully expect that there will be more Members arriving, although I am sorry they are not here at this moment. But we need to start this hearing. Let me assure all the witnesses that Mr. Vento and I and others will be listening very intently to everything.

    Let me set the scene for this hearing today. I think it is an extremely important hearing. It is the first of two hearings on financial and medical privacy for this week. I fully expect that we will have several more hearings, as the privacy issue is both compelling and complicated. I don't think I have to go into a lot of detail about why the question of privacy is important. It touches all of our lives, and all the issues relating to them—financial, medical, or otherwise. Privacy is all-encompassing and involves literally, as I have said, every aspect of our lives.
 Page 2       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    During the consideration of H.R. 10, I worked with my colleagues Mr. Vento, Ms. Pryce, Mr. Oxley, Mr. LaFalce and Mr. Frost on an amendment to enhance H.R. 10 with what we considered to be workable privacy protections. In the end, the House approved that amendment by a vote of 427-to-1. The privacy provisions require banks, securities firms, and insurance companies to disclose their privacy policies and provide consumers with the ability to ''opt-out'' of sharing their non-public personal information with non-affiliated third parties. In addition, the privacy provisions in H.R. 10 prohibit financial institutions from sharing customer account numbers for the purpose of third-party marketing.

    The question, of course, arises: Does this address all of the concerns relating to privacy? And it is quite obvious that it does not. In fact, Congressman Inslee—and I would hope that he would be here shortly—offered an amendment during the Banking Committee markup of H.R. 10 which was much broader than the language contained in H.R. 10 as it passed the House. I would like to remind everyone that I supported that Inslee amendment at the time.

    However, I do feel that first a comprehensive, rational discussion must be engaged in before we proceed further with issues relating to privacy. Such discussions and debates are necessary to ensure that any new legislation does not create unintended consequences, such as inhibiting an institution's daily operational needs, which is frequently cited as a concern by the industry.

    Our hearings this week largely will focus on privacy as it relates to the financial services industry. Our financial services industry is growing rapidly. Services are being offered in many different ways, including over the Internet, which raises a host of privacy issues that this subcommittee, I believe, is compelled to address. The hearings this week are intended to be only the beginning of a series of hearings in order to give due attention and hopefully proper legislation in the future on this issue of privacy.
 Page 3       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The debate has raised many questions regarding the extent to which we as consumers can trust that our financial, medical and other personal information is maintained in a confidential manner. A breakdown in that trust would result in severe consequences for the business world and for our economy. I think the business world and the financial services industry must understand that there is the danger of consumer backlash here. Consumers want to know who is collecting their information, what kind of information is being collected, and who has access to that information. For example, consumers may not object if their information is being shared so they can be offered a product or a service, but consumers do want to know under what circumstances such information is being shared. That raises the disclosure question: What is the definition of disclosure?

    Further, consumers want to know how they can maintain a reasonable degree of control over who collects their personal information. And that, of course, leads to the sharing of information with third-party question and the question of information-sharing with affiliates. The industry has expressed significant concerns about new legislation that would have, as I stated, ''unintended consequences'' on their business operations. This is the time for industry to be precise as to what they expect the unintended consequences of limiting information-sharing with third parties to have on their business operations.

    Rather than general rhetoric, I hope that we can be quite precise. I am sure those on the panels today and tomorrow will do that. The industry received a wake-up call last month when the Minnesota attorney general filed suit against U.S. BanCorp for practices related to sharing customer account information with third parties. The information was used for the purpose of marketing non-financial products and services, such as marketing of low-cost medical and dental plans that could be paid for by automatic debits from consumers checking accounts or automatic charges to their credit cards. Once aware of the practice, consumers expressed outrage. In a clear demonstration of market discipline, many institutions reacted to the U.S. BanCorp announcement by revamping their privacy policies and committing to not engage in such third-party information-sharing practices. The U.S.BanCorp episode has become Exhibit A in this wider debate.
 Page 4       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Along with financial privacy issues, the subcommittee will receive information on medical privacy. Concerns have been expressed by many groups that H.R. 10's medical privacy provisions will undermine the more comprehensive medical privacy initiatives currently being pursued on both sides of the Capitol. Many of these medical groups have suggested that medical privacy provisions be stripped from the bill. I personally do not understand the logic of this suggestion and believe it would be irresponsible for H.R. 10 to be enacted without fundamental privacy medical protections for consumers.

    Now, let me emphasize that H.R. 10 is only a foundation. It is a beginning. It is more than a first step. It forms a foundation. I, too, favor more comprehensive privacy legislation. However, stripping H.R. 10 of medical privacy provisions in hopes that separate, more comprehensive legislation will be enacted is, I believe, most unwise. We shall hear from those medical groups tomorrow, groups with whom I have worked closely over the years on numerous issues relating to health concerns. I do not understand the logic of their position on this, but we will question them on that tomorrow.

    Over the course of these two days we will hear witnesses from a wide range of perspectives, including Government, academia, consumer advocacy and industry. The witnesses will provide the information as I have outlined on all aspects of the privacy issue. We will examine what Federal and State laws already cover financial privacy and their protections. Furthermore, our witnesses will offer their expert opinions on how both consumers and businesses are affected by some of the privacy approaches currently contemplated by Congress.

    I look forward to their testimony. I have every intention of using this hearing as the beginning of a more comprehensive review of laws and legislation that relates to all aspects of financial privacy as well as those that relate to medical privacy.
 Page 5       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    With that, I would like to recognize our Ranking Member who has played a very vital leadership role on the privacy issues, Congressman Vento.

    [The prepared statement of Hon. Marge Roukema can be found on page 114 in the appendix.

    Mr. VENTO. Thank you, Madam Chairwoman, for chairing the hearing. We have a significant group of witnesses who will explore the full range of privacy issues in our economy. Privacy is on the minds of consumers as they see the technological advances eroding barriers, linking data and shrinking the world and sharing their personal profiles with others. In many respects I think that they believe that the ability to maintain their privacy is greatly eroded.

    In many respects, these two days of hearings are a continuation of our look at consumer financial privacy which began in September of 1997. We took that look with a slight focus on the impact of the Internet on consumer privacy as well. We also touched on many of the same issues we will have before us today: the adequacy of the Fair Credit Reporting Act, data security and identity theft and information-sharing for marketing of products and services.

    What may be different is that in these post-H.R. 10, post-''know your customer'' days, we have finally become a very sensitized Congress and perhaps the public. With every day it becomes more clear that the American economy is running on data: personal data, consumer data. We collect, share and peddle profiles and preferences of people to run companies and enforce laws and sell products. But what voice and choice does any consumer have over their own personal and public data? What is the right balance of free flow of information versus privacy protection? Should the only choice a consumer has be that he or she not do business with a company or group of companies because he or she doesn't like their privacy policies?
 Page 6       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Public concerns about personal information privacy, of course, as I stated, are growing. Each week there are new reports of stolen identities and credit cards, selling of financial data, ''cookies'' on the Internet sites, false IRS reports, hijacked ATM cards and numbers. Bad actors are still stealing mail to divert your account statements. Companies are using old-fashioned directories based on where you live in deciding whether to interrupt your dinner with a phone call. Grocery stores are compiling your complete eating habits just because you sought to save a few bucks by using a card. Charitable groups are sharing or selling lists of their contributors. States are selling driver's license numbers which often include your Social Security number. And the litany goes on and on throughout our lives.

    No matter what we do or do not do here, the modern consumer must be vigilant about the information that is out there about themselves. We are in essence surrounded by unwanted junk mail, Internet spam, catalogs, and all sorts of material and telephone calls coming to us and, of course, knowing personal data about us that we would choose not to share.

    With regard to financial privacy, that is, of course, of paramount importance. I think that the expectation of the public has always been that financial institutions, the entities with which we transact, have a higher obligation and usually one which they have met that standard.

    Madam Chairwoman, I think that we have a very good work product which has passed the House of Representatives as an amendment that we worked out to H.R. 10 early this month. This product affords consumers new important safeguards for their financial privacy, putting banks, credit unions, securities firms and insurance firms at the forefront of most other U.S. sectors regarding privacy.
 Page 7       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    As passed, this measure provides strong provisions of law to respect and provide for consumer privacy with a privacy policy that meets Federal standards to protect the security and confidentiality of consumers and consumers' financial and personal information.

    H.R. 10 prohibits the sharing of account numbers for the purpose of third-party marketing. This protection applies to all consumers and requires no action on their part. Consumers can opt-out, of course, of sharing information with third parties in a workable fashion that protects consumers' privacy while allowing the processing of services they request and that are required by virtue of the regulatory and accounting standards of any financial entity.

    Importantly, regulatory enforcement authority is provided to the specific regulators of each type of financial institution to safeguard and to implement this policy.

    This measure, H.R. 10, specifically prohibits the repackaging of consumer information. Data cannot be resold or shared by third parties or repackaged to avoid privacy protections. Consumers must be notified of the financial institution's policy at the time that they open an account and at least annually thereafter. Certainly these are major steps forward. These commonsense and workable provisions were added to the substantial provisions already included in H.R. 10 that prohibit obtaining consumer information through false pretenses and disclosing a consumer's health and medical information.

    But, because there are those who would have liked to have gone further, some who wanted to eliminate provisions like the medical privacy protections in the bill, and because the issue of financial privacy is certainly larger than the financial institution marketplace, larger than H.R. 10 and financial modernization, I am hopeful that with these hearings we can begin to look at the big picture and then to act appropriately on the totality of privacy policy matters.
 Page 8       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    This Congress needs to step up to the plate and provide the legal framework for protecting consumer privacy. While it is appropriate to ensure that adequate policy safeguards are in place to protect consumer privacy in our changing financial marketplace, we need to look at all of the economic sectors—retail sales, commercial corporations, the Government at all levels—to understand how they all utilize information and private information about the individual.

    As many of my colleagues are aware, I have worked on consumer rights and privacy. I have worked to protect consumer privacy through laws like Truth in Lending, the Fair Credit Reporting Act and the Electronic Funds Transfer Act. I also introduced one of the first proposals to protect the consumers' privacy on the Internet, the Consumer Internet Privacy Protection Act.

    During the Banking Committee markup, I introduced an amendment that would have provided an annual opt-out on affiliate-sharing and beyond. I withdrew the amendment when I realized it was unworkable and there was much more that needed to be shaped in terms of financial privacy and policy issues.

    What is clear is that a law that requires consumer action is appropriate. A third party and affiliate opt-out is hardly the first and last word in consumer rights. The fact is that the number of consumers that have such a right today under the Fair Credit Reporting Act or under various institutional policies. Even with that authority, only a small fraction of individuals exercise that option. Consumer choice may give us a warm feeling about what is appropriate, but what does it really accomplish? What is the bottom line? Does it really provide choice if a fraction of 1 percent responds to opt-out?
 Page 9       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The bottom line must be the enforcement of the law. I note that we will have a witness from the Federal Trade Commission. Their testimony at the Commerce Committee last week promoting continued self-regulation for Internet privacy protection underscores for me the deficiency of some of the proposals for H.R. 10 which superimposed the Federal Trade Commission as a privacy regulator. That approach would have given enforcement authority to the FTC as opposed to the appropriate functional regulator for each financial institution. I do not think we should turn over such an important enforcement authority to a non-financial institutions regulator. Indeed, the functional regulators today show every sign of eagerness and awareness and the will to make financial privacy law work.

    Madam Chairwoman, I would entreat my colleagues and other witnesses that as we go forward, to first look to the breadth of the personal privacy issues in our economy. Financial privacy is important; however, privacy concerns are not limited to banks, securities firms, and insurance companies.

    Second, look to the basics for consumers and business. People want to know what information is being collected, and how and why. People want to know how the data about them is being protected. People want to know how to correct false information. People want to know how the laws are enforced. Business wants a fair opportunity to provide options and to use information to better serve their consumers. Business wants a level playing field across economic sectors. Business wants to develop the means to keep data confidential and accurate. There has to be a way to bring both sides together that does not violate the privacy of individuals or jeopardize the flow of a smooth functioning economy.

 Page 10       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Madam Chairwoman, we have a big task ahead of us. I think we have taken a positive step in terms of H.R. 10. I hope to preserve most of the provisions in conference.

    I look forward to working with you, Madam Chairwoman, and I yield back the balance of my time.

    Chairwoman ROUKEMA. I thank the Ranking Member. That was a comprehensive analysis of what we have been addressing.

    Now the Ranking Member of the full committee, Mr. LaFalce, do you have an opening statement, sir?

    Mr. LAFALCE. I will be very brief, Madam Chairwoman. I certainly appreciate the opportunity to join with the subcommittee today, and I commend you for holding this hearing with so many panels over a number of days.

    Issues of financial privacy have moved to the forefront of the debate over the financial modernization bill and moved to the forefront of the debate with respect to financial policy issues generally. Consumers have become increasingly concerned. Consumers have a right to expect that their private financial records will in fact remain private and confidential. And they have what has proven to be legitimate concerns regarding possible misuse of their private financial and personal information.

    A number of Members of this subcommittee, Mrs. Roukema, Mr. Vento in particular, have authored privacy proposals to address these concerns, and a number of them were included by the subcommittee in the Financial Modernization Bill. Most especially the amendment that was offered during floor debate that was adopted with almost unanimous House vote.
 Page 11       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The amendment that so many of us worked on provides consumers with financial privacy protections that go far beyond anything in current law and well beyond the privacy protections available to consumers elsewhere in the economy. But the Senate version contains minimal privacy protections. We may, therefore, in conference with the Senate, face efforts to weaken what we think is absolutely essential. The financial privacy protections that we currently have, the House version of H.R. 10, that we may find difficulty in enhancing these protections, because a good many number of Members would like to enhance these protections, whether in conference or through other legislation under consideration.

    So this makes the hearing today not only timely, but extremely important, Madam Chairwoman. But it is also important that we remember that the financial privacy issues joined in H.R. 10 are but a subset of privacy policy issues. It is not only financial institutions that are in a position to misuse private consumer information, there are a wide variety of commercial and high-technology companies, credit bureaus, marketing organizations, that have and use similar opportunities. Electronic commerce, on-line banking, the Internet, all bring tremendous benefits; but they also pose enormous challenges for those of us who would protect consumer privacy.

    I hope that these hearings will provide us the opportunity to see the privacy within financial services within context so that we might be able to begin exploration of a broader array of privacy issues.

    In addition, I think that recent discussions that I have had show there is some confusion regarding the privacy protections presently available in current law, whether it is under a statute such as the Federal Right to Financial Privacy Act of 1978, the Privacy Act of 1974, the Fair Credit Reporting Act, or various State laws. So I hope that the various panels that we have today and tomorrow will address some of these issues and clarify them in the course of the testimony. And I join you in welcoming the witnesses, Madam Chairwoman. Thank you very much.
 Page 12       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Chairwoman ROUKEMA. Are there other opening statements, please?

    Mr. Moore.

    Mr. MOORE. I would like to thank you for holding these important hearings today and tomorrow. We have several different panels so I will try to be brief. These hearings could not be more timely, given the floor debate on the privacy provisions that could have been contained in H.R. 10. The debate three weeks ago in Congress highlighted the concerns we have about privacy in every aspect of our lives from the annoying phone calls, to the horror stories of entire lives being disrupted and destroyed from the wrongful dissemination of private information. These issues of privacy should be at the top of our legislative agendas.

    We have great economic expansion and growth. Much of our recent success has been driven by our robust information economy and unprecedented technological advances in which consumers benefit from broad new sets of choices, efficiencies and quality services. But the expansion of our technology sector and the consumer benefits that have come as a result of more and better services come at a cost to personal privacy.

    You mentioned, Madam Chairwoman, the lopsided 427-to-1 vote on Representative Oxley's amendment which limits the ability of financial institutions to provide confidential information to unaffiliated third parties. By doing that, this Congress stated its clear intention to require our financial institutions to respect the privacy of their customers. These limitations on the use of personal information, though, should not be exclusively required of our financial institutions and this industry should not be singled out to bear the entire burden of congressional regulation over matters that aim to protect personal privacy. Many of our concerns are derived from our better and more efficient use of technology and increased access to information.
 Page 13       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    If we want to protect privacy, and I strongly believe that we should, we should do so comprehensively, as you have indicated, Madam Chairwoman, and not just impose a new burden on one industry that many of us voted just three weeks ago to modernize. We must not only act comprehensively, but we must act judiciously in our approach to these matters of personal privacy, particularly financial privacy. We must seek a balance between the ability of financial institutions to conduct their business under the new framework of H.R. 10 and the individual consumer's right to privacy. That Congress should also examine these important matters of personal privacy across all sectors of industry and commerce. While I understand that this subcommittee's consideration of this issue is primarily limited to the financial services sector, I want to again thank you, Madam Chairwoman, for your leadership in moving forward with these important hearings.

    I hope that our colleagues presiding over other industry sectors will follow your lead and begin to comprehensively examine this privacy issue. I also appreciate your statements about the concern that a lot of Americans have about medical privacy. Again, thank you very much.

    Chairwoman ROUKEMA. Thank you, Mr. Moore.

    Are there other opening statements?

    Mr. Inslee of Washington.

    Mr. INSLEE. Thank you for your leadership, Madam Chairwoman, on this issue. First off, I want to tell you I have been in public life for ten years and I don't think that I have had an issue that has blossomed so rapidly and caught the outrage of the American public so much.
 Page 14       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    We started this debate on H.R. 10 a couple of months ago and I don't think that any of us understood the depth of the abuse of people's privacy, number one, and the people's outrage that that is going on. Because of that, I think it is important in these hearings today and tomorrow that we realize our discussion here and on the floor to H.R. 10 is not the end and it is even the beginning of the end, it is maybe the end of beginning of the U.S. Congress dealing with privacy issues, and I think that should be true in H.R. 10 as well, because I don't believe our work is completed on privacy issues in H.R. 10. And we are going to be talking to the conferees in the hopes that they can go further, and that is because we believe that there is unfinished business, unfinished in the sense of being able to guarantee consumers' privacy, at the same time allowing financial institutions to enjoy the benefits of consolidation that H.R. 10 will allow.

    What I am hoping, and the second point that I want to make is that I hope that the folks who are going to testify in the next couple of days can answer this question. How can we give consumers what they are entitled to, which is the right to have banking information used for banking purposes and banking purposes alone if that is what they desire? How can we make sure that consumers have that right, while at the same time allowing financial institutions the use of that information to prevent fraud and the like that might be necessitated in certain instances?

    The reason that I ask you to help us in that regard is because when I was trying to draft legislation, I tried to accommodate financial institutions. They said ''We have to send the checks out to be printed, so you can't prohibit us from doing that,'' so we did an exception to that. They said ''We have to have a situation if there is fraud, you have to give us the ability to share information,'' so we wrote an exception to do that.
 Page 15       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    We have to know how to draft legislation that will accommodate consumers' rights to use banking information for banking purposes and banking purposes only, not marketing purposes. Now, I heard many folks say ''That is impossible. Can't be done.'' Well, in honor of today, July 20, let me refer to thirty years ago when we put a man on the Moon and, in a statement that has been used a lot in the last three decades, if we can put a man on the Moon, the U.S. Congress ought to be able to draft legislation that makes sure that consumers can use banking information for banking purposes exclusively.

    And I am going to ask you to help us and not give us the response that people did not give President Kennedy, saying ''It just can't be done, Mr. President.'' This can be done, and I hope that you will help us find a way to do it, to guarantee consumer privacy and allow the banks to move forward. Thank you.

    Chairwoman ROUKEMA. Mr. Gonzalez.

    Mr. GONZALEZ. Thank you very much, Madam Chairwoman. I join my colleagues in commending you for the leadership role you have taken in this issue. I am going to be very brief.

    The potential for this issue to derail passage of H.R. 10 financial modernization is very real, and that is where we are going to be focusing our attention. As Congressman Inslee has pointed out, this may be the launching pad to issues in other arenas. We ask for your expert help with this matter.

 Page 16       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    I look at the privacy issue like this: Technology is expanding. I guess it is really the backdrop. It has expanded, and it is forever changing the financial landscape. Our biggest challenge will be how we operate out there in the commercial world and how we determine what are reasonable and practicable expectations of privacy in today's society with the emerging technology.

    I truly believe that you have anticipated this, and that will be the basis as we proceed to take into account technological advancement and what it has done to commercial enterprise and basic behavior and how such changes impact society's expectations of privacy.

    I will use a quick example in the law, in that I was a judge and a lawyer for many years. At one time, comsumers could expect their phone calls to be private. However, with introduction of cell phones, do you still have the practical and reasonable expectations of privacy if you are using it when you get on a subway? Of course not. You can expand this idea to financial privacy, and that is what we will deal with here today.

    Thank you, Madam Chairwoman, and I look forward to the testimony today.

    Chairwoman ROUKEMA. Thank you.

    Now we must get on to this hearing, which I am afraid is going to be quite long. We were ambitious in setting up three panels. Let me just outline the procedures under the rules of the subcommittee, and particularly today with the extended number of panels and panelists that we have. First, I do want you to cooperate with the five-minute rule if you can. The light in front of you will tell you how to proceed; green to start, the yellow warning sign and then the red light when you should finish. If you can, please abbreviate your remarks. All of your written testimony will be submitted for the official record of this hearing. Again, we will do everything that we can to comply with the five-minute rule. I will also suggest to our subcommittee Members that we also comply with the five-minute rule.
 Page 17       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Second, Members will have—especially since the time is limited—the ability to submit written questions to the witnesses for the further explanation of the issues. Those written questions will be submitted to the witnesses.

    Third, the hearing record will be open for the usual period of time for the submission of additional information, and that goes for all of the panelists. In this regard, I have already received written submissions from several groups, including the Electronic Financial Services Council, the American Insurance Association, and the National Council of Investigation and Security Services, Inc., and I would ask unanimous consent for their written testimony to be submitted for the record. And it is so moved.

    Now, the first panel of witnesses, we have academics as well as experts on privacy and known authorities in their particular fields. The first witness is Dr. Robert Litan, the Vice President and Director of Economic Studies at the Brookings Institution. He is the co-director of the new AEI-Brookings Joint Center on Regulatory Studies and co-editor of the Brookings-Wharton paper on financial services. I do thank you, Dr. Litan, for adjusting your travel schedule and being here today, and of course your written testimony will be submitted for the record.

    Secondly, we have Professor Mary Culnan, from the McDonough School of Business at Georgetown University. She is a known authority in this area who has conducted various privacy studies, including one on Internet privacy policies that was conducted in the spring of this year.

 Page 18       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Our third witness is Mr. Gary Clayton, who is the President of the Privacy Council and also Vice President and General Counsel and Senior Privacy Analyst for Stone Investments of Dallas, Texas.

    And the fourth witness is Professor Fred Cate from Indiana University School of Law. He is the Director of Information Law and Commerce Institute at the School of Law at the University of Indiana.

    Thank you all for being here, and without further delay we will have Dr. Litan.


    Mr. LITAN. Thank you very much, Madam Chairwoman. Thank you for inviting me to appear here today. I apologize for not having written testimony, because the dog ate it.

    No, that is not the reason. My extensive travels have prevented me from writing prepared testimony, but I will submit something after the hearing. Actually, these opening statements were so good that I am going to skip over the detailed notes that I prepared last night and get right to the heart of the matter.

    I recently prepared a paper which I think your committee staff has called ''Balancing Costs and Benefits of New Privacy Mandates'' that I did for the AEI-Brookings Joint Center for Regulatory Studies, and I am going to summarize some of those points which are relevant to your inquiry today.
 Page 19       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    First, policymakers, including Congress, should be cautious about legislating in this area because of rapid technological change.

    Second, Congress should not hesitate to legislate where there is evidence of market failure as long as the steps that it takes do not create unintended side effects that are worse than the disease. I think the opening statements have eloquently demonstrated that there is a market failure here and that something needs to be done.

    The third point, and this is the most important, and something that I learned from Fred Cate in a book he wrote for Brookings several years ago, is that United States law has never made privacy an absolute right, as it more or less is in Europe. Instead, we have balanced the benefits of privacy protection against the costs of providing it and have selectively legislated.

    There are other things that we worry about. We want to catch crooks. We have a guarantee of free speech. We want to prevent fraud and so forth. I would encourage the Congress to continue this balancing approach. Indeed, I believe that H.R. 10 reflects this approach and I applaud Congress for moving cautiously in this area.

    H.R. 10 implicitly recognizes that there are benefits to the sharing of information that have been referred to. We want to reduce the cost of credit. We want to prevent fraud. We want to have third-party processing in many cases. The heart of the privacy-related complaints really center around the sharing of information for marketing purposes. That is the problem.
 Page 20       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    H.R. 10 addresses this problem by providing a notice and opt-out requirement that extends only to third parties, but not to affiliates. The financial industry is strongly opposed to extending this provision to affiliates. I think this opposition is shortsighted.

    One of the things that make financial institutions, and especially banks, unique is that consumers have a strong degree of trust in them. You abuse that trust, you lose the business. Now some say ''Let the market take care of this. If banks want to abuse it, that is their problem, not the industry's problem.'' I beg to differ. The problem in this area is that as more and more stories appear about banks abusing information, consumers can sour on the whole industry, so there are what economists call negative externalities associated with the abuse of information.

    So I think it is in the interest of the banking industry to have the privacy provisions extended to affiliates. In fact, I think it would save them money. When you are doing direct marketing, the last thing you want to do is send out a bunch of calls and mail to people who are never going to respond. Why not save yourself some money up front by at least having those people who don't want to hear from you identify themselves? We have heard that this is a relatively small fraction of the population anyhow. Banks would save money if they knew ahead of time that certain people in their database they should not approach. Indeed, those people are likely to be offended when the bank bothers them.

    In fact, I have come around to the view that I think a notice and opt-out ought to be mandatory for all businesses doing interstate commerce, not just on the Internet where it has come up most often; but why make a distinction between business on the Net and off the Net? For all interstate commerce, why not a minimum notice and opt-out requirement? Same argument. It is in people's interest, it enhances trust. We had a $50 credit limit on credit cards many years ago that basically allowed that industry to take off. I think enacting something like a minimum notice and opt-out will do the same thing for Net commerce—enhance its growth.
 Page 21       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I also think a broad notice and opt-out may help solve this dispute that we have with the EU over privacy. I think if we told the EU, this is what we are doing, we have a minimum across-the-board rule, although it is not the same as yours, at least we are paying attention to the issue. I think we would have the moral leverage to finally get this argument resolved.

    So I would encourage Congress as it goes forward in the negotiations on H.R. 10 to have a stiff back on this issue. Thank you very much.

    Chairwoman ROUKEMA. Thank you.

    Dr. Culnan.


    Ms. CULNAN. Thank you very much. Thank you again for inviting me to testify. I would like to second Bob's points, but I am going to present my own from a slightly different perspective since I am not an economist. The basic issue here, I think, is disclosure, not really privacy. Consumers will disclose personal information that is needed to drive the information economy if they perceive that the benefits of disclosure exceed the risk. So it is up to the business community to make the argument that there are benefits to having the information used, and then to also make the argument that this is a low-risk proposition. By observing fair information practices, risks are reduced and therefore, this promotes disclosure. So protecting privacy is really good for business.
 Page 22       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    One of the risks that comes up is incompatible use, as Bob Litan said, the idea that information is collected for one purpose and used for other unrelated purposes—information-sharing for marketing purposes is a primary example—when the information was not explicitly collected for that purpose.

    We are familiar with the results of information-sharing among affiliates. I received a phone call Sunday night from—the source of the information was First USA. It was one of their affiliates, and they offered me two free airline tickets to anywhere in the country that I wanted to go to introduce me to this organization.

    I think the current language in H.R. 10 does not adequately address the privacy concerns raised by the incompatible use for two reasons. First, it does not require the privacy disclosures to reflect the core elements of fair information practices. My recent survey of privacy notices posted by commercial Web sites clearly reflects the inadequacy of the majority of these privacy disclosures absent any core standards or core requirements for what the notice is to include.

    And second, H.R. 10 does not include an opt-out for affiliate-sharing. I disagree with the argument that by disclosing privacy practices or privacy policies, the consumers can then choose among organizations by selecting the ones that have a policy that they perhaps find acceptable, because if the trend toward these mega-conglomerates materializes, this is really a false choice. Offering an opt-out will not mean an end to the information economy, because information about consumer choices and behavior can still be analyzed and shared in the aggregate for making marketing decisions.
 Page 23       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The majority of consumers do not opt-out, but they value having the choice, and observing fair information practices addresses the privacy concerns that information-sharing raises. If really good notice and choice are given and people don't take the choice, then business organizations can feel free to go ahead and share the information and use it for marketing.

    On the other hand, I think a failure to offer an opt-out for affiliate-sharing really is at odds with all of the self-regulatory programs that the other industries have been working hard to advance and that a lot of American's best companies have instituted on their own.

    I also would like to say a few words about Internet privacy, because I think the Internet raises some unusual different issues than we find in the off-line world. On the Internet our behavior can be tracked even when we don't engage in any transactions or raise our hand in the marketplace. What we are learning is that when Web sites ask people to disclose information and don't tell them how the information is going to be used or offer choices about the subsequent use, what people do is refuse to disclose the information or they lie. So once again we have evidence that observing fair information practices is really good for business because it promotes disclosure and trust and confidence.

    While privacy is important to the success of e-commerce, it is important that any regulatory solution takes into account new Internet business models that involve information-sharing to benefit consumers, so I would urge not to rush to legislate without thinking through the implications for electronic commerce.
 Page 24       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    In conclusion, there are two things that you can do. One, charge the financial regulators such as the OCC to convene a series of workshops that bring together a lot of stakeholders to discuss the issues such as the ones that Mr. Inslee raised in particular, and to conduct research as necessary, and report back to Congress on a regular basis on the need to regulate or not. And I think this should be done independent of what happens to H.R. 10.

    The FTC has had a similar process in place for a number of years. I think it has been very effective in terms of developing views, understanding the issues on both sides and moving the process forward; particularly it has jump-started a lot of private sector initiatives, and I think the same thing could possibly happen in the financial institutions industry.

    I would also like to say briefly that technology has changed the nature of the public record. I think we need to have a national discussion about this in terms of how they benefit our society and the different ways that they are used, and to look at the current balance between privacy interests and other societal interests, and I would urge you to perhaps launch this discussion.

    Thank you very much and I will look forward to your questions.
    Chairwoman ROUKEMA. Mr. Clayton.


 Page 25       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. CLAYTON. One of the things that is very difficult, and I empathize with you, how do you try to shape something that is so fluid and changing so quickly? I work with people in California and Austin that are taking technologies and changing the way that businesses are providing services. And the issue of privacy is something that I don't know how you answer the question. There is no one single answer, and it is going to change with time.

    Mr. Vento made the appropriate response: Information is driving our economy, it is going to be used in ways that we never thought about before. And we see ourselves contrasted with Europe. The Europeans have taken the idea that the government can step in and form regulations and dictate how the knowledge and information is used in their society. I don't believe it will work. Technology will leave it behind.

    I believe what you need to do is to be cautious, to take time to understand and study these issues, because what is going to happen, the answer today is not going to be the answer tomorrow. There are going to be new technological threats to our privacy and changes to the way that we provide services, and we don't want to undermine the thing that is driving our economy.

    I would also encourage you to look at the way that the Europeans are attempting to draft their own legislation and implement this. It is in marked contrast to what we are doing in the United States. The frustration may be that we don't have one national legislation effort to resolve all privacy issues. The Europeans have tried that, but the problem is that when you do that, one size does not fit all.

    We are talking about personal information and it is very fluid because it is knowledge. It changes with how it is used. It changes with how industry wants to use it. And it varies from individual to individual. Privacy is not and never has been a fundamental right in the United States in the sense that it is written in the Constitution. It is a secondary right. It is one of those things that is protected by other fundamental rights.
 Page 26       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    In Europe they claim that it is, and I will tell you that I have spent a lot of time over the last two years, and I have studied and lived in Europe. It is not something that they consider a fundamental right. We are just as concerned in the United States about privacy. They view government's involvement in having information in Europe very different than we do. They allow and accept that. One needs to travel to London to see the government uses of close captioned television with no concern about privacy issues.

    In the United States we need to be very cautious about looking at what they have done in Europe and drawing some distinctions, because I think what has to happen is we do have to regulate by industry sector, and there is going to be a consensus formed that some issues have been resolved. And in the written statements that I talk about, I believe there are some general understandings about what privacy things are needed.

    Notice: We go through the various things in the paper talking about consent. Notice is very important, and I would agree that you should extend the idea and require very specific notice be given about what is going to be done with information, because one of the things that I am most optimistic about is that this power of the new technology we have empowers individuals, and I think our economy is a reflection of people who have now gotten access to information of all sorts that we didn't have.

    One of the things that you can enhance the empowerment of individuals by doing is to require financial institutions to disclose what they are going to do with the data. I think that applies to their affiliates as well. When given that choice, if a consumer decides to do something or not do something, that is up to the individual; but Congress should be very wary about stepping in and attempting to regulate it with great detail. I think encouraging public debate like the FTC has done is a very valid role.
 Page 27       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    One other point. Over the last two years a lot of industry organizations have gotten together to discuss this, to debate the ideas and to bring other people in. One of the groups that has been missing from those debates has been the financial institutions, and I am not certain for the reason about that, but maybe this subcommittee, through H.R. 10, or Congress can encourage through the regulators, encourage financial institutions to get more involved in the privacy debate and allow the free market ideas to come up with some solutions. I think it is too early right now to have those, and I believe H.R. 10, in calling for a study to do that later, is entirely appropriate.

    I would urge you to be cautious because I think you are attempting to regulate something that is too powerful and too useful for our economy, and that is the way that information is used. Just be very cautious. Thank you.

    Chairwoman ROUKEMA. Thank you.

    And Professor Cate.


    Mr. CATE. Thank you very much, Madam Chairwoman and Members of the subcommittee, it is a pleasure to be here. Coming last always presents the question of whether I say what I intended to say or I merely respond to what has been said before, but I think there is so much similarity I may be able to accomplish both.
 Page 28       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Let me start with the same points that Bob Litan did. First, we see the essential role of information in this economy. We would be mistaken to think that when we talk about protecting privacy by restricting the flow of information we are not also talking about costs involved. These costs may be well worth it—recognizing those costs do not automatically lead to the conclusion of what should we do—but it at least suggests the importance of making sure when we start regulating this essential infrastructure that we be frank about the extent to which we are in fact affecting the cost at which services and products are provided, and also the unanticipated consequences of those regulations.

    I know this is a phrase that you hear a lot and probably don't like hearing very much, but what we have seen in every area where we have seen regulation, and particularly in the States, and this is reflected in my written testimony, that there are ramifications of regulations to protect privacy that nobody thought of, that nobody considered were going to be likely until after the law took effect.

    Now this seems particularly likely in the case of financial information because of how central it is to our society, and because of how far-reaching it is: when you touch any part of this web of financial information, the entire web vibrates, that the ramifications are likely to be quite significant.

    I think H.R. 10, which in many ways offers excellent privacy protections—and I will return to those in just a moment—gives some clear examples of where these sort of unanticipated consequences might come from. How does H.R. 10 interact with the Fair Credit Reporting Act? Do H.R. 10's prohibitions on non-affiliated third parties regarding disclosing financial information also apply to credit reporting agencies? Does H.R. 10 preempt States from acting in this area? What about affiliate information-sharing, a subject on which H.R. 10 is silent, appropriately so at this point? But where does that leave us for the future debate? Is affilitate sharing now presumptively all right? Where does State law fit in there?
 Page 29       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The debate on affiliate versus non-affiliate sharing is mystifying to me, but mystifying in the sense that many banks today, many financial institutions offer services through affiliates, services which the customer would never know were coming from a different organization. A credit card, a bank account, an overdaft credit protection account, a mortgage account may all come from different affiliates of the same institution. My guess is, certainly my own view is that most customers would not be miffed to receive marketing information for a related product.

    So if, for example, I am seen to be carrying a high balance month after month on my credit card, I would receive a notice saying I could have a second mortgage on my home at a substantially lower interest rate, I don't think that is the type of thing that most consumers would think of as surprising, whether or not that comes from an affiliate or simply a division of the same company.

    I think consumers experience concerns when the marketing is for an activity or a service that is unrelated to the banking industry, unrelated to the financial service. And so to some extent, I think this focus on affiliate versus non-affiliate is in many ways missing many consumers' concerns.

    I want to conclude here by picking up on Bob Litan's point, however, about do we see here a market failure. If we start with the assumption that if the market is working well, then notice is what is key; and H.R. 10 certainly requires that notice, and it is commendable for doing so. Do we see a reason to go further than that? I would argue that we do not yet see that—first of all, that we are in a period of dramatic change; the FTC's conclusions with regard to online privacy are quite applicable here as well.
 Page 30       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Second of all, I am not as ready as some of the prior witnesses to dismiss the bank's self-interest here. We see banks now responding to the publicity of the past year. We see seven major national banks have appointed executive level privacy—what the industry is calling ''czars.'' We see the announcement of Bank of America that it is not going to market data to non-affiliated entities. I think the self-interest of banks in having that trust relationship preserved, not only for the handling of customers' money, but also for the handling of customers' data has, in fact, some significant room and should be given a chance to grow.

    And finally, just to touch on Mary Culnan's point, electronic commerce, I think, also suggests a reason to be very cautious here. Financial services promise to be a central component of electronic commerce for two reasons: one, because we have to pay for the things that we purchase online, and second of all, because of dramatic cost savings available when we do our banking online.

    On the other hand, the very things that we most need in the online environment—the verification, identification, authentication so we know who is on the other end of the transaction—depend on that ready access to a pool of information, just like check clearance and credit authorization services do. So my recommendation to you is not that this is not an area for attention or for enforcement of existing laws, but rather that, at present, we don't see the need for additional law.

    Thank you.

    Chairwoman ROUKEMA. We are going to be having a vote. I think I can get in my five minutes here—I think. And then we will have to recess for the votes.
 Page 31       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. Cate, I thought I understood you until you made your last statement. I think there has been a pretty definitive statement regarding the exceptions to practices with affiliates. Mr. Clayton disagrees with that, I believe, but I am not quite sure that I understand why you disagree.

    It sounds like a general statement. It seems to me just the logic of it goes with Mr. Litan, as well as Ms. Culnan, you mostly agree with that. I don't know that you have definitively stated that. But let me ask another question, OK, for anyone, particularly to Mr. Litan and Professor Culnan, to respond to.

    You have talked about the affiliates, but none of you have referenced the statement of the industry that exceptions are intended to protect industry practices. How do you respond to that? What industry practices are they speaking of and why does that justify the exception?

    Mr. Litan.

    Mr. LITAN. Actually I have this in my notes, and I skipped over it. If I were drafting a bill, I would take a different approach. Rather than having a broad requirement of opt-out and then a list of exceptions which can get incredibly complicated. I would take a much simpler approach.

    I would just simply say that there is a requirement that there be an opt-out for information transferred for marketing purposes, period. Just make the language a lot simpler. The bill already identifies customer account information or identifiers as being prohibited for transfer for marketing purposes, so that principle is already embodied in the bill. I would just make it clear.
 Page 32       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Chairwoman ROUKEMA. I think that—as Mr. Vento said, I think that is in the bill, but I don't know whether or not that is precise or tight enough. But we can discuss that further another time.

    Professor Culnan.

    Ms. CULNAN. I agree.

    Chairwoman ROUKEMA. You agree that the bill is probably adequate?

    Ms. CULNAN. No, I don't state that. I am agreeing with his point that the opt-out should be required for marketing purposes. I think that is a concern to people when they do not have a relationship with an organization, they do not believe it is a related organization; it is a different organization in their view. They may not be interested in hearing from this organization. Related use by the bank is fine. People don't have a problem with that.

    Chairwoman ROUKEMA. Please review the language in H.R. 10 and see where that might be insufficient for your statement now.

    Mr. Clayton.

    Mr. CLAYTON. If I gave the impression that I was disagreeing with them, I do not. That was sort of my point. I would agree if you try to start listing a litany of exceptions you are going to—it is impossible. And my point was, I think if you make it an understanding about if you give consumers the ability to learn who is going to get the information, and then limit it, as they are describing, I think that is sufficient.
 Page 33       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Ms. CULNAN. In my own case, the one example was an affiliate of the credit card company that marketed me for a service that had nothing to do with my credit card and was for something I was not interested in. And just because they were an affiliate, I thought that I should still be able to opt-out of that.

    Chairwoman ROUKEMA. Thank you. I appreciate, Mr. Clayton, your clarification.

    Professor Cate.

    Mr. CATE. I believe I agree, if I understand what this has been interpreted to mean, which is that it would be preferable rather than to distinguish between affiliate and non-affiliate data-sharing to simply say there would be an opt-out for data-sharing for marketing purposes. Then I understood the addition to be marketing an unrelated service or product.

    Chairwoman ROUKEMA. I would appreciate your help in terms of defining that in legal language in the bill, because I do not believe that the bill is precise enough. All right? I thank you for that.

    And I believe that we will have to recess now. We have a vote which will be followed by four five-minute votes. So we will be in recess for at least probably half an hour. We will be back within half an hour.

 Page 34       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Chairwoman ROUKEMA. I do apologize to everyone, our panelists and our observers here. That was far longer than a half-hour, and I am sorry for that. We were given the wrong information about the numbers of fifteen-minute votes and five-minute votes, but I believe now we have a time period here when we can make some progress, as they say.

    I have used my five minutes, and again I would remind all our Members of the subcommittee that we are going to try to stay in every case with the five-minute rule because of the extended numbers of panelists that we have today.

    And so with that, I will yield to the Ranking Member, Mr. Vento.

    Mr. VENTO. Thank you, Madam Chairwoman.

    Dr. Litan, you point out that the desirability of opt-out—of course, opt-in we sort of invented those words in this subcommittee, because obviously they are quickly gone by in terms of others, and you don't differentiate between an affiliate and a non-affiliate type of circumstance, suggesting that there is more commonality than difference.

    Nevertheless, suggestions have been made that we might all do well to back up and say, we know what we are trying to do in terms of privacy, but is this a good tool, opting-out or opting-in? Or are we better off placing an affirmative responsibility on the financial entity to, in fact, accomplish that privacy?

 Page 35       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. LITAN. Are you specifically asking me my views on opt-out versus opt-in?

    Mr. VENTO. No. I expect that opt-in is a lot more effective. In any case, the options that we have before us at this point at least, are wide open. But what about placing affirmative action on the part of the financial entity versus opt-out, which gives us less than 1 percent of the Fair Credit Reporting Act, a fraction of a percent which actually opt-out?

    If it were written in less than halftones on the back of the statement, maybe consumers would respond differently, but I know what the numbers are today.

    Mr. LITAN. I think over time the numbers are going to change as people become more aware of what information is out there. The difference between opt-out and opt-in, of course, is that with opt-in you certainly have more protections, but it is also a lot more costly. There are all kinds of potential unintended consequences from an opt-in requirement, and that is, you may not get a lot of information from individuals that you really need. In particular, if there are legitimate uses for fraud prevention and so forth, you may not get the information that you need.

    So I think it is premature to consider an opt-in. It may be five years from now we find that an opt-out requirement does not provide enough protection, but I think at this point it would jump the gun too far to go to an opt-in.

    Mr. VENTO. Trying to get some different issues on the table, the other side is that—I can remember as a kid taking the streetcar and seeing these advertisements in the public transit system, and they talked about the virtue of advertising and the way that it communicates and informs, implying if we didn't have it, we would still be using washtubs and scrub boards, and so the education age of our society.
 Page 36       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The converse of some of this reflects some conduct on the part of financial institutions where not only are they not sharing it—in other words, they are keeping all of this information, rather than sharing it with credit bureaus. They are not sharing it at all, so you are then limited in terms of trying to go to X, Y, Z, and say, ''we want credit.'' They say, ''we have an incomplete record of your transactional background, because it is not shared as broadly as it once was.''

    Mr. Clayton, do you have any comments on that phenomenon?

    Mr. CLAYTON. You have hit on the point where in an Information Age economy, we are dependent on the information and having a thin file or no information is tantamount to not being able to get credit and do business.

    Mr. VENTO. As a State legislator, I recall writing laws that gave the actuarial experience to everyone so they could bid for health insurance purposes, because the health insurance companies would not share the information, and as a consequence, there was no competition. So we had to actually write laws to say, you have to give the actuarial experience on a broad basis.

    So I assume, under this, there has to be transactional information for credit bureaus. We may be in a situation where we are going to compel a financial entity to share information, but with that goes an affirmative responsibility to determine how it is used. There are confidentiality agreements and privacy agreements and other factors that have to be in place.

 Page 37       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    For instance, Ms. Culnan, you referred to the fact that you are being contacted with regards to free flights, but on a credit card basis, one of the very common ways of gaining your points is through, in fact, the credit card transaction. They have to share that information so you can get your frequent-flyer points on American or Northwest.

    Do you have any comment?

    Ms. CULNAN. One of the differences—I am a big fan of frequent-flyer programs, and I often joke, if you give me frequent-flyer miles, I will tell you anything you want to know. But the big difference is, I signed up for these programs. The benefits in that case exceeded the risk.

    In this case—first of all, I am not sure that I was being offered a free airline ticket. In the second case, the information was being used for a use that I had not been told about.

    Mr. VENTO. One of the issues is the universality. If we have a different circumstance for financial institutions, Internet, it makes it more difficult to understand it, so it argues for universality in terms of the policy, so this all fits together. That is obviously something that the industry has been trying to avoid.

    I yield back the balance of my time.

    Chairwoman ROUKEMA. I wonder if the Ranking Member would take over the Chair while Mr. Gonzalez asks questions. I have a very important phone call to make.
 Page 38       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. VENTO. [Presiding.] I would be delighted to. We will reserve the gavel for you, and I will give it back.

    Mr. GONZALEZ. Thank you, Madam Chairwoman.

    There is a general principle being suggested that we would have an opt-out for any marketing or any related purpose. That is what I gleaned from this.

    Under that scenario, what do you see as any difficulties that a financial institution may encounter if, in fact, we have this in place, as a practical matter?

    Things are happening out there, and again I am going to get back to what—in today's commercial world, what does the average citizen customer expect? What are their expectations of privacy when they fill out those forms?

    When I talk to my constituents, I ask ''What if you went to Frost Bank and opened a checking account, and they have a security arm in Dallas, Texas and they use that information to identify you as a potential customer for securities. Does that upset you to get a brochure from Frost Bank telling you about securities operations in Dallas?'' They say ''no.'' What they do object to is if they get something in the mail that is totally unrelated—a travel club that has no relationship to the financial institution. But under your scheme or suggestion, if you can tell me, what do you see is the downside?

    Mr. LITAN. Well, I see virtually no downside. The banks would have a database, and for individuals that have said that they are going to opt-out, they would be segregated in that database. It is all on computer anyhow, and I don't think that it is a big deal to have separate identifiers. I actually think that the banks could end up saving money, because they would know that certain consumers don't want to hear from them.
 Page 39       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I tend to agree that most consumers probably don't care that they have been identified by some information that they have provided, but consumers ought to at least have that choice as to whether or not this information should be shared.

    Ms. CULNAN. I would agree. One issue is, they would have to come up with a definition of unrelated use and how many of these there are.

    The second issue would be, how many choices to give the consumer. Are you going to give them a couple or three choices as some credit card companies do, or do you give them a whole list, and it becomes so overwhelmingly complicated that people lose interest. Also, how to communicate this to the consumer and make the choice easy for the consumer.

    There is opt-out and then there is a good opt-out. We don't have a lot of good opt-outs in this country, and that would go a long way to improve the situation where it was a lot easier to make the choice.

    If you look at the Harris Survey data, if you look at the differences when people are given notice and choice, whether or not they opt-out, privacy concerns go away because people have been told and are informed.

    One of the issues is just the feeling that things are fair; even if you choose not to exercise the choice, the choice remains with you and you can make it at a later time. That goes a long way to remove the privacy concerns, and that is why I think that some of the opt-out rates are so low. People just do not want to be surprised.
 Page 40       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. CLAYTON. I think the problem is going to come when you start trying to define things like ''unrelated services.'' as technology continues to blur the lines between personal information, public information, how it is shared, services are going to have the same thing. And I will tell you, the Internet world, one of the powers of the Internet world, it is blurring these lines of distinctions. You have AOL offering all sorts of things, and you have all sorts of various Internet companies which start out with one facet that they are offering and are sharing information on things that consumers want. I see a world—the Internet world is, how many e-mails do I have to get to give me information? How many times do I opt-out? I don't want to get constant, constant notices.

    On the other side of this, I agree with her that you have got to have power to make that decision for yourself, and if you give me the information, maybe it is not opt-out or opt-in. Maybe the decision is that I do not do business with you. That is the ultimate opt-out or opt-in.

    Mr. VENTO. If the gentleman from Texas would yield to me on that point.

    I think it is a very good point. If you begin to look at not just services and related services, some of those related services are indeed the problem. Later on, the Consumer Union or Federation testimony will indicate that some of the related services like credit insurance and credit card insurance and credit life insurance are really selling services that are very questionable in terms of whether they are even usable. But that sort of propounds the whole issue: Can you protect an individual from themselves?
 Page 41       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Some of this is, we go through all of this Truth in Lending regarding the terms and benefits, and it has to be open; and then the question comes back to whether or not we should eliminate or insulate people, because if we advertise or solicit them, they might vote Democratic or Republican. The fact of the matter is, in terms of trying, they might buy that blue horse.

    So the issue is that is what it gets back to. I don't know if the service, as an unrelated services issue, is going to be quite what we want in terms of—I appreciate the gentleman yielding. I know that he had little time. You are still recognized, clearly.

    Mr. GONZALEZ. Professor.

    Mr. CATE. Let me associate myself with a couple of prior points. One is that the definitional problem, which is the major issue facing the subcommittee or the legislator who drafts that is, how are you going to define that?

    Second, how are you going to track those preferences so when information is supplied, for example, from a financial institution to some other institution? Data, as you well know, is often aggregated, and we should think about the cost involved in attaching preferences to how that data is used and how that will be maintained in subsequent database banks.

    Third, going back to the point that Mr. Clayton made, opt-in and opt-out are clearly not the only two options here. One option is, in a competitive market, walking away from the deal, and of course, that goes back to, do you know what the terms of the deal are, which the provisions of H.R. 10 make that clear. It requires the posting of a privacy policy, which makes that particularly important.
 Page 42       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Fourth and finally, I think we have to keep in mind that there is some sense of fairness between the customer who opts-out and the customer who does not. Presumably the reason banks are wanting to share this information and to market it is because it generates revenue, and therefore, customers who opt-out of this are presumably not participating in that form of revenue generation for that entity. So to require the bank or company to do business with someone who does not, in fact, share the same profile in terms of if their data is being used, nor is it contributing to the overall revenue of the institution, strikes me as raising a fundamental fairness issue.

    Mr. GONZALEZ. Thank you very much.

    Mr. LEACH. [Presiding.] Mr. Bentsen.

    Mr. BENTSEN. Mr. Chairman, I would be happy to yield to the distinguished Chairman if he had questions.

    Mr. LEACH. I would be happy to yield to you. You have been here much longer.

    Mr. BENTSEN. Relatively speaking. I thank the Chairman.

    I have a couple of observations. What I think we tried to do in H.R. 10, what is the point of creating a holding company and acquiring affiliates if you are not going to be able to share information for marketing purposes amongst them, as well as transactional information, which I think some of you have addressed briefly. But there is a transactional consideration, as well, in creating a financial supermarket that someone may or may not want to go into.
 Page 43       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I know that some have argued that this is the wave of the future. We are only going to see these financial conglomerates. I think there still is a pretty broad market out there.

    Furthermore, as my colleague brought up, the issue of credit life insurance or credit insurance and things like that, of course, current law allows all of those things to be marketed. I get marketing phone calls constantly from the bank I do credit card business with on all sorts of insurance products in which I have no interest. That is one point.

    The other is, the sort of functional aspect of this in an opt-out, and I would like you to think about this and comment about this.

    Ms. Culnan talked about the credit card industry, and I think American Express and some others—and I don't want to pick on American Express—they now have a mandatory arbitration over disputes that went into effect if you used your credit card; and it was, of course, noted in the bill. I will be the first to admit I didn't happen to read it in my bill. I am not sure anybody who may have been a card holder for some time read it or not. I am sure that it was in there in the amount of data that you get, but most people tend to look just at their statement, whether or not they made the charges, how much money they have to send in. And there is some practicality, I think, to having some specifics set out, because disclosure is good in that it is done, but it is also only so good as people will actually see it and notice it.

    And I think what we tried to do in H.R. 10 was to slam the door on transfer of data to third parties, prohibiting some outright and limiting others as well. And I would like you to comment on the practicality of this. We can have all of the opt-outs in the world and nobody might ever see them, and so they would be rendered useless as a result of that. So I would like you to comment on that.
 Page 44       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    But first of all, I still don't know, and Mr. Litan who I have the greatest respect for, I still don't know what the problem is, from a marketing standpoint, of an affiliate that is a controlled affiliate of the holding company that you have decided to do business with, marketing material that you may not want, other than the nuisance factor?

    Mr. LITAN. Well, again I think it comes down to a fundamental issue of choice and whether the consumer ought to have a right to opt-out of that.

    Mr. BENTSEN. If you will yield, they do still have the choice of the 10,000 bank holding companies that they can go down the street to Acme Bank and Trust that may not be a holding company.

    Mr. LITAN. In a world of financial conglomerates that we are headed toward, there may be only a handful of those. The reality, I think, is, there are multiple attributes that consumers look at when they look at financial services. They look at price, convenience, and privacy will be one among many attributes. I am concerned that privacy will get lost in the fine print and a lot of consumers will not make intelligent choices based on privacy.

    I don't think that there is any rational distinction between affiliates and third parties if you accept the proposition that consumers ought to have a right to at least have a choice. Why should it make a difference whether it is an affiliate or non-affiliate?

    Chairwoman ROUKEMA. Mr. Bentsen, you were not here earlier when we made the point that we have an extensive number of panels and panelists, and I have been quite precise in holding people to the five-minute rule. I will give you one more minute.
 Page 45       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BENTSEN. Do you consider affiliates and subsidiaries the same?

    Mr. LITAN. Yes.

    Mr. BENTSEN. For privacy information?

    Mr. LITAN. Yes.

    Mr. BENTSEN. Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Mr. Inslee, please.

    Mr. INSLEE. Thank you. I would like anyone on the panel to address this Federal preemption issue. There is a State legislative hearing on Friday in Washington because there is great concern that this will preempt an ability in the State of Washington to have an opt-in or opt-out for affiliates, or to have opt-in for third parties, or both. That is going to be under consideration by the State legislature. As H.R. 10 is currently drafted, do any of you have an opinion whether there will be Federal preemption; and what do we have to do to make sure that there is not, number two?

    Ms. CULNAN. I will pass on that because I am not a lawyer.

    Mr. LITAN. I will take a cut at it.
 Page 46       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    As I read the statute, I don't think that there is an implied preemption.

    The second question, as a policy matter, should there be preemption or not, you are taking the position that States should be able to add on what they want.

    I have the opposite inclination. I think in a world where we get 50 different State privacy laws, especially when we have financial conglomerates doing business all over the country, it would be a better idea not to have 50 different privacy laws, and so I would actually favor an explicit preemption.

    Mr. INSLEE. You would prefer that we do it right here then?

    Mr. LITAN. Yes.

    Ms. CULNAN. Yes.

    Mr. CATE. I don't see preemption in the bill, and I think it would be entirely appropriate here, because not only of the situation today with banking conglomerates, as the focus increases with online activities, the idea of having State regulation here is practically unworkable.

    Ms. CULNAN. But the key point is that Congress has to get it right at the national level.

 Page 47       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. CLAYTON. That is the key point, and one of the advantages of having this Federal experiment, I can try it in my State and you can try it in yours, and we can see what happens. The example of Europeans, they are trying one size fits all. We have decided we know the answer, let us do it. I don't think that is workable, because no one knows what this area of the world holds in terms of technology. I would rather you make a mistake in your State, and we learn from that, than have Congress make the mistake and we all have to live with it from now on.

    Mr. INSLEE. Are you suggesting that we not act on this issue?

    Mr. CLAYTON. Act cautiously. If you try to preempt States from doing this, they are going to be more sensitive to areas that we are not sensitive to on a national level. Using California as an example, for the supermarkets, they have bills trying to regulate how you use data collected by supermarkets and what notices you get. Congress is not addressing that issue. Other States may or may not address that, but they are responsive to local demands on that.

    Mr. INSLEE. Let me ask you to comment. Mr. Bentsen asked what is wrong with allowing consumer choice or markets to resolve this issue, and I liken the situation to an attorney-client relationship where we by statute and ethical rule guard the fiduciary obligation. We guard confidential information, and we do not say, if you don't like the lawyer telling the world you have this problem, you can go to the next lawyer and he will take care of it. And the reason we do that, we respect the fiduciary relationship of that type of relationship.

    I, for one, believe, and I am sure you realize, it is a fiduciary-type relationship, the banking relationship with their customer; and the reason the industry has been so successful is that it has enjoyed historically the trust of the American people. And I would ask your comments, is there some reason we should treat it with any less respect?
 Page 48       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. LITAN. I think you have just made an excellent statement. I fully agree with it.

    Ms. CULNAN. It does go to the issue of trust. People have an expectation that their information is provided for one purpose and will not be used for any other purpose, especially when they were not told about it. When new relationships are established later with new organizations, this can begin to undermine trust in the whole financial services industry.

    Mr. CLAYTON. I would disagree. There is a historical reason why we have lawyers and attorney-client privilege, and that is to facilitate a complete and uninhibited exchange of information. It can't be disclosed.

    That same sort of societal need is not demanded in relationships with the bank in every instance, or with other commercial entities. We have for hundreds of years tried to protect the attorney-client privilege, and it gets complicated when you start getting States and having other issues about who has the right. I think it is fundamentally different.

    Mr. INSLEE. We live in a great Nation where great minds can disagree. Thank you very much. Thank you for your time.

    Chairwoman ROUKEMA. That concludes our first panel and I don't know what more I can add to that last statement. We can be most appreciative to be in this great Nation where great minds can disagree.
 Page 49       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I don't know that we have resolved all of the issues here, but I think you have given us greater insights, and I think Mr. Vento agrees with that perception, that there are certain valuable things that you have laid out here which are very important for us to analyze and translate, if necessary, into further legislation. Maybe we can revisit H.R. 10, although I will not make any reference to the conference committee at this point in time.

    Again, under the rules of the committee, if you want to submit further extension of remarks, you are free to do so; and we may have some individual questions to present to you as panelists for the record. Thank you very much.

    Will the second panel come forward, please. I thank the second panel for waiting. We have a distinguished panel here that is representing some of the smaller financial institutions, as well as one or two other participants of the industry that have a direct relationship. Our first witness is Mr. Robert Barsness, who is President and CEO of Prior Lake State Bank in Minnesota.

    Did you want to have something to say, Mr. Vento?

    Mr. VENTO. Mr. Barsness frequently does represent the Independent Community Bankers.

    Chairwoman ROUKEMA. Yes, and that is his capacity here today. Being from the same State, I thought you might have an observation. We all welcome you today, Mr. Barsness.
 Page 50       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Our second witness is Robert Davis, he has appeared before us previously and is here on behalf of America's Community Bankers, and he is Director of Government Relations.

    The third witness will be introduced by a colleague and friend of his from the great State of Oklahoma, Mr. Lucas.

    Mr. LUCAS. Thank you, Madam Chairwoman, I appreciate the opportunity to introduce Mike Kloiber, President of the Tinker Federal Credit Union in Oklahoma City. Mike has twenty-one years of experience in the financial industry, eleven of those with Tinker Federal Credit Union. Tinker has 162,000 members and is based in Oklahoma City. In his capacity as CEO of Tinker Credit Union, Mike is actively involved in those issues which affect the privacy of member records. He is testifying on behalf of the Credit Union National Association and the National Association of Federal Credit Unions, and it is a pleasure to be able to introduce my fellow Oklahoman.

    Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you, Congressman Lucas.

    Our fourth witness, Mr. Richard Barton, is Senior Vice President for Congressional Relations at the Direct Marketing Association, and we certainly welcome you here today.

    Mr. Barry Connelly is President of the Associated Credit Bureaus, Inc. I believe that you have been President of that organization since 1994 and have an extensive background in fair credit reporting, having worked on that issue over the years, and we welcome all of you today.
 Page 51       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Again, I will repeat my alert warning on the subject of the time limits in the hope that we can be respectful of that.

     With that, we will begin with Mr. Barsness.


    Mr. BARSNESS. Madam Chairwoman, Ranking Member Vento and Members of the subcommittee, I am pleased to appear before you today on behalf of the Independent Community Bankers of America and its 5,300 community bank members. I commend you for holding this hearing to examine, among other things, the consequences of the privacy provisions of H.R. 10. Indeed, the ICBA would prefer that Congress withhold adoption of new privacy laws until the issue can be fully explored through the hearing process.

    Community banks have a long tradition of safeguarding the confidentiality of customer information. If my bank employees were to spread information around town about confidential customer information, there would be a line of people waiting outside the next day to close their accounts. There are a lot of options in the marketplace and customers will not tolerate a financial institution that does not protect their privacy.

    A case in point is the U.S. Bancorp lawsuit in my home State. Even before the ink had dried on the complaint, U.S. Bancorp customers were shopping around for a new bank. A number even came to us looking for a bank that would safeguard the privacy of their accounts. We at Prior Lake State Bank take this responsibility very seriously, and I know that community bankers place the highest value on customer privacy. Simply put, it is in the self-interest of every community bank to avoid the misuse of private customer information. The result of such misuse would be a loss of customer confidence in the institution and eventually the loss of customers. That is why voluntary customer privacy practices have worked well.
 Page 52       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Community banks cannot long survive if they gain a reputation for abusing customer confidentiality. Two years ago the banking industry adopted a set of industry guidelines and privacy principles to govern voluntary privacy practices. As a signatory to those principles, ICBA has continually urged members to adopt the privacy policy and inform their customers. We believe these voluntary guidelines provide a workable framework to devise a privacy policy that will protect customer information.

    I have attached a sample policy to my written testimony.

    In addition to the voluntary practices, we operate under a framework of State and Federal laws and regulations which provide comprehensive privacy protection for our customers. There are at least sixteen different Federal privacy laws on the books. H.R. 10 would make number seventeen. H.R. 10 will lead to the formation of new financial conglomerates. The prototype conglomerate, unfortunately, has already taken shape. Citigroup was pulled together under a combination of legal loopholes and anticipated legislative changes. But once all barriers are removed by H.R. 10, cross-industry mergers will proliferate.

    To provide a competitive alternative in this landscape, many community banks will offer non-traditional products and services. Since most community banks do not have affiliates, they partner with third-party providers to meet these needs. That is why we have urged Congress not to pass any laws that place new restrictions on these partnerships.

    H.R. 10 requires financial institutions to provide notice of the banks' information-sharing practices and an opportunity for customers to opt-out on disclosing non-public personal information to third parties. But the bill does not apply the same requirements for institutions that share information with affiliates. The special carve-out for banks with affiliates will reduce the ability of smaller banks to offer a full array of products and services. This is inequitable, competitively harmful and imposes a heavy new regulatory burden on community banks.
 Page 53       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    The fact is that community banks are doing a good job of self-regulating, yet they are being singled out for more regulation under H.R. 10. The problems that have been encountered have been in large banks, yet large banks escape new regulatory requirements under H.R. 10. The logic of this escapes me. My written testimony goes into considerable detail on the use of third-party outsourcers who provide service to banks, as well as other normal and routine third-party arrangements critical to conducting the day-to-day business. In the interest of time, I will not repeat them here.

    It is true that H.R. 10 contains a number of general exceptions to the third-party opt-out requirement, and this exception should cover many of the third-party activities described in my testimony. However, with the varieties of legislative drafting, inevitable legal challenges and subsequent regulation and interpretation, only time will tell if that is the case.

    Madam Chairwoman, we urge you to ensure that there is parity, whatever privacy policy is adopted. H.R. 10 fails in this important test. Congress should reject any privacy proposal that imposes new burdens on community banks while carving out an exemption for larger banks. Congress also should examine and evaluate the effectiveness of the privacy principles adopted by the banking industry in 1997. And we would recommend holding medical information to a very careful standard of protection and prohibit pretext calling.

    Madam Chairwoman, we appreciate this opportunity to appear before you today.

 Page 54       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Chairwoman ROUKEMA. Thank you.

    Mr. Davis.


    Mr. DAVIS. Thank you, Chairwoman Roukema, and Members of the subcommittee. My name is Robert R. Davis. I am Director of Government Relations at America's Community Bankers. ACB appreciates this opportunity to testify before the subcommittee today on protecting personal financial information privacy.

    All of us are well aware of the growing public concern about information-sharing practices both in the financial services industry and in other sectors of our Nation's economy. The news is full of stories about people receiving telemarketing calls during dinner or bundles of direct mail solicitations in their mailboxes without knowledge of how they got on the list.

    While there are legitimate and even essential reasons for businesses to share information, such practices should be subject to reasonable requirements. Those requirements should be developed in large part through self-examination by businesses of their own activities.

    In addition, Government should have a role in ensuring that basic standards to protect personal financial information privacy are established and implemented by financial institutions. Financial institutions, particularly our community banks, depend on the trust and confidence of their customers. While most businesses are serious about doing what it takes to maintain good customer relations, it only takes one highly publicized, isolated incident to upset the apple cart.
 Page 55       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    To complement the ongoing efforts of financial institutions to review their information-sharing practices, ACB urges the 106th Congress to enact legislation which affirms its commitment to consumers that their basic privacy will be protected. We are pleased that the approach taken in H.R. 10 generally tracks ACB's official policy position on this issue. This policy position was based on the results of a comprehensive survey of practices at select member institutions, as well as the enlightened self-interest of our members.

    Our policy position supports legislation that is balanced to ensure consumers that their personal information will be protected while not unduly interfering with the routine legitimate practices of financial institutions. We support legislation that, at a minimum, requires every financial institution to establish its own privacy policy and to share that policy with its customers, that prohibits the sharing of health and medical information without the consent of the customer, and bans abusive pretext calling practices. We are pleased to see that these provisions are included in H.R. 10.

    We also appreciate the fact that the House responded to concerns raised by ACB members, and carved out critical exceptions to the bill's opt-out requirement for information-sharing with third parties. In particular, ACB requested that financial privacy legislation not unfairly discriminate against community banks that use third-party relationships for the same legitimate purposes for which some larger banks might use affiliates. Some of those activities engaged in by ACB members include the use of outsourcers providing services to banks, joint marketing arrangements with third parties for products sold under the bank's name, mortgage activities, including sales of mortgages in secondary markets, activities involving common employees, and joint ventures and cobranding activities.
 Page 56       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    An opt-out requirement on these activities could preclude many community banks from continuing to use these critical arrangements and foreclose the opportunity for other community banks to utilize them in the future. While we do not oppose the bill's opt-out provisions, we do suggest a preferred approach to reach the same goal. Instead of establishing a blanket opt-out requirement for information-sharing with third parties and exceptions to this requirement, as H.R. 10 currently does, we believe Congress should determine which activities and practices or relationships justify a required opportunity for a consumer to opt-out, and apply that requirement only to those activities. This more direct approach would still give customers the right to say no to certain information-sharing activities, and of course, there would be a full disclosure of privacy policies under the law. ACB urges Congress to consider this alternative, a targeted approach of the opt-out requirement, as well as other suggested modifications to the bill which are outlined in our written testimony.

    While enactment of H.R. 10 would mark the biggest step ever taken by Congress to protect personal financial information privacy, and while this is a major step, there are still those that believe that the bill's privacy provisions could be more stringent. Given the experience of our member institutions with information-sharing practices, ACB does not believe that such proposals warrant legislative action at this time.

    Finally, we should recognize that while financial information privacy has been a hot-button issue with the general public, the financial services industry represents just one segment of our Nation's economy. The information-sharing practices of financial institutions should be examined by Congress, as these hearings do, but other industries must be required to participate in the effort to reassure the public that their personal information will be protected.
 Page 57       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Again, Madam Chairwoman, thank you for holding these very important hearings and for giving us an opportunity to testify. We at ACB look forward to working with you, the Congress, Federal regulators, and our customers as well, to ensure that the financial privacy of our customers is maintained.

    Chairwoman ROUKEMA. Thank you.

    Mr. Kloiber.


    Mr. KLOIBER. Thank you, Madam Chairwoman. As Congressman Lucas said in his generous introduction, I am the CEO of Tinker Federal Credit Union. I am pleased to provide testimony today on the credit union perspective regarding financial privacy.

    From a legislative standpoint, this issue has developed with extraordinary speed, given the complexity of the technological and operational aspects and the relative scarcity of specific knowledge about the impact of any changes in the law involving privacy.

    I testify today on behalf of two credit union trade associations, the Credit Union National Association, known as CUNA, and the National Association of Federal Credit Unions, known as NAFCU. Tinker Federal Credit Union is pleased to be a member of both associations. My oral testimony will highlight key points of agreement shared by both associations. More detailed written statements have been submitted for inclusion in the hearing record.
 Page 58       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    As member-owned financial cooperatives, credit unions value the unique relationship we have with our members and respect our members' right to financial privacy. This relationship stems from a long-held credit union core belief that credit unions are not for profit, not for charity, but for service. Serving our membership drives everything a credit union does, including all decisions regarding a member's personal financial privacy.

    Credit unions place a high value on protecting our member's financial records, while at the same time delivering cost-effective financial services. Member service involves more than respect of a member's financial privacy; it also involves providing the widest range of financial options at the best possible price, something that cannot be effective unless a member is apprised of all of his or her choices in the marketplace. In fact, financial products that would be right for some members may not even be offered to some, often because their credit union is small and has limited resources necessary to support a full range of products.

    Given that 61 percent of all credit unions have assets less than $10 million, many credit unions work with outside companies to promote their financial products and services. Many credit unions rely heavily on the services of credit union service organizations, known as CUSOs, because of their limited ability to perform services in-house. CUSOs perform such tasks as credit card and debit card services, check cashing, wire transfer, loan processing and accounting services. Even a credit union the size of Tinker Federal Credit Union, with over $900 million in assets and 160,000 members, must rely on our wholly owned CUSO or outside companies to provide many of the services members request. Each outside company is required to post a non-disclosure statement, protecting the shared information, and in most cases only public information is provided.
 Page 59       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    But some services require the sharing of additional information to effect delivery. During last month's House action on H.R. 10, privacy emerged as a pivotal issue. In fact, the inclusion of financial privacy provisions now necessitates that credit unions become involved in debate on H.R. 10.

    Since credit unions will be subject to the privacy requirements recently incorporated in the bill, CUNA and NAFCU have three basic questions about how the new requirements will practically affect operations. First, will credit unions and other smaller institutions that will not operate as financial conglomerates be subject to a heavier disclosure burden than those financial institutions with affiliates, as currently defined by H.R. 10?

    Second, will institutions that share information with third parties be subject to greater disclosure and opt-out requirements?

    Third, is the definition of ''affiliate'' included in H.R. 10 intended to include credit union service organizations?

    Prompted by recent congressional activity, both NAFCU and CUNA are attempting to gain a clear understanding of credit union privacy practices and are in the process of developing formal principles and policies on the issue. Both organizations will be pleased to share their views with this subcommittee as their policy formulation process moves forward.

    I would like to commend you, Madam Chairwoman, as well as Mr. Vento for recognizing the potential problems presented for credit unions by the opt-out provision in H.R. 10. Your work to improve the privacy section by creating reasonable exemptions for third-party information-sharing improves the legislation significantly.
 Page 60       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Despite the improvement, there are several changes that we believe will be necessary. These changes are outlined in both CUNA and NAFCU's written testimony. I sincerely hope that the conferees will keep these suggestions in mind as the bill continues through the legislative process.

    Credit unions want to play a constructive role as Congress and regulatory bodies assess this largely unexplored universe that is financial privacy. Technology has outpaced the law, and we understand that adjustments should be made. We hope that those changes are made with care and caution, so that the very consumers you are trying to protect are not disadvantaged and deterred from participating in the marketplace that lies ahead.

    I appreciate this opportunity to appear before this subcommittee and will be happy to answer any questions.

    Chairwoman ROUKEMA. Mr. Barton.


    Mr. BARTON. It is a real pleasure to be here. The rest of the witnesses are very used to this subcommittee, but this is a very new experience for me, appearing for the Direct Marketing Association, and it is a real pleasure.

 Page 61       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    For those of you who don't know, the Direct Marketing Association is a national and international trade association of 4,800 companies, in the United States primarily, but also in 54 other countries, that deal in all types of direct marketing. More than $1.3 trillion of goods and services were sold through direct marketing in 1998 in the United States, to give you some idea of the magnitude of this type of selling.

    Information is essential to the direct marketing process. The information comes from any number of sources, including specific information about individuals, and general demographic information such as from the census. Regardless of where the information comes from, the only and single purpose of information access and use in the marketing process is to provide consumers and businesses with product and service offers that are relevant to its needs.

    This being said, the DMA has long had a concern in privacy issues. As long as thirty years ago, we created, because of privacy concerns at that time, our Mail Preference Service, which now has more than 3.3 million names on it. This is a national list of people who want to get off of mailing lists and do not want to receive mailings.

    Around fifteen years ago, we began the Telephone Preference Service, which has almost three million names on it, and it is growing all the time; and we are now preparing our E-mail Preference Service for the same purpose, because we believe that it is not sensible to market to people who don't want to receive our material.

    Brand-new in the association, begun on July 1, although we began to develop it more than a year ago, is our Fair Information Practices Manual—a new program of mandatory protection of the privacy of our consumers. Our companies now must publish their own information policies notice and give individuals a right to opt-out of its use for marketing purposes. They are required to maintain what we call in-house suppress files so that when anyone requests that their name be taken off their list that they not be contacted again and their names and information about them not be traded. They are also required to use the Direct Marketing Association Mail Preference, Telephone Preference and E-mail Preference Service files, when it is formed.
 Page 62       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    So you can see, we are strongly committed to the concept of notice and opt-out, and we will remove a company publicly from our association if they do not fulfill these principles.

    We also maintain, just for your information, our Guide to Ethical Business Practices, which outlines our concepts of information privacy as well as other ethical business practices; and our ethics committee hears cases and complaints on a variety of issues, including privacy. When we cannot resolve an issue with a company and we believe that they are violating this policy, we will publish their names, and we will remove them from the association.

    So we believe in the notice and opt-out principles that are in H.R. 10. However, we are committed to a self-regulatory regime. We believe that self-regulation can handle the situation and problems.

    We do have a problem with H.R. 10 where it provides an absolute ban on financial institutions and the sharing of account numbers, credit card numbers, and other similar information with telemarketers and direct marketers. In marketing cases any such information that is transmitted is transmitted in an encrypted form, cannot be read by the telemarketers or direct marketers putting together the information, and has important uses. It can provide a direct way to identify customers and verify purchases, reducing fraud possibilities. It can allow for the collection of accurate and verifiable data for customer service purposes. It is an important tool in improving the accuracy of mailing and telephone lists, and it can help a customer charge a purchase to an account without revealing the number to the direct marketer, adding an important element of security in the sale of any item.
 Page 63       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    We believe that properly encrypted data can actually enhance the security of a transaction, protect consumer privacy, and improve the accuracy of the direct marketing process; and that the provision, as it is written now in H.R. 10, would do little to protect privacy and could undermine consumer choice and hurt an important segment of the economy.

    We think that provision certainly is fixable, but we think that it needs to be looked at carefully.

    We certainly thank you again for the opportunity to testify and certainly will be happy to work with the subcommittee on any privacy legislation. Thank you.

    Chairwoman ROUKEMA. I thank you very much.

    Mr. Connelly, please.


    Mr. CONNELLY. Thank you, Madam Chairwoman and Members of the subcommittee. My name is Barry Connelly, and I am President of Associated Credit Bureaus, headquartered here in Washington, DC. ACB, as we are commonly known, is the international trade association representing over 1,000 consumer credit and mortgage reporting, as well as employment and resident-tenant screening agencies, throughout the United States and around the world. Also 400 of our members are in the collection service business.
 Page 64       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    We certainly commend you for choosing to hold this oversight hearing on financial privacy. Our country has a strategic global advantage resulting from the legitimate and balanced use of information. As an example, the Tower Group, a Boston-based consulting firm, says that the consumer reporting industry's information products are the infrastructure upon which our country has built a mortgage-backed securitization process that results in a net savings of 2 percent off the cost of a mortgage for the average consumer.

    Economic advantages, consumer benefits and consumer rights are all elements of a balanced equation. It is the art of maintaining this delicately balanced equation which remains crucial to your thinking as our Nation's lawmakers.

    Consumer reporting agencies are essentially libraries, libraries of information on individual consumer payment patterns associated with various types of credit obligations. The data compiled by these agencies is used by creditors and others permitted under the strict prescription of the Fair Credit Reporting Act to review the consumer's file.

    Consumer credit histories are derived from, among other sources, the voluntary provision of information about consumer payments on various types of credit accounts or other debts from thousands of data furnishers, such as credit grantors, student loan guarantors, child support enforcement agencies, as well as collection agencies. A consumer's file may also include certain public record items such as a bankrupt filing, a judgment or a lien.

    For purposes of accuracy and proper identification, our members generally maintain information such as a consumer's full name, current and previous addresses, Social Security number, and place of employment. This data is loaded into the system on a regular basis to ensure the completeness and accuracy of data on each consumer.
 Page 65       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    It is interesting to note the vast majority of data in our members' systems simply confirm what most of you would expect; that consumers pay their bills on time and are responsible, good credit risks. This contrasts with the majority of systems maintained in other countries, such as Japan or Italy, which often store only negative information and do not give consumers recognition for the responsible management of their finances.

    In discussions of consumer credit histories, I have also found it helpful to point out some facts about the types of information that our members do not maintain in consumer credit reports. Our members do not know what consumers have purchased, using credit cards, like a refrigerator or clothing, or where they are using their credit cards, such as which stores or restaurants they frequent. They also don't know when consumers have been declined for credit or another benefit based on the use of a credit history. Medical treatment information is not a part of the database, and no bank or brokerage account information is available in a consumer report.

    Let me reiterate that our members don't track data on what consumers purchase or where they shop. We compile data on how consumers pay their bills. The FCRA is an effective privacy statute which protects the consumer by narrowly limiting the appropriate uses of a consumer report. Often we call this a credit report. The limitations are under section 604 of the FCRA, entitled ''Permissible Purposes of Reports.''

    Some of the more common uses of a consumer's file are in the issuance of credit, subsequent account review and the collection process. Reports are also, for example, permitted to be used by child support enforcement agencies when establishing levels of support. A complete list of these permissible purposes can be found in Appendix A of this testimony.
 Page 66       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    A question that we hear with some frequency relates to how data found in a consumer's credit report may be used, other than for credit reporting. Let me first point out that any data defined as a consumer report under the FCRA may not be used for any purpose other than those outlined in section 604.

    However, it is a fact that some of our members do use consumer identification information to develop high-value information-based products, such as fraud prevention and authentication products, risk management systems, locator services, just to name a few. Some of our members use direct marketing lists in order to stay competitive in the marketplace. Note, the data used for direct marketing purposes is not credit history information defined as a consumer report under the FCRA.

    In conclusion, let me urge the subcommittee to consider carefully the strategic importance of information in our country and how it benefits consumers. We have moved beyond an industrial economy, and information use is a critical catalyst for our new service economy growth. Balanced laws, such as the Fair Credit Reporting Act, which was significantly amended in the 104th Congress, is an excellent example of the balance needed.

    We do believe that there are times when innovative solutions can be found that don't require new laws. The creation of responsible self-regulatory systems can create a flexible bridge between the call for consumer protections and the unintended rigidity of new laws.

    Thank you, Madam Chairwoman.

 Page 67       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Chairwoman ROUKEMA. Thank you, Mr. Connelly and the whole panel.

    We have, as I understand it, just one vote, and so we hopefully can all be back here within a fifteen-minute time period or less and get on with our questioning. You have opened a number of interesting avenues for follow-up questions. Thank you very much.


    Chairwoman ROUKEMA. Thank you. I do appreciate your patience, but we do have some business to take care of here on the floor every once in awhile. Voting, I think, is what the Constitution expects us to do.

    But at the same time, we want to get back to this very important subject. There are a number of questions that I have, but given the time, let me give you a general reaction and let any one of you who wants to respond. I would think particularly Mr. Barsness and Mr. Davis would want to respond with more explanation.

    I have listened very carefully here, and if you heard my opening statement, I said something to the effect that I certainly would expect the industry to be precise as to what they mean with respect not only to unintended consequences, but what they mean with respect to: ''exceptions intended to protect current industry practices.''

    Now, I have heard some of your references, but I don't think that it is precise enough to explain to me what you mean. Without precision, it sounds to me like a huge loophole that would justify almost any practice. I don't believe that you mean that, but we have to have a little more detailed explanation of what those practices are. Again, I am not limiting it to Mr. Barsness and Mr. Davis, but I would think that it would most focus on the groups that they are representing.
 Page 68       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    So, again, not only the question of sharing information with affiliates, but also as to what you mean and how you can justify that this broad exception, which is intended to protect current industry practices, is not simply an open loophole that would justify any kind of information-sharing which, in my opinion, would lead to violations of privacy.

    Who would like to be first?

    Mr. Davis.

    Mr. DAVIS. Let me respond first. I understand the nature of your concerns, and let me assure you that we certainly are not looking for a loophole. What instead we believe is the case is that community institutions frequently serve as stewards in their communities to identify important financial services.

    There is a level of trust and personal relationships frequently with community-based institutions that communities rely upon. What we do not want to do is chill the process under which most community institutions frequently serve as a gateway for people in their communities by carefully selecting partners to offer products.

    A smaller institution is not going to operate a mutual fund or underwrite insurance or underwrite annuities or other sorts of services, but it will frequently scour the financial landscape and find those companies that are the best partners to offer quality products that it wants its members—its customers——

 Page 69       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Chairwoman ROUKEMA. For example?

    Mr. DAVIS. A small institution is not going to underwrite annuities, but it may offer them. It is not going to develop and operate mutual funds, but it may want those investment opportunities available. A small institution is not going to operate a brokerage service, but it may want to help identify to those customers joint venture products with a larger company that it wants to, in essence, endorse by marketing those products through the offices of the bank. So in those cases, community-based institutions are helping to identify, after a lot of due diligence, the sorts of quality services that should be brought to a community as that institution seeks to broaden its provision.

    That is the sort of thing that we don't want to see impeded. In those sorts of circumstances, the institution is more closely identified and more potentially damaged by inappropriate use of information than any other type of financial institution.

    For one thing, the community institution is right there in the community, and the Chamber of Commerce meeting and church on Sunday and everything else. Whoever is running that institution is going to see the people affected in the community, and I can assure you that none of these community banks are making calls to their neighbors during dinner to market products, but they are partnering in-agency relationships with some of the best service providers to broaden their offering of services and products in their community, and that is the type of thing that we don't want to inadvertently chill.

    Chairwoman ROUKEMA. Thank you.

 Page 70       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. Barsness.

    Mr. BARSNESS. Madam Chairwoman, trust is the thing that is critical to our community banks, and we certainly do not want to support any kind of loopholes in this process. We scrutinize the entities that we deal with and develop contractual relationships, such as with an insurance company, to provide an insurance policy. We ensure that they protect that information and they can only use it to the extent that we want that product available to our customer.

    As I said before, if the public does not have trust in a community bank, that is all we have is with our relationships with our customers, so we guard that extensively. We have continual meetings with our employees and talk about it on a regular basis. We ensure that our information does not get out to the general public because, if we don't, we are going to lose business, and we cannot afford to do that. That is our value in our community, that relationship that we develop over the years. So that relationship is so critical to us that we deal with that on a constant basis. Privacy, to us, has been a watchword as long as I have been in the business, long before it was even discussed in Congress.

    Chairwoman ROUKEMA. Is there anyone else that wants to comment on this?

    Well, I would have a follow-up, but I don't have the time. I will submit it to you and see what your reactions are in writing as to how you select those partnerships. What basis, what objective standards do you use to select—and I would like that in writing—and who would judge or what standard would judge whether or not the industry practices are not anticompetitive or conflicting in terms of consumer privacy?
 Page 71       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    We will present that to you in a defined way and for anyone on the panel, but particularly for Mr. Davis and Mr. Barsness, as a follow-up.

    My colleague, Mr. Vento.

    Mr. VENTO. Mr. Barsness, you comment on some of the concerns or disadvantages. One is that you did not think that there is a $1,000 policy that is extended to some consumers or some individual members of banks that have consumers or customers in the organization.

    What would stop you from extending that particular benefit? Would that not be a point in terms of asking for the information for that purpose?

    Mr. BARSNESS. You are going to have to explain yourself.

    Mr. VENTO. You suggested that there is a $1,000 life insurance policy that you extend in your testimony?

    Mr. BARSNESS. Yes. We offer an accidental death policy to all of our deposit customers, free of charge, no cost to them to do that.

    Mr. VENTO. What is the problem?

    Mr. BARSNESS. Well, they have to select that and opt to take that, but to do that we have to share that information with the insurance company that provides that; and that information, as I read the statute, as it would be in H.R. 10——
 Page 72       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. VENTO. Wouldn't they cooperate in terms of doing that specifically if you have to have the information? You are talking about the fact that it is an inconvenience?

    Mr. BARSNESS. Cost-wise, I am not sure how we would determine who gets the opportunity to opt-out and how many times you send it. It is a low-cost item, but it develops a relationship, so it is a matter of how much additional cost will there be to ensure that our system will keep track of all of that? Our systems are not as sophisticated as they might be, and I am not sure that we can keep track of all of that on that basis. That would be the concern.

    Mr. VENTO. Do you think that some marketing will take place by some smaller financial institutions or security firms that in fact—in terms of safeguarding information and privacy?

    Mr. BARSNESS. Marketing the privacy issue, you mean?

    Mr. VENTO. Uh-huh.

    Mr. BARSNESS. We do that now publicly and through our media with our customers, that we are concerned about their privacy and we want them to understand. That is a marketing tool, that we do protect their privacy.

    Mr. VENTO. The point is if you have a relationship with a larger institution, a megabank or financial entity, there is a tendency that they may be more open. You approach the question of whether I am going to have confidence in Robert Barsness' bank, an institution, it might be a different question in terms of sharing or opting out of information, as opposed to whether I am involved with Citibank and Travelers?
 Page 73       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BARSNESS. I think there would be a difference. I think people perceive us as protecting that privacy. We think that we have done that very well and will continue to do it.

    Mr. VENTO. That may permit you to make some decisions with regard to third-party marketing that would not be the same level of confidence that one might have with Citibank?

    Mr. BARSNESS. That is certainly possible.

    Mr. VENTO. You hope that is true?

    Chairwoman ROUKEMA. Don't put words in his mouth.

    Mr. VENTO. I am leading the witness. I didn't mean to do that.

    I think there is a qualitative difference, and I think it ought to be recognized for what it is.

    Do credit unions, Mr. Kloiber, do they pay CUSO for the services?

    Mr. KLOIBER. No. The credit unions actually have an investment and own the CUSO itself. They try to offer complementary services through the CUSO that they cannot directly do, or to complement their direct products and services to meet the member's needs.
 Page 74       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. VENTO. Do they serve any other entities besides credit unions with the information that is provided by credit unions?

    Mr. KLOIBER. No, they do not share any of the information. The credit union controls the flow of information into the CUSO.

    Mr. VENTO. I think there is a perception that they are covered by the exceptions for transactions and operations in the bill.

    Mr. KLOIBER. The major concern is that they don't fit the definition directly. And, in fact, in many cases they are in an investment on the part of the credit union, and there could be more than one credit union.

    Mr. VENTO. I understand that.

    Mr. KLOIBER. We have shared branching where we have—say, in the State of Oklahoma we have seventeen credit unions that own a shared branch network, and that is a CUSO. So there is concern that we want to be sure that the term ''affiliate'' covers CUSOs, because we do. A shared branch——

    Mr. VENTO. No, I don't think that it covers it under that basis. I don't think that is accurate. But under the transactional data, it may be exempted.

    Mr. Barton, all direct marketers are not members of the Direct Marketing Association. What is the percentage of membership, do you know?
 Page 75       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BARTON. No, I don't know out of the total universe of direct marketing. We estimate that about 90 percent or more of national direct marketing is done by companies who are members of ours.

    Mr. VENTO. We appreciate your efforts, but I think it does give rise to questions about self-regulation, what the baseline requirements have to be, especially since one-in-ten are not members.

    We will submit more questions in writing.

    Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you, Mr. Vento.

    Again, we are going to try to question in the order of people's arrival, and I think that would mean that Mr. Gonzalez is next.

    Mr. GONZALEZ. Thank you very much, Madam Chairwoman.

    First, I have an observation and—maybe for later, and I am going to follow up on what was previously stated.

    I would appreciate concrete examples of those activities which you believe benefit consumers, that you are presently able to do, that you believe will be jeopardized by any opt-out scheme. These are things that we take back to our communities; we talk about at the town hall meeting. So we can say, ''Do you realize, when you talk about privacy that which is being offered by Broadway Bank may not be offered to you?''
 Page 76       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    You are out there. You know exactly what is in jeopardy.

    The other question is very limited. Credit unions, the situation that you pose under the current language, are in conference, I think; maybe they will work over the definition of what is ''processing'' and, as Mr. Vento said, it is ''transactional'' in nature as opposed to ''marketing.'' if they address it adequately, will it take care of some of the fears that you have because you have to outsource? You don't have all of the resources available that maybe a bigger financial institution would have with affiliates and so on.

    Do you believe that is that a way of addressing it?

    Mr. KLOIBER. I would agree. Since most of the credit unions are small, they do have to rely on outside companies to provide a lot of products and services, and they end up sharing what is mostly public information, which could become even greater, depending on the product. A lot of times members have to request to come back to participate in that product or service, but we have to address that service so that smaller credit unions, they would be impeded from delivering some of these products and services if it was too restricted in the legislation.

    Mr. GONZALEZ. Thank you very much.

    I yield back the balance of my time.

    Chairwoman ROUKEMA. Mr. Barsness would like to respond.
 Page 77       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BARSNESS. Our insurance program provides accidental death insurance for our customers at no cost to them and there is an encrypted account number for identification purposes. The way that I read the statute, we would have to cancel that program, and that will be coming out very shortly; unless I hear otherwise, we will cancel that program and not be able to provide that. In my judgment, to be sure that I don't have to worry about it, I am just going to cancel the program so I don't have to worry about dealing with regulatory issues.

    It is a benefit. We recently had a ten-year-old boy that was insured under the policy pay benefits. We had a couple last year; both of them were killed in an auto accident. Those are free policies that they get. But under the current statute as it proceeds under H.R. 10, I would cancel that program.

    Mr. GONZALEZ. I appreciate that. I yield back the balance of my time.

    Chairwoman ROUKEMA. I am not quite sure about your position there, but we will go over that. I don't know if that is precise as to the implications, but I will have legal counsel maybe come back to you with any questions we might have. You may be absolutely right, I am not sure.

    Mr. Inslee.

    Mr. INSLEE. Thank you, Madam Chairwoman.

 Page 78       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. Barsness and Mr. Davis, I have talked to some smaller community banks since all of this has come to the surface, particularly about what some of the larger banks have been doing with information, and their perception is that some large banks in the Minnesota case have actually sold lists of depositors with, actually, their credit card numbers to telemarketers or direct marketers; and they have expressed to me quite a bit of anger at the larger banks for doing that, because they viewed it as giving a black eye, if you will, to the whole industry. And they perceive that has mostly gone on with the larger banks.

    Is that anger justified in that regard? The community bankers who express this sentiment to me——

    Mr. BARSNESS. I deal with community banks specifically, and my contacts and my knowledge would suggest that—although I can't tell you categorically that no community bank has done that, I can tell you, as a matter of practice, community banks don't do that. I certainly do not sell my customers' names for telemarketing, and I don't know anyone who does.

    I am not going to suggest that all big banks do that. Those that do are known and have to suffer the consequences on that basis.

    From my perspective, the community banks do not do that, and I am offended by that also. People came to us during that timeframe in Minnesota and said, ''What do you do?'' I said, ''Not today and not ever.'' That is our position, and all others will have to justify their own actions.

 Page 79       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. DAVIS. The U.S. Trust v. Minnesota situation was troubling to a lot of banks. In my oral statement, I noted that one problem like that can upset the apple cart, because it has an effect on public confidence, and it unfortunately affects all banks.

    H.R. 10 specifically addresses that situation, and we think that a lot of progress was made in the debate on H.R. 10. We were generally supportive of the provision, even though we would like to do some fine-tuning.

    The thing that we want to guard against is that while we are trying to protect against that type of activity and empower the regulators to step in, and so forth, that we don't impede by opposing an extra cost on a third-party relationship which a smaller bank established with significant due diligence, such as the insurance program that was just mentioned. It might be a program which actually generates fee income, but the additional regulatory burden of keeping up makes the institution decide not to operate it.

    So where it is something that is carried out under the scrutiny of the regulators, I can guarantee that the bank regulators look very closely at all of our activities in uninsured products, and it is going to get a lot of scrutiny, and there is a lot of due diligence, that we don't add a regulatory burden in that type of relationship.

    Distinguishing can be difficult, but our interest has been to look at the mainstream of these relationships where smaller banks actually operate in—they provide stewardship and a gateway in identifying other companies that have good products, and other areas, we think, are problematic.

 Page 80       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. INSLEE. I appreciate your answer, but let me sneak in another question.

    Mr. Barsness, you said if H.R. 10 prohibits small banks from providing some of these services and marketing, in essence, with third parties, but larger banks who will have affiliated structures are allowed to essentially do the same kind of operations, but simply through affiliates, that that would be a competitive disadvantage essentially for the smaller banks.

    I tend to agree with you, and I would like you to expound on that, and I would like you to tell me, do you believe there is any reason why, if this prohibition is put on sharing with third parties, it thereby affects community banks, that we could not also create a similar prohibition that deals with that specific type of conduct which involves sharing with affiliates?

    Is there any reason that we could not do for larger banks and their affiliates what has an impact on smaller banks with third parties?

    Mr. BARSNESS. Well, I am not here to push for additional regulation for any privacy activity, because I think it is best done on a voluntary basis, because of privacy principles and the like; and because of our relationship with our customers, we adhere to that and that is not a problem for us. But whatever Congress decides, they need to decide and act now.

    I would certainly hope that Congress would act so that all entities are treated in an equitable manner; and currently the way that it is written is not equitable to community banks.
 Page 81       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. INSLEE. Thank you.

    Chairwoman ROUKEMA. Thank you.

    Mr. Bentsen.

    Mr. BENTSEN. Mr. Barsness, in your capacity on the banking side, what sort—and I realize that you are representing ICBA today, and not ABA. But are there transactional—is there sharing among affiliates and/or subsidiaries that are transactional in nature and not marketing in nature? Could you give us a couple of examples?

    Mr. BARSNESS. It would be difficult for me to answer. We do not have affiliates, probably never will. I am not sure what areas that would lead to.

    Obviously, from our perspective, our relationships are invariably with third parties, so the issue of affiliates will never come to the forefront. The problem is, as this legislation evolves and comes to pass, obviously the world is going to change and we are going to have to make more arrangements. We are going to have to do more things for our customers. That is what H.R. 10 allows to have happen with the merging of securities and insurance and the like.

    So we are going to have to provide these services for our customers to do competitive—it will not be through affiliates, it will be through third-party arrangements. It is the nature of the beast.
 Page 82       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BENTSEN. Current law provides for smaller banks to enter into joint agreements with other providers, insurance agents or brokerages, where you share space. There is some profit-sharing arrangement. Now staff advises me that they think that is dealt with in the language in H.R. 10. That is not treated as a third party, if there is that sort of arrangement. Is that your understanding as well?

    Mr. BARSNESS. I would hope so, but based on this evolution of products and services that are going to come out by these conglomerates, I am not sure. You have made an effort to do that, but our concern is, as the world changes and these financial products and services change, I very likely will be put in a position that I can't do things that others can because of the affiliate relationship.

    I like to think that all of that has been covered, but somehow regulation and litigation and all of those things come into play and I am really not sure that it will and I am concerned about that for our membership. There needs to be a law for those products and services. We need to be competitive and provide those things for our customers.

    Mr. BENTSEN. The gentleman from the credit union brought this up: You have third-party service agreements for non-transactional issues for marketing purposes. Is it then ICBA's position and CUNA's position, and others', that there should be a further exemption for third-party service activities for marketing or that opt-out should be extended to affiliates for those that are big enough to have affiliates?

    Mr. DAVIS. Let me try responding to that.
 Page 83       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I agree with your staff observation that there is pretty broad exemption provided now where there are common or joint employees. Also, under H.R. 10 as it is written, in a variety of third-party relationships, that would also include marketing of products. If I am a bank and I have a relationship with an insurance company to market their annuities, or it can go the other way, that sort of arrangement of co-branding or joint marketing or operating through dual employees is covered in the list of exemptions. So we think a good job was done in trying to carve out.

    One of the points that we made in our testimony was that perhaps it would be better—rather than saying there is opt-out for all third-party relationships, but then adding most activities in which most banks currently engage covered by an exemption, it may be better to go directly to the types of U.S. Trust v. Minnesota sorts of cases and say, no, these are the ones that explicitly require opt-out.

    Mr. BENTSEN. With the Chair's indulgence, may I ask a question?

    Chairwoman ROUKEMA. It depends on how long the response will be.

    Mr. BENTSEN. In your opinion, even with the opt-out and the way that the language is written and the sharing of information with affiliates or a third party in the joint arrangement, does the bank or the thrift still retain liability for the misuse of personal information for fraudulent use of personal information?

 Page 84       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. DAVIS. Well, with respect to the activities of the third party, it is my understanding—and I will be happy to clarify this for the record, but it is my understanding that obviously the third parties will be contractually bound to abide by the bank's privacy policy, but the bank would not be directly liable for breaches of contract by the third party.

    Mr. BENTSEN. Thank you.

    Chairwoman ROUKEMA. I think we may need further clarification. Feel free to submit for the record, any one of the panelists, a response to that. It is an important question and we want to be precise. If there is lack of clarity we have got to look at it with respect to H.R. 10. Thank you very much.

    I thank the panel, and as you can see, we do have some open questions and again, for clarification, we will look forward to your written responses. Thank you.

    The third panel, please.

    Each of our three panelists is now seated, and to balance out and complete the picture, the pros and cons of this issue, we have this consumer panel, and in order of their appearance, I acknowledge and welcome Mr. Edmund Mierzwinski, who is Consumer Program Director for U.S. Public Interest Research Group. Mr. Mierzwinski has been a member of the Federal Reserve Board of Consumer Advocacy group, and has considerable experience there.

    You raised your eyebrows. Is that not correct?
 Page 85       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. MIERZWINSKI. I am sorry, I thought you were going to say I had been a member of the Federal Reserve.

    Chairwoman ROUKEMA. Oh, no. I know the difference there.

    Mr. MIERZWINSKI. I know you do.

    Chairwoman ROUKEMA. But what would the Federal Reserve Board do without your guidance?

    Our second witness is Mr. Marc Rotenberg. Mr. Rotenberg is Director, Electronic Privacy Information Center and is Adjunct Professor of Law at Georgetown University Law Center.

    And the third and final witness is Mr. Jack Brice. Mr. Brice is representing the American Association of Retired Persons—as we all know them, AARP. He has been a member of the Board of Directors since 1998, and has many years of military experience to recommend him to us today, and now he has his own consulting business.

    Mr. Brice, we also welcome you.

    Without further ado, we are trying to limit ourselves to five minutes. Please be respectful of the time limits.

 Page 86       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. Mierzwinski.


    Mr. MIERZWINSKI. Thank you, Madam Chairwoman, Mr. Vento and Members of the subcommittee. My testimony today is on behalf of the U.S. Public Interest Research Group, Consumers Union and Consumer Federation of America. Our views are quite simple on this matter.

    First, we believe that the Congress should act in response to the growing concern from the public that their privacy is not being protected and will not be protected by ever-larger corporate entities. As Mr. Brice will point out, several AARP surveys of both their own members and of the general public have shown very strong support for consumer privacy. Customer outcry over the driver's license photo sales by several States, consumer outcry over the know-your-customer regulations are just some of the other examples that lead us to believe that the public is well ahead of the industry in calling for changes to the laws to protect our customer information.

    What consumer groups believe should be done is that the financial sector should be subject to privacy laws that provide us with an opt-in for the sharing of our personal information with any inside affiliate or outside company and additional consumer protections to guarantee that that opt-in is protected. We believe that H.R. 10, as passed in the House, fails to provide that protection. It provides a limited opt-out for some third party purposes, allows a number of third-party uses without the opt-out and allows affiliate-sharing to continue without any privacy protection at all. Our message on what is provided for affiliate-sharing is very simple. Disclosure is not privacy protection.
 Page 87       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Instead, however, of enacting what is in H.R. 10 and in lieu of enacting the opt-in provision, which is our preferred provision, we would have at least hoped that the Congress would have enacted the compromise Markey-Barton opt-out provision.

    I want to point out, by the way, that that provision was partially based on the Inslee provision from this subcommittee that you yourself supported, Madam Chairwoman. The opt-out across the board for affiliate-sharing and for third-party uses would have made a great deal of sense and would have solved a lot of problems that H.R. 10's provision will not solve.

    It is particularly important to recognize that privacy problems are caused not only by third parties, but also by inside affiliate-sharing, and we think that the NationsBank case of 1998, where they settled a $7 million SEC complaint for sharing CD holder information, confidential customer information, very similar to the information shared by U.S. Bancorp with Memberworks, where they shared that information with a securities subsidiary that then put the people into risky hedge funds, is indicative of the problem and suggests that affiliates are doing the same thing third parties are doing. We should have the same protections across the board.

    I want to point out, and this is not in response to anything any member has suggested to me, but in response to what I hear industry saying in the newspapers, the consumer group position is not against information-sharing; it is for giving customers control over their information. We do not believe that our provision, the preferred Markey-Barton provision, would stop H.R. 10, would condemn banks to living without the benefits of financial modernization. We find that to be absurd.

 Page 88       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    I want to make two other brief points. First, the idea that we have operated successfully on a sector-by-sector approach, and we believe that is obsolete as sectors are converging. We believe that voluntary self-regulation just will not work. We believe that financial information should at least be subject to the same level of protection as video store rental records, and it is not in this situation.

    The last point I want to make is that when Comptroller Hawke spoke on the U.S. Bank situation he actually spoke on two issues, and the other issue in his speech I want to urge the subcommittee to take a close look at, he strongly pointed out that consumers are no longer getting the benefits of the Fair Credit Reporting Act, which governs the use of information for credit decisions, and affiliate-sharing is only going to make things worse.

    What Comptroller Hawke talked about was the increasing number of financial institutions that are no longer sharing their customer records with credit bureaus. So if I apply for a loan, my credit report will not be complete, because my bank may have chosen to keep my information for proprietary reasons. If banks, under H.R. 10, get bigger and bigger and no longer need to use credit bureaus, then consumers will not have the protection of the Fair Credit Reporting Act, and they will only have the limited protections provided under affiliate-sharing; and not only will privacy protections be denied, but I think it will have a very significant effect on both competition and the marketplace.

    Thank you very much.

    Chairwoman ROUKEMA. Thank you.

 Page 89       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. Rotenberg.


    Mr. ROTENBERG. Thank you very much, Madam Chairwoman, and Members of the subcommittee. I appreciate the opportunity to be with you today. I have submitted for the record a lengthy statement that tries to answer all ten questions. I was asked to go into some detail about specific changes that could be made to Title V and H.R. 10, as well as Section 351, which is the medical record provision, as well as describing some of the larger concerns relating to the international privacy protection and the EU data directive.

    I would like to make a few general comments on this particular issue and start with the point that was made just a few minutes ago by Congressman Inslee on the nature of the disclosure of personal information in the financial sector context. At the Electronic Privacy Information Center we have become aware that there are two types of information that raise the greatest level of public concern. The first is medical and the second is financial.

    It is clear that in both of these settings, when individuals give up information for a particular purpose, they consider the information to be related to that purpose. If, for example, I fill out a loan application and indicate my period of employment, what I have been paid, account holdings and so forth, I don't expect that information to be used in another context for another purpose. My willingness to provide information to receive a particular financial product or service is based in large part on the trust that I have in that relationship with the financial institution; and our privacy laws, by and large, reflect an intent to allow individuals to exercise control over their personal information so that the data will be used for the purpose that it is provided for.
 Page 90       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Now, the problem with affiliate-sharing is that viewed from the consumer's perspective, the corporate relationship between the entity that now is in possession of the personal information really does not bear on the question of whether that should allow for uses in unrelated settings. The central question for privacy protection is still, does the individual have the ability to control the use of the information in that particular context?

    And so it is for this reason that I very much agree with the experts on the first panel, and also Mr. Mierzwinski and the consumer groups, that to realize privacy protection in the financial services sector, you have to give individuals the ability to control the use for unrelated purposes; and that means, specifically, in the context of affiliate-sharing, there has to be a strong notice and opt-out provision. Even with a notice and opt-out provision, I don't think that provides adequate privacy protection, because one of the other critical areas where the present privacy provisions come up short, as measured against other privacy bills, is they do not give individuals the ability to get access to their own personal information that is held by the financial institution.

    Now, you understand well the significant role that this plays in mortgage determinations with the Fair Credit Reporting Act, where a person's ability to see the information contained in the credit report that will bear on the likelihood of the loan and the closure and purchase of a house is absolutely critical to a person's ability to operate effectively in the marketplace.

    Similar rights should be extended to other financial services, particularly as the amount of detailed information about individual consumers increases.
 Page 91       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    And this, then, is my final point. As we enter the 21st Century, I think it is important to keep in mind that the amount of data collected on consumers in this country is going to accelerate rapidly. In the old days, if you walked into a bank and picked up a brochure because you were interested in opening an IRA or something similar, until you contacted the bank about the IRA application that brochure sat in your pocket and was basically a private fact.

    In the online world, where more and more companies will be offering financial services to customers, when you click on the ad for that IRA, when you download more information about that financial product, a record is going to be created that you, as a known individual, have an interest in a certain type of financial product. That information is going to be added to a database long before you fill out any application or before you actually enter into an agreement with a financial institution.

    And so it is for this reason, in particular, that on the issue of privacy protection in the area of financial modernization, I think it is very important to err on the side of stronger safeguards and stronger protections for customers, because the growing demands for personal information and the ways in which individuals may lose control over personal information, I think will be increasingly threatened.

    Thank you very much.

    Chairwoman ROUKEMA. Thank you.

    And Mr. Brice.
 Page 92       PREV PAGE       TOP OF DOC    Segment 1 Of 2  


    Mr. BRICE. Thank you, Madam Chairwoman and Members of the Subcommittee on Financial Institutions and Consumer Credit. My name is Jack Brice. I live in Decatur, Georgia, and I serve as a member of AARP's Board of Directors. The Association appreciates this opportunity to present our views regarding the important issue of protecting the personal financial information and medical records of individual Americans.

    AARP recognizes the potential that a modernized financial services industry may offer in the way of new and useful products and services, as well as the potential for cost savings to the consumer. However, the Association is concerned about the risks involved in allowing the integration of the financial services industry without also updating consumer information privacy protections.

    The issue of financial privacy has emerged from a recognition that our Nation lacks a consistent binding process for protecting the privacy rights of consumers with regard to personal financial information collected and disseminated by private financial enterprises. It is clear from the AARP survey that midlife and older Americans feel truly vulnerable to the complex and fundamental changes which have already occurred in this period of financial transformation. Survey respondents were concerned that they will be put at further risk by the financial mergers that are yet to occur if adequate personal privacy safeguards are not put into place.

 Page 93       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Extensive personal information is already routinely gathered and distributed by a wide range of financial institutions. As banks merge with securities and insurance firms, financial privacy protection for confidential information grows increasingly important. It is clear that the financial privacy of consumers should not be considered incidental to the modernization of the financial services industry, but rather an inherent part of it.

    The financial services industry and consumer interest advocates have another opportunity to work together. One opportunity concerns ''pretext calling.'' While the House and Senate have passed different versions of financial modernization legislation, both include provisions that would make it a Federal crime to use false pretenses, so-called ''pretext calling'' to gather private information about an individual from a bank.

    However, many of the personal information privacy protections included in the version of H.R. 10, the Financial Services Act of 1999, reported out of the House Commerce Committee, were dropped from the version finally passed by the full House. AARP was encouraged by Commerce Committee bill provisions requiring:

    First, financial firms have and disclose their privacy policy;

    Second, consumers be given the opportunity to say no or to opt-out of personal information being transferred among financial firms, business affiliates as well as unrelated third parties, such as telemarketers; and

    Third, consumers have access to their information held by third-party companies, as well as the ability to correct that information.
 Page 94       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    AARP believes that financial services modernization legislation should go even further to protect consumers. Specifically, AARP believes that consumers should not be compelled to pay to block such information dissemination, nor should they be forced to comply with cumbersome procedures to ensure that protection.

    Consumers' explicit and recorded consent should be obtained before any sale or sharing of their non-publicly-available financial records to third parties or to businesses affiliates. At a minimum, this notification and opportunity to prevent distribution of their information should be reviewed when new data is being collected or added, as well as instances of business mergers or acquisitions, and consumers should be provided avenues for redress if they are harmed by inappropriate disclosure or use of their personal information.

    Unfortunately, the version of H.R. 10 that passed the House allows financial services providers to continue the practice of sharing individual financial information with its affiliates, as well as unrelated third parties that market products in alliance or partnership with the data collecting institution. Without the customer's consent, the House-passed H.R. 10 only requires the customer consent before allowing the financial services providers to share private account information with telemarketers and other unrelated third parties.

    The medical records provision of H.R. 10 is also of deep concern to AARP. The Association believes that a medical history contains some of the most important information collected about any individual. It is critical that individuals be able to actively participate in decisions about how these data will be used and to approve who will have access to their personally identifiable medical information.
 Page 95       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Section 351 of H.R. 10 would legislate to financial institutions more authority to share confidential health care information than currently exists within the health care business. AARP, therefore, strongly recommends that issues related to the privacy of medical information not be addressed in the Financial Services Act. It is felt that Congress, instead, should continue the extensive legislative work that has already been done on this complex issue and enact separate comprehensive Federal legislation applicable to the entire health care system.

    Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. And thank you. I am going to reserve my questions until the end, and I will defer now to Mr. Vento.

    Mr. VENTO. Thank you, Madam Chairwoman.

    Today the Health Policy Project released a detailed report on how States are legislating medical records confidentiality, entitled ''The State of Health Privacy and Uneven Terrain.'' Based on their review of State laws conducted over the past eighteen months, the office concluded that on the whole, State laws are weak and incomplete in the broad areas Federal legislation seeks to regulate, such as patient access to medical records, limits on disclosure of health information, law enforcement access to records, remedies for violations of privacy laws; and pointing out that in some specific illnesses, such as HIV, AIDS or genetic diseases, States have enacted detailed legislation.

    The intent of this legislation, of course, at the last moment, was to try to prevent health insurance companies from sharing that information with banks and securities institutions and other firms, to put some limits based on the banking modernization.
 Page 96       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Of course, most of the answers that come back are that somehow we are affecting or preempting States, which I think is unclear; second, that the Department of Health and Human Services would in fact put in place a strong definitive policy with regard to this. But I would remind the witnesses and others that they have to go through the Administrative Procedures Act, and it is a long way down the road. So I would think that we don't want to preempt States or to preempt the Department of Health and Human Services from dealing with that, that we need to have some modicum of limit in terms of a safety valve in this legislation, which is what this was intended to do.

    One of issues that we brought up, the opt-out provisions, even given their effectiveness, you heard the Direct Marketing Association suggest that they have 3 or 2 percent of the persons that opt-out that seek to have their names removed from the Direct Marketing Association, which I think is a little more provocative in terms of having your names removed, especially since they have people pushing and soliciting to have their names removed, as opposed to the opt-out provisions that we get for fair credit reporting or what I would anticipate would occur under either an opt-out for affiliates or an opt-out for third parties in this legislative provision.

    It is very limited in terms of the demonstrated participation by individuals in that particular means. In terms of trying to deal with their privacy and for other reasons, I don't think when they are opting-out they are dealing with it for privacy. There can be a lot of reasons: Maybe I don't want to be bugged by XYZ.

    Do you have any response? For us to fall on our sword over opt-out seems to me to be, when it has such a limited application or utility in this case, although we claim it gives choice—anyone?
 Page 97       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. Mierzwinski?

    Mr. MIERZWINSKI. Representative Vento, my understanding is that in California some 40 percent of consumers opt-out of having their names disclosed in the telephone book. So some opt-outs do work.

    In terms of—I agree with you that a bad opt-out is a real problem. That is why our preferred position is an opt-in. If we are going to have an opt-out, it should be statutory and clear disclosure. The fair credit reporting prescreening opt-out is not subject to any kind of disclosure statute.

    Mr. VENTO. I only have so much political ability to do things around here. When we are making decisions around here, we can't say, my preferred position is over here on this pole.

    Mr. MIERZWINSKI. But on the opt-out, the ones that we have are terrible. The fair credit reporting affiliate-sharing opt-out has been condemned. Former Acting Comptroller Williams gave several speeches and her staff pushed for a disclosure rule on that.

    Mr. VENTO. I am going to run out of time. I think if I am going to spend my political capital on something—I am trying to get something done inside. The concern is that from my efforts in terms of working on the affirmative responsibility, and disclosure is not enough, I agree, and dealing with limiting the account numbers and—you know, which obviously was helpful because it says you have to have an affirmative responsibility. And I know that you would like to have a legal action based on that. But banking and financial institutional law works on the basis of standards and it works on a different basis.
 Page 98       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. Rotenberg.

    Mr. ROTENBERG. I just wanted to say, Congressman, on this particular point there is plenty of data and plenty of polling information that shows that the American public, if asked, would much prefer an opt-in regime to an opt-out regime, and these questions have been asked by Time, CNN, by Lou Harris and other organizations. And in some sense, the opt-in regime is the common-sense regime. It is the one that says ''we have received your information for this purpose, thank you. We would now like to use information for other purposes. Is that OK with you?'' It is not a prohibition. It does not say that it cannot be used. It simply puts the burden where it properly belongs, and that is on the institution that knows what the subsequent use is going to be.

    You see, the problem with opt-out is that people can't exercise this choice effectively. They don't know what they are opting out of.

    Mr. VENTO. I think that is very important. I think most of us can agree on transactional and other credit information not permitting people to opt-out or opt-in if we can develop a commonality with the list of exceptions that might exist here, to permit business to go on.

    And then we get to questions that you have raised. The counterposition is, if you make this so difficult to get information that some banks and institutions become their own credit bureau, and you don't share any of this information anymore. So that is the other side, and it would put us in a position that they don't want to share it because they want it as proprietary information. That is sort of an ironic problem. Or the example I cited from thirty years ago, when I was a State legislator working on insurance actuarial data that they would not share because they didn't want competition in terms of bidding on the public contracts for health insurance.
 Page 99       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I can cite you some examples, and I think—so you know, I just think that the issue in terms of trying to address this, the universality of it and the way I feel is that we are going a lot further with financial institutions than we have gone with other commercial entities. We are looking for something that will work. And I agree with the universality of how this will shape up. I hope that we have a common touchstone in terms of what we are doing and what we are doing on the Internet.

    I don't think that we should go the way that the FTC has advised in terms of self-regulation, as they have done with Internet. That has failed with banks and with other financial institutions.

    Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you.

    Mr. Inslee.

    Mr. INSLEE. Thank you. I appreciate all of your work on this, obviously, and you have all articulated the arguments for this better than any of us. I want to ask you a process question if I can. You heard my opening statement where I asked folks, how do we draft something that will prevent affiliate-sharing that would allow them to do marketing with affiliates, and how can we do that in a way that would not destroy a bank's ability to provide financial services; and I did not get much of an answer from the first couple of panels.

 Page 100       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Has the industry talked to any of you to try to work out language of that sort? Or have they simply taken the position that we are not going to allow any regulation of affiliate-sharing, we are not going to talk about it or try to find language that would meet our mutual requirements?

    Mr. MIERZWINSKI. Congressman, I did go to one meeting that industry was present at, but they were not talking to me, and they have not approached us individually to work on this; and I don't think that they have approached the other groups that I am representing today.

    Mr. ROTENBERG. I have heard nothing about this.

    Mr. BRICE. Nor have I. The Association is just as concerned, and rightly so, that consumers have the right to reject unauthorized use of personal financial information and medical information.

    Mr. INSLEE. I have heard a lot of people say we have to be cautious about this, if the industry did not want to talk about language, how to prevent affiliate-sharing for marketing purposes, but some language which would allow them proper use of it. Would you be willing to do that?

    Mr. ROTENBERG. The answer is yes. In fact, in my written statement I went into some detail in terms of various changes that could be made. Most of the changes are actually surgical, changes that I think could survive some of the industry concerns.

 Page 101       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. MIERZWINSKI. I think that the Markey-Barton-Inslee amendment is highly appropriate and would have been an ideal solution that answers industry's and our questions.

    Mr. INSLEE. When you say that, I think you appreciate we tried to take some of the industry concerns when we drafted that. Were any of those inappropriate from your perspective?

    Mr. MIERZWINSKI. My understanding, Congressman, is that you tried to preserve the right of companies to conduct affiliate-sharing or third-party sharing when it dealt with completing the customer's transaction for his existing accounts; but you tried to give the customer control over sharing that dealt with secondary uses. That is our position.

    Mr. ROTENBERG. I think it is important to keep in mind the comments that were made by both Bob Litan and Mary Culnan on the first panel. They said that by establishing common-sense procedures, notice and opt-out, some clear privacy policies, you build trust that enables people to disclose information so it can be used to receive the services they want to receive.

    And on the second panel they said that they do not want to market to people that are not interested in the products and services. The way that you sort of put this all together is that where you have a good privacy policy, one that respects the rights of consumers, but protects the interests of business, then people can go forward. But in the absence of good privacy policy, then you have a lot of unease and mistrust, and these problems, I think, just get bigger.
 Page 102       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BRICE. I think that is the crux of this matter. We feel that Congress must put into place performance standards that take advantage of the efficiencies and the conveniences that information technology brings forth to us, while at the same time providing security, confidentiality and privacy for the consumer.

    Mr. INSLEE. I appreciate that. I would like you to know that I would personally prefer an opt-in provision. I was on a radio talk show today and a fellow said, ''You are doing a great job fighting for consumer privacy, but how come you have to opt-out instead of opt-in?'' Unfortunately, there are folks who are listening to other voices rather than our constituents, frankly. I would love if you have majority support for that and I appreciate your efforts. Thank you.

    Chairwoman ROUKEMA. Mr. Bentsen.

    Mr. BENTSEN. Thank you, Madam Chairwoman.

    I have a number of questions, so if we can get through them in the time. When you used the term ''affiliate,'' do you also believe that to mean subsidiary, wholly owned subsidiary?

    Mr. MIERZWINSKI. Yes, we do.

    Mr. ROTENBERG. Yes.

 Page 103       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    Mr. BENTSEN. So to the extent that there was an operating subsidiary structure, that NationsBank owned Nations Security, which is actually Section 20, but if it was a wholly owned subsidiary, you would oppose information-sharing of customers of NationsBank or vice versa without an opt-out?

    Mr. MIERZWINSKI. Again, I think our intent is to define ''affiliate'' broadly for the purposes of privacy to include subsidiary.

    Mr. BENTSEN. Mr. Rotenberg.

    Mr. ROTENBERG. I take a somewhat different perspective on the issue.

    From the privacy perspective, the corporate structure of the entity that the consumer is dealing with turns out to be less significant than the use of the information. Now, I appreciate, from the regulatory viewpoint, that is a little bit complicated. But from the privacy viewpoint, that is really what it is about. If a person is providing information for a certain reason and it is being used for other reasons or it is being disclosed to other entities, that is where the person will be able to exercise some control.

    Mr. BRICE. That would be our concern, too. We are trying to say that we are concerned that the financial information and medical records outside of the original business context is a threat.

    Mr. BENTSEN. Let me ask this follow-up. Would you oppose—and of course there is no current law right now; there is H.R. 10 and the Fair Credit Reporting Act, although H.R. 10 is not law yet, there are some State laws out there. Would you oppose the ability of a bank to share information between the deposit side and the trust side that is allowed within the current bank structure?
 Page 104       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Do you understand my question?

    Right now, you know how a bank is set up. You have the deposit-taking side and the consumer side, and presumably they can share information. If I have an account with Texas Commerce Bank and they want to start marketing their trust benefits to me, they can do so. Would you oppose that as well? That would be sharing among departments within the bank itself.

    This is getting to a critical question.

    Mr. ROTENBERG. I understand the question, and I have not thought about it enough to say yes or no. What I would say is that whatever the answer would be, the more information that the bank provides to the customer about how the information that is collected will be used, the more likely you are to produce an outcome that the customer will be satisfied with.

    In other words, I think the customer needs to be made aware that there are potential uses within the one institution of the personal information that is being provided for a particular service, and at least on that basis people can make some assessment.

    Mr. BENTSEN. Let me step back for a second. It is not really that complicated when you talk about structure, because in my mind that is where the problem is.

    Some of us believe in Congress that the marketplace demands a new bank charter model or bank structure with additional powers. Now we have disagreements as to what powers to allow in the bank or out of the bank for safety and soundness reasons, and so we either use a holding company model that allows for affiliates to do securities and certain types of insurance and other types of activities, or there is a matter of dispute over using a subsidiary model for certain types of activity. But we have done that.
 Page 105       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Now, some may oppose that, but to the extent we get to that level, then we have a question as to what synergies do you allow within the new bank structure that are already accepted practice within the bank itself; but now for safety and soundness reasons, we have created this new model, but we are going to give you a different set of rules. And that is where I find that there is a real problem. Yes, there is the marketing nuisance of getting phone calls or excess mail, saying will you buy this or buy that, but that is not the issue. I mean, that is one issue; and how do we deal with that?

    The other issue, Mr. Mierzwinski brought this up with respect to NationsBank and Nations Security, is the bigger issue which is not so much sharing. Yes, there need to be privacy issues with respect to medical and things like that, but it is not the access as much as the misuse of the information; and I don't see in H.R. 10 where we shield from liability, and I would be opposed to doing that.

    And second of all, the fact is, in the end NationsBank had to pay $7 million in a civil penalty. We should always be concerned about fraudulent activity, and I don't see anywhere in H.R. 10—and if there is, I would like to know—where we are saying, certain types of otherwise fraudulent activity are OK. We should be always on guard for that, and that is really a different issue.

    The fact that somebody is going to market something and you may make a bad investment, even given the disclosure you have, is another issue; and that is where the privacy thing comes for me. You are getting marketed this data by a new bank structure with certain protections, which are absolute, that we set in the bill, but you should not confuse that with fraudulent or misuse of the data or fraudulent behavior toward investors or consumers.
 Page 106       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. MIERZWINSKI. Very briefly, I am aware and you make the point correctly that that civil penalty was not for a privacy violation. But our view is that in addition to their protections against fraud and unsuitable investment marketing, customers should have the right to say no to even receiving the marketing from either a subsidiary or an affiliate.

    Mr. BENTSEN. But opt-out would not have done anything with Nations Securities if people had bought the securities with bad information.

    Mr. MIERZWINSKI. Some would not have received the offers so some would have been able to say no. Again, we would prefer that they say yes.

    Chairwoman ROUKEMA. I was very generous with Mr. Bentsen, but he really hit on part of the question that I have remaining in my mind.

    Mr. Gonzalez, are you here to ask questions?

    Mr. GONZALEZ. It is always dangerous to ask questions when I have not heard the testimony. My question is more in the nature of philosophy, Madam Chairwoman.

    I have a note as to what you basically agreed to, and I guess what it comes down to—and you heard the first panel kind of summarize things—and that is, it is a fundamental right or question of fairness. It is fairness to the consumer, not necessarily to the business entity, who makes that choice on whether the information should be used for any purpose; and the rights should remain with the individual, the consumer, the customer, to determine whether that information is to be provided to anyone else for whatever purpose.
 Page 107       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    In general, is that in principle what you are telling me today?

    Mr. ROTENBERG. Yes.


    Mr. BRICE. Yes.

    Mr. GONZALEZ. Thank you very much.

    Chairwoman ROUKEMA. Mr. Moore.

    Mr. MOORE. Madam Chairwoman, I missed the majority of this testimony this afternoon, so I don't think it would be appropriate for me to ask questions, but thank you very much.

    Chairwoman ROUKEMA. Thank you. I don't know quite how to conclude this.

    As I have listened this afternoon—first, I will say categorically and without exception that Mr. Vento spoke exactly to my conflicts over the questions of opt-in and opt-out. In addition, I agree with what you said, and I have forgotten the follow-up way you characterized it, with respect to the medical privacy. There is a modicum of progress—I think it is a modicum, but it is a foundation on which we can build. And so in those two areas, I want to totally agree with what Mr. Vento said.
 Page 108       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    I would also go beyond it in terms of the opt-in/opt-out provision. I hear what you are saying, but rather than putting it as Mr. Vento did, about falling on my sword, I would rather say that if we make it a statutory requirement with rather precise disclosure provisions, it seems to me then we are hair-splitting over whether it is opt-in or opt-out. The opt-out provision should serve everybody's purposes if those disclosure requirements under the statute are precise.

    I would think that would be the way it is, and I think Mr. Vento made a reference to, can't we get you together with the industry. And if, as the industry says, that is their intention as well, then I would think that we would be able to accommodate this.

    Do you take strong exception to that or not? No?

    Mr. MIERZWINSKI. Well, getting together with the industry, our major concern——

    Chairwoman ROUKEMA. No, if you agree that clear disclosure could resolve the problems as to opt-in or opt-out?

    Mr. MIERZWINSKI. It would go some way toward doing so. However, this bill does not provide an opt-in or opt-out for the majority of purposes, and that is our bigger problem.

    Chairwoman ROUKEMA. But you are not suggesting that we not address the subject at all and build on it in terms of separate legislation, either in that case and/or the question of the medical privacy as well?
 Page 109       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. MIERZWINSKI. Our view is, of course, we are always happy to work with you, but since H.R. 10 is the major bill dealing with increasing the size and ability to cross-share by institutions, we feel that it is the bill to try to build the biggest foundation in.

    Chairwoman ROUKEMA. Mr. Rotenberg.

    Mr. ROTENBERG. I certainly think that it is an area that should be explored, and it may be possible through good notice, as you say, to kind of narrow the gap.

    I can tell you the debate on opt-in or opt-out, basically it comes down to the question of who carries the burden. It really is that simple. In an opt-in regime, it is the company that wants to make subsequent use of the data that is going to have to get permission. And they will say that that is costly; they prefer not to do it if they don't have to.

    In an opt-in regime, it is the customer that is going to have to find out how is that information going to be used?; do I need to renew on an annual basis?; and that is why, frankly, you don't see a lot of people exercising opt-out, because the burden falls on the consumer.

    Now, if there is a way to narrow that gap so it is more fairly allocated, I think that may be the right way to go.

    Chairwoman ROUKEMA. Mr. Brice, do you want to comment on this?
 Page 110       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    Mr. BRICE. Not really.

    Chairwoman ROUKEMA. Not really. You don't want to split any more hairs? OK.

    Well, I would simply conclude we don't have easy answers here. I guess there are no simple answers. Simple answers are for the simple-minded. I think we have more insight as to the complexities of the privacy issue that we have been dealing with today. Maybe by tomorrow there will be even more complexities, but I do not believe that they are irreconcilable. I believe we have the ability here in H.R. 10, through the conference as well as—and I stressed it in my opening statement, I believe that the foundation is in H.R. 10, but it is not exclusive. The purpose of these hearings is to set the stage for further action on more comprehensive privacy legislation.

    Mr. Vento.

    Mr. VENTO. I think that the comments that he made that he wants to build the strongest foundation that he can, I understand that because nothing else is moving on this particular issue in spite of the fact that he referred to the privacy provisions in the other bills.

    I think that the first panel also made a difference between—in terms of opting-out on service and related services. In other words, if they are related services, that that would be helpful. But it seems to me that some of the examples that you gave in terms of credit life insurance and credit card insurance are exactly the ones that you are most concerned about.
 Page 111       PREV PAGE       TOP OF DOC    Segment 1 Of 2  

    In the best opt-out circumstance, where you have people soliciting business to opt you out of direct marketing, they are saying you get 2 or 3 percent. Maybe 5 percent, but that is an aggressive program. They say, would you like your name removed from this list of folks that are calling you on the telephone or sending you mail? So that has got to be—I don't know how much better you are going to get it. I understand halftone on the back of a bank statement is not the best modus operandi for opting-out. I understand.

    I think the idea—I don't mind laying down most of your effort for something that was workable, but it obviously—and we do have a problem here, as is indicated. I think that we have not got into the issue of whether or not you can do due diligence, whether you have mortgaging servicing rights or other products that you are going to sell within these financial entities and if you can, in fact, share that information. Most financial institutions get into confidentiality agreements. They don't share this on an open-ended basis, and so we are obviously recognizing that in the context of what is in H.R. 10.

    There is all sorts of concerns about securitization and—not just that, but the expectation, if I am doing business with Citibank and I go over to the mortgage entity, that I don't have to fill out a three-page application again. So there is—we do let them use that name, Citibank Mortgage, Citibank Bank, Citibank Insurance. So there is some expectation that it is the same entity that you are doing business with.

    Chairwoman ROUKEMA. I think that having been said, we will adjourn for today and return tomorrow for the second installment. Thank you so much.

 Page 112       PREV PAGE       TOP OF DOC    Segment 1 Of 2  
    [Whereupon, at 2:55 p.m., the hearing was adjourned, to reconvene on Wednesday, July 21, 1999.]

Next Hearing Segment(2)