Segment 2 Of 2     Previous Hearing Segment(1)

FINANCIAL PRIVACY

WEDNESDAY, JULY 21, 1999
U.S. House of Representatives,
Subcommittee on Financial Institutions and Consumer Credit,
Committee on Banking and Financial Services,
Washington, DC.

    The subcommittee met, pursuant to call, at 10:00 a.m., in room 2128, Rayburn House Office Building, Hon. Marge Roukema, [chairwoman of the subcommittee], presiding.

    Present: Chairwoman Roukema; Representatives Bereuter, Royce, Vento, C. Maloney of New York, Watt, Sandlin, Moore, and Gonzalez.

    Also Present: Representatives LaFalce, Dingell, and Inslee.

    Chairwoman ROUKEMA. I think we will try to come to order here. I would appreciate it if everyone will take their seats at the table, the panel I mean. It is a busy day for all of us, I know. We are ready to move on with this very important hearing. I will try to keep my opening remarks brief by summarizing yesterday's hearing and setting the stage for today. As most here will understand, this is the second day of hearings on financial privacy. As we mentioned yesterday, the privacy issue is addressed in H.R. 10. There are several significant new privacy protections in H.R. 10. Of course, mandatory opt-out for consumers and information sharing with unaffiliated third parties is the focus in H.R. 10, and it is dealt with in a very constructive way.

    There is also prohibition on sharing account and credit card information with marketers and the practice of ''pretext calling'' is criminalized. I think frankly that the financial privacy provisions in H.R. 10 are a good start. In fact, I think it is more than a good start. I think it lays a strong foundation on which we are hopefully going to build as a consequence of the constructive things that we learn here in the first two hearings, and which may result in additional hearings.

    In our hearing yesterday, the witnesses included academics and privacy experts, representatives of our smaller financial institutions, credit bureaus, and marketers as well as the consumer groups. We covered a lot of ground. I don't think that we have necessarily digested all of the points that were made, but virtually all witnesses warned against further privacy protections unless extensive hearings and analysis is done. They outlined a few concerns. The majority of them advised against an opt-in approach at this time. They were quite definitive on that, but not unanimous, so that question is an open question. I am sure that our panelists today are going to address the opt-in approach in depth.

    One particular point that I think was well made is that consumers have a right to know who is collecting their information and how that information is to be used. Also, privacy policies must be clear and easy to understand. That there must be agreement. To be meaningful, the customer opt-out process must be clear and straightforward. What does that mean? It means that we have to look carefully at the statutory requirements on the opt-out disclosure provisions. I am hopeful that we will hear more about that today.

    Then there were references to the small financial institutions using third parties for many common everyday practices. They pointed out that contracting with third party service providers is vital to the small institutions and that those practices must be protected. One example that they gave, but there are many more, is the check printing. It was also pointed out that data processing by third parties was particularly common and limiting this ability would complicate matters for small institutions.

    Many other issues remain with respect to privacy and State laws. Does H.R. 10, or should H.R. 10, preempt State privacy laws? What we will do in the future with respect to State-Federal relationship? Should customers be permitted to opt-out of information sharing by financial institutions with their affiliates? That in particular is a key issue of controversy.

    In addition, it is possible that good disclosure of privacy policies, that if we have really good statutory disclosure requirements, we may be able to, if not eliminate, at least greatly diminish this intense debate over opting-in and opting-out. Quite frankly, I think this area—disclosure—is going to be a focus of my own attention. I am anxious to hear what our panelists have to say about that today.

    Then we are also going to address Section 351 and medical privacy. Do we need to make it clear that the Secretary of Health and Human Services retains his authority to promulgate comprehensive medical privacy rules even if H.R. 10 becomes law? There seems to be some question about that. Mr. Ganske's intention was to preserve the Secretary's authority. Perhaps the statutory language in Section 351 is not as precise as it should be. In addition, we may have not considered all of the ramifications of the medical privacy provisions. This is an issue of particular concern to me.

    I think we must be very, very deliberate in terms of medical privacy. The subcommittee will be looking at all of these issues today, and of course with that in mind I will now relinquish the time to my Ranking Member, Mr. Vento, before we introduce the witnesses.

    Mr. VENTO. Thank you, Madam Chairwoman. I think we made progress yesterday. Of course, we are trying to translate the culture of privacy that pervades financial institutions, which is the basis for trust and confidence of the people we represent in our economic and financial system and taking that culture and translating it into rules and finally trying to codify it for essentially the first time. As privacy applies to this relationship between our banking and financial entities with the consumers, it is not an easy task.

    Of course, it is especially a problem when throughout our communities there is an explosion and so many changes which are affecting the very target that we have in mind. Of course that is exactly the case.

    And when we are the first, when other entities frankly are being given the policy path of self-regulation or no regulation and no rules with regards to in fact what is going to be the rights of privacy, financial institutions and those involved in modernization are in an unusual circumstance. I think we did well in terms of what we put together to build a foundation in the House bill. The Senate bill is practically silent on the entire topic except for something called ''pretext calling.''

    So I think we did a good job. Obviously this is not going to be the last word. I dare say that Congress and the public will be looking for policy changes and perfection of this privacy issue down the road. I think it is important that we put in place a foundation. I think that the actions and the interactions of traditional privacy issues that we have taken for granted are very much at risk and very much up for grabs in the electronic communication age, and I think the point that we are trying to do is to maximize the benefits that are inherent in these changes and in the discoveries that are being made in communications to maximize that benefit and to minimize the effect or impact on our own individual privacy.

    Those are two goals which may be difficult to reconcile, but at least I think it is what is at the base of this anxiety and the concerns we have heard from consumers. To find and establish policies which in fact achieve that is easier said than done. We have practically invented, or at least have overused, the words opt-out and opt-in in this subcommittee, and have discovered with the instantaneous nature of transactions that take place, not only does it speak to efficiency, but it speaks to great risks in terms of privacy.

    So I hope that we in our process in terms of financial modernization will at least help in setting a foundation. Of course it is important that we start to look on a global basis at what the European Union is doing and to establish a policy that is consistent. I think in that consistency develops an understanding in terms of the public in terms of responding to a commercial firm, to the financial entity, to the Internet, to others that are outside the gamut of financial modernization.

    Second, I think with the steps that we put in place we do not want to create an avalanche of paper without any positive benefit to the people that we represent. So I think we are on the right path. I am sure that it will take adjustment down the road. We look forward to the help and guidance of the regulators here today and those that have testified in the past on these topics.

    Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you, Congressman Vento.

    Any other comments?

    Yes, we have the pleasure of having Congressman LaFalce, the Ranking Member of the full committee, with us today.

    Mr. LAFALCE. Thank you, Madam Chairwoman. I am delighted that you are having these hearings. I consider them to be extremely important, and I simply wanted to come to advise the panel how important I think these hearings are.

    We have been struggling for years for financial service modernization legislation. We have not struggled for a great many years too with the issue of privacy, but primarily because of the technological explosion which has taken place and the tremendous number of citizens, especially within the United States, but also globally, not nearly to the extent as American citizens' use of that technology, the issue of privacy has come to the forefront of our considerations, the American public's considerations.

    Now it is possible for everybody to know every book that you buy. It is possible for everybody to know every video cassette that you rent. It is possible for everybody to know when you go to the grocery store what your favorite products are, and so forth. And virtually everything about your financial status and transactions.

    Independently of financial services modernization, this is an extremely important issue. As a matter of fact, I think it is profoundly more important than financial services modernization. I just want to make that clear. The opportunity to do something about this has presented itself during the course of markup, and then it took on a life of its own.

    I think we should do as much as we can as part of the financial services modernization. But since it is a related issue, but also independent, as much as we can independently of it, too. The difficulty is we don't have a majority in the Congress. I am not sure how much we will be able to achieve independently, so we have to take up every opportunity to do as much as we can. We did that during the course of the Banking Committee markup. We got so far. We did that in our deliberations with the Rules Committee and we got much further than I ever thought we would.

    We had opt-out provisions with respect to third parties, and prohibitions with respect to certain types of marketing, telemarketers, and so forth, and so forth. We created an affirmative obligation on the part of financial institutions to have privacy policies, and we gave you, the regulators, the ability to articulate the standards that would have to be met by the financial institutions. Otherwise they would be in breach of an affirmative obligation. This was significant. The first thing that I am interested in hearing from you is an evaluation of what we did, what we did right and what we did wrong, what we might be correcting.

    Second, as part of that, I am a little concerned about what we did with respect to medical privacy. We do not have tremendous expertise within our committee on the issue of medical privacy, and I want to make sure that what we did with respect to medical privacy in no way infringes, in no way infringes no matter what we pass, the ability of the Secretary of HHS to promulgate regulations effecting medical privacy standards above and beyond anything we might do.

    Additionally, I want to make sure that the exceptions within the present law with respect to medical privacy do not create loopholes that we will be sorry for later. If that is the case, we ought to just omit that entire provision.

    Then whether we will be able to do it as part of financial services modernization, and I think it is problematic, because I don't know if we will be able to go beyond where we have gone in the House, there is the issue of opt-out, not just for third parties, but for affiliates. A lot of us believe that can be done certainly at the appropriate time with the appropriate vehicle. I want your thoughts on that issue, too.

    Yesterday I was here when the professor from Georgetown said yes, this can and should be done. It is a matter of technology, is a matter of cost, yes, absolutely. If you have thoughts on that issue, because the industry monolithically is saying, no, no. We are not talking about an opt-in, we are talking about an opt-out there. What are the concerns of the—what are the validity of the concerns of the industry? We would not be prohibited, we would not be calling for an opt-in, simply for an opt-out basically for marketing purposes with affiliates, something they desire to do, and probably could do with 99 percent of their customers even if there were an opt-out provision.

    But that is a focus of debate within the Congress and I appreciate your thoughts on that issue, too. And I thank you all very much.

    Chairwoman ROUKEMA. Mr. Bereuter.

    Mr. BEREUTER. Madam Chairwoman, I commend your role in holding the hearings. I look forward to hearing the panel.

    Chairwoman ROUKEMA. I might say as a follow-up to what Mr. LaFalce has given us in terms of the background of H.R. 10, I was a co-sponsor of the privacy provisions in H.R. 10. I think everyone here should know, and if they don't, I will inform them, that the privacy amendment passed overwhelmingly in the House, 427-to-1.

    But I also want to state that I took the initiative of setting up these hearings prior to floor consideration of H.R. 10. These hearings were planned prior to any thought that we would be able to link privacy, appropriately in my opinion, to H.R. 10. Indeed, I felt that there were large questions of privacy that demanded our attention and that it would be irresponsible if we did not have a set of hearings on the subject and explore the whole range of issues that are connected.

    So again to repeat, I feel as though we have made a start. We have set a foundation, but it is not complete until we give due consideration to all of your concerns here and those of the other panelists.

    Now we will hear from Mr. Moore. Excuse me, Mr. Inslee, I believe you were here first.

    Mr. INSLEE. I just want to thank the Chair for holding this hearing, and I want to point out that the Chair had the foresight to really plan these hearings even before America knew about these sordid practices because this Chairwoman had the foresight to recognize the importance of this issue even before the expose hit the newspapers, which showed that banks were taking Americans' personal financial information and selling it to marketers across America. Those suspicions have been confirmed in Minnesota and various other States across the country.

    I am convinced while we have made a start in the House version of H.R. 10, we have made a start involving third party sharing with telemarketing, marketing purposes, we have left an enormous loophole that you can drive an armored truck through to allow marketing purposes to allow that personal intimate financial information to be used by affiliates for not banking purposes, for not purposes of checking accounts, for not purposes of savings account, but for marketing purposes. And we need to find a way to plug that loophole and find a way that does not interfere with the legitimate banking operations of the industry.

    I am here to ask the panels to address that issue. How do we plug that loophole and allow Americans to allow their personal information to be used for the purposes intended and not for marketing purposes. I believe 30 years plus one day ago we put a man on the Moon, and we can certainly plug this loophole, and I would like to ask you to help us figure out how to do that.

    Thank you.

    Chairwoman ROUKEMA. Thank you.

    Mr. Moore.

    Mr. MOORE. I would just like to echo the eloquent comments of Congressman Inslee and I appreciate the fact that he submitted an amendment during the hearings on this bill, and I also wanted to mention the fact that during the hearings on this bill, H.R. 10, we were promised that we would have an opportunity for hearings on the privacy question and so, Madam Chairwoman, I really appreciate your convening this hearing and giving us an opportunity to hear all of the expert witnesses who have testified today and yesterday about the privacy issues.

    Thank you.

    Chairwoman ROUKEMA. Thank you very much.

    Now just a few administrative announcements. According to the rules of the committee, for those witnesses here today you should know that all of your written testimony will be automatically included in the official record of this hearing. Witnesses are limited, or at least we try to limit ourselves to what we call the five-minute rule. Those lights in front of the witnesses will give you an idea of when your five minutes are up. I will try to be respectful of you, but please try to cooperate and condense your comments to meet the five-minute rule. I would make that same comment also for my colleagues on the subcommittee. We should try to keep our questioning period within the five-minute rule. Your written testimony will be part of the official record. Members will also have the opportunity to submit questions to witnesses in writing as follow-up questions under the rules of our committee. The hearing record will be left open for the customary period of time for additional comments or additional statements that you want to include in the hearing, the official record of the hearing.

    With that let me introduce our first panel. The first panel is regulators who regulate, in one capacity or another, components of the financial institutions. We have Federal and State regulators represented here today. Let me introduce all of you and then we will begin with Mr. Gensler.

    Mr. Gary Gensler is Under Secretary for Domestic Finance, Department of the Treasury. The Under Secretary has appeared before us previously and we welcome him here today. We look forward to his testimony, which I have a sense is going to be very instructive and opposite of some of what we heard yesterday.

    Governor Edward Gramlich, we welcome you today. Governor Gramlich is a member of the Board of Governors of the Federal Reserve System. Mr. Gramlich, I believe you have been on the Board since 1997. We welcome you here today. You have significant experience and I don't know whether you are speaking on behalf of the Chairman, Chairman Greenspan, but he has given you permission to be here today.

    Mr. GRAMLICH. For the whole Federal Reserve Board.

    Chairwoman ROUKEMA. Our third witness is the Comptroller of the Currency. We appreciate Comptroller John ''Jerry'' Hawke, Jr., being here. Comptroller Hawke has been here several times and is always constructive in his testimony.

    Our fourth witness is the Chairman of the Federal Trade Commission, Robert Pitofsky. The FTC has primary legislative responsibility over the Fair Credit Reporting Act. That legislation is central to some of these privacy issues that we are dealing with here. It is the Federal law which permits entities to share customer information with affiliates in a holding company structure. That gets right into the heart of the issue—financial institutions sharing customer information with affiliates without getting customer consent. I understand that you have recently made some somewhat controversial comments, or definitive if not controversial, regarding internet privacy. We will follow up on that.

    Our fifth witness represents the Securities and Exchange Commission. Annette Nazareth is Director of the Division of Market Regulation, and is testifying on behalf of the SEC.

    Then we did say that we are going to include the State regulators and we have one here today, Connecticut Commissioner of Insurance, Mr. George Reider, Jr. Commissioner Reider is the current President of the National Association of Insurance Commissioners. We welcome you, Commissioner Reider.

    You are going to have significant work to do here today.

    Thank you, and without further delay I will defer to Mr. Gensler of the Treasury.

STATEMENT OF HON. GARY GENSLER, UNDER SECRETARY FOR DOMESTIC FINANCE, DEPARTMENT OF THE TREASURY

    Mr. GENSLER. Madam Chairwoman, Ranking Member Vento and Members of the subcommittee, I am pleased to have the opportunity to present the Administration's view, not just Treasury's view, the Administration's view on financial privacy.

    Today many Americans increasingly feel their privacy threatened by those with whom they do business. Americans want the ability to earn, invest and spend their money without having to expose their lives to those who process that information, just as they would not expect a letter carrier to open their mail. Americans deserve that right. For much of our history, consumers were justifiably confident about their financial privacy. That confidence is on the wane today due to three important developments.

    First, today's ordinary desktop computer has significantly more power than the mainframes of 30 years ago. Vast amounts of information can be stored, sorted, manipulated and analyzed at lower and lower costs.

    The second key change is the growing integration and consolidation in financial services firms.

    Third, Americans increasingly use credit cards, debit cards, electronic bill payments, and direct deposit in lieu of cash, and thus financial services firms are able to collect far greater amounts of information.

    Taken together, these three trends provide the means, motive and opportunity for financial services firms to mine consumer information for profit.

    Our challenge therefore is to protect the privacy of consumers while preserving the benefits of competition and innovation.

    On May 4, the President outlined the Administration's financial privacy and consumer protection initiatives. Protecting financial privacy led the list of key principles for consumer protection. When the President announced this agenda, some may have viewed the proposals as ambitious. Only two months later, however, leadership by the President and the Members of this subcommittee and the House have sparked a debate that has produced dramatic results. Most overwhelmingly, the privacy vote in the House. Today I will address five basic issues that we believe Congress ought to consider as privacy legislation moves forward.

    First, scope. We believe that the transaction and experience data must be protected regardless of the type of financial institution at which it is held.

    Second, the concept of notice. The Administration believes that every financial institution should establish and disclose a privacy policy that covers information sharing with both affiliates and third parties. Disclosure of an institution's information practices is a precondition to consumers choosing how their information will be used or choosing to do business elsewhere. The Administration believes that this should be meaningful notice and be provided to customers upon account opening and annually.

    The next issue is choice. The Administration believes that consumers should have the choice to opt-out of—that is to say ''no''—to the use of their data by both third parties and affiliates. Choice allows consumers to make their own decisions as to the potential tradeoff between on the one hand, their financial privacy, and on the other hand, the marketing opportunities and other potential benefits of information sharing. This is a very personal decision which is most appropriately left to an individual.

    Congress has embraced notice and choice—for both affiliates and third parties—in the Fair Credit Reporting Act. The FCRA has given consumers the right to notice and the opportunity to opt-out before a company shares certain credit information with an affiliate. Financial firms have a proven record in finding how to work with notice and opt-out.

    The fourth issue is exceptions. While the Administration is firmly for choice, we also believe that there is a need for balance. There are some types of information sharing where consumer choice may not be appropriate. In approaching any exceptions, we think three questions are appropriate. First, what is the consumer's reasonable expectation of privacy? Second, what is the purpose of the transfer? Third, what are the costs of allowing choice? Any decision should be based on a balance of these factors.

    The Administration strongly believes that in most cases the balance counsels for choice, whether sharing with a third party or an affiliate. We also support strict limits on reuse of information shared pursuant to any exception.

    Perhaps the clearest case for choice is in the area of medical privacy. We strongly oppose, however, the medical privacy provisions of H.R. 10, which undercut stronger and more comprehensive protections to be promulgated later this year.

    The sale of marketing information to a third party also appears to be a clear case where no exception is appropriate. In some cases though, the case for an exception may be stronger. Financial services firms may wish to provide customers a consolidated account statement so they can see the picture with the whole organization.

    Other cases present more difficult tradeoffs, and we think these three principles are the best way to think through these as we move forward. But I think that it is important that where a consumer is spending his money and the purposes for which a consumer is obtaining credit should remain subject to notice and opt-out. How we live our lives, what we believe, the choices we make, all of these very personal pieces of information should not be shared without our consent.

    Last, the complexity and uncertainty of this task leads to one further point, the need for regulatory flexibility. We should allow many of the details to be worked out by the regulators that know the financial services industry best, after taking into account public comment.

    I wish to thank you again for allowing me to appear here today, and I look forward to any questions.

    Chairwoman ROUKEMA. Thank you.

    Mr. Gramlich of the Federal Reserve Board.

STATEMENT OF HON. EDWARD M. GRAMLICH, MEMBER, BOARD OF GOVERNORS, THE FEDERAL RESERVE SYSTEM

    Mr. GRAMLICH. Thank you, Madam Chairwoman, and other subcommittee Members. You are all to be commended for efforts to resolve the vital issue of customer financial privacy. Information about individuals' needs and preferences is a cornerstone of any system that allocates goods and services within an economy. The more information about needs and preferences available, the more accurately and efficiently will the economy meet these needs and preferences. But though the availability of information promotes economic efficiencies, there is also a long recognized value in permitting individuals to maintain a zone of privacy. To date, conflicts between the two goals have been largely handled in the marketplace where the competitive value to the companies of customer information has been traded off against the competitive value of providing customer privacy.

    The current privacy debate concerns information that banking and other financial institutions derive from their relationships with customers. This may include information submitted by a customer in order to obtain a loan or deposit, information about transactions or information obtained by a bank from third parties such as a credit report. The economic value to a bank is unquestionable, but the information also has value to others who may wish to sell goods or services to the customer.

    In the area of financial information, many customers clearly believe that an implicit contract exists between the financial institution and the customer requiring the financial institution to keep information confidential. Control of information about ourselves is a fundamental means by which we manage our relationships with each other. The feeling that financial information should be private has deep historic roots, and bankers and customers have long viewed their business relationship as involving a high degree of trust which could be threatened by violation of privacy.

    The testimony goes on to give a few examples of how customers value both economic efficiency and privacy, examples that are in the testimony and that I won't read.

    The environment presents the Congress with a series of important questions. Are banking practices involving customer information developing so quickly that customers will be unable to respond to these practices effectively? If so, can market processes be made more efficient without lessening privacy protections? If not, must Congress strike the appropriate balance between these competing interests? Congress has already addressed the issue. In the Fair Credit Reporting Act, governing the exchange of customer data by and with consumer reporting agencies, Congress balanced the issue of privacy and efficiency by allowing institutions to share information related solely to the institution's transactions and experience, but by also requiring that each customer be provided with a right to opt-out of sharing between affiliates of any other type of customer information. There are a few other examples in the testimony of how Congress has already addressed some of these privacy issues.

    The additional privacy protections of H.R. 10, particularly those giving customers the right to opt-out and thereby limiting the sharing of the institution's own experiences and other transactional information with third parties, would generally improve the privacy protections for bank customers. There are a number of important details here and without getting into some of the questions that Gary has just raised, we would emphasize a few points in this dispute.

    One is the importance of exceptions necessary to make the payment system work smoothly. Another is to establish consistency across markets to ensure that any limitations imposed on one industry, such as financial services, do not place that industry at a competitive advantage. Our lawyers have gone through H.R. 10, and there are some points in which the drafting might be clarified, and we would be happy to offer our assistance on that score.

    Finally, the time period for adopting or implementing regulations is very ambitious. Perhaps the implementation period could be extended to at least a year.

    Thank you very much for an opportunity to testify on this very important matter.

    Chairwoman ROUKEMA. Thank you, Mr. Gramlich.

    The Comptroller of the Currency, John Hawke.

STATEMENT OF HON. JOHN D. HAWKE, JR., COMPTROLLER, OFFICE OF THE COMPTROLLER OF THE CURRENCY

    Mr. HAWKE. Madam Chairwoman, Congressman Vento, and Members of the subcommittee, thank you for the opportunity to testify about an issue that has enormous ramifications for the banking industry and their customers—financial privacy. The relationship between banks and their customers is built on the pervasive assumption of customers that their banks will maintain the confidentiality of that relationship. While technological advances and the demands of a competitive marketplace have placed a premium on the availability of personal information, often at the expense of personal privacy, the way in which banks respond to these pressures is of enormous importance. If banks fail to honor customer expectations that personal information will be kept in confidence, they will impair the most priceless asset of their banking franchises—the trust of their customers. Thus, privacy is not just a consumer issue; it is an issue with long-term implications for the vitality and stability of the banking system.

    By its very nature, banking is driven by information. Bankers have always relied on access to personal financial information to make fundamental judgments about their customers' qualifications for financial products and services. Information exchange has thus served a critical market function which has benefited consumers and financial institutions alike by facilitating credit and other financial transactions.

    Recent advances in technology that permit the efficient collection, storage, analysis and dissemination of vast stores of information, coupled with the changing structure of the financial services industry and the development of efficient new delivery systems, have increased the market value of customer information. Although financial conglomerates may profit from the cross-marketing opportunities and consumers may benefit from the availability of a broader array of custom-tailored products and services, there is a serious risk that these developments may come at a price to individual privacy. The challenge is how to balance those competing considerations.

    H.R. 10 as passed by the House adopts a measured approach which provides consumers with notice and choice about certain of the information-sharing practices of financial institutions, without impeding the flow of information essential to doing business. This is a positive step in assuring customers that their information will be handled appropriately and providing consumers with increased control over their personal information.

    In my view, however, a serious question can be raised whether H.R. 10 adequately protects the confidence of customers in the confidentiality of their relationship with their banks. In his May 4 proposal regarding privacy, the President indicated his support for legislation that would give consumers control over the use and sharing of all their financial information, both among affiliates and with non-affiliated third parties. H.R. 10 is a good first step toward meeting that goal, but I believe customers will expect more. In particular, the distinction that H.R. 10 makes between information sharing with affiliates and non-affiliates, allowing customers to opt-out with respect to the latter, but not the former, is, I believe, likely to erode customer confidence rather than enhance it.

    Is it realistic to think that customers will see a meaningful distinction between information sharing within the same corporate family and with unrelated entities? Will customers believe that the legislation adequately covers their reasonable expectations regarding the use and transfer of confidential information they have imparted to their banks? If the answers to these questions are in the negative, the failure to provide protection for the sharing of information with affiliates could have a profound effect, particularly in a world of expanded financial conglomeration on the willingness of customers to maintain the kinds of relationships with the banking system that they have had in the past. I should mention when I was with the Treasury Department in Mr. Gensler's position, we did a survey of the unbanked and found that at least 25 percent of the people who do not have bank accounts gave concerns about confidentiality as one of their reasons. While the desire of bankers to take advantage of new cross-marketing opportunities is entirely understandable, a primary objective of policymakers should be to assure that doing so does not cause fundamental damage to the banking system.

    I cannot overstate the importance of addressing consumer expectations about the confidential treatment of financial information to maintaining the public's confidence in the banking system. And I urge that, in crafting an appropriate response to consumer privacy concerns, banks and Congress put themselves in the shoes of a customer and ask, ''Will my financial institution use my personal information in a manner consistent with my expectations, and will I have any control over the use of my information?'' Whatever legislative formulation ultimately results, American consumers deserve the right to be able to answer ''yes'' to those questions.

    Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you.

    Mr. Pitofsky, Chairman of the Federal Trade Commission.

STATEMENT OF ROBERT PITOFSKY, CHAIRMAN, FEDERAL TRADE COMMISSION

    Mr. PITOFSKY. Thank you, Madam Chairwoman, and Mr. Vento and Members of the subcommittee. I appreciate the opportunity to present the Commission's views on H.R. 10. The FTC has been involved in developing consumer rights in the area of privacy for some time. I am pleased on behalf of a majority of the Commission to support fully H.R. 10, which concerns privacy in the financial sector.

    Privacy is not a set of issues where one size of regulation fits all. But when it comes to financial records, Congress and the regulatory agencies have been consistent and clear that privacy rights are especially important. All studies that I am aware of show that consumers care deeply and have expectations about the way in which their personal financial information will be treated. The heart of privacy protection must be notice, which is a clear and conspicuous disclosure of what are the privacy policies of financial institutions, and consent, opportunity for consumers to deny to financial institutions the ability to sell or otherwise transfer personally identifiable information. H.R. 10 does that.

    Now, just a week ago on behalf of the Commission I testified before another committee with respect to privacy in the online universe and the majority of the Commission looking at the progress of self-regulation took the view that at this time we ought to allow self-regulation to proceed awhile to see if it really gets to the finish line. If it does not, then legislation would be appropriate. But I want to emphasize that the Commission unanimously does not believe that is the right prescription in this area. On the contrary, financial information is different. It is different for the reasons that I have already stated. Consumers believe it is different, and they have a different set of expectations. Congress has treated financial information differently time and time again. The regulatory agencies have acted as if it is different.

    Now, I do believe that H.R. 10 should go a step further. It should include a provision that applies these essential rights of notice and consent not just to financial institutions when they transfer information to third parties, but also to transfers between financial institutions and their affiliates. Typically consumers do not appreciate the complex ownership and control relationships between conglomerate corporations and therefore are not aware that privacy protections might not apply to a transfer of information to a financial institution to one of its affiliates. I don't know myself all of the affiliates of my bank or other financial institutions that I deal with, and I can only assume that consumers are a little bit like me. If they should have the right to notice and consent generally, they ought to have the right to notice and consent when it comes to affiliates.

    Finally, I am pleased to support the important provisions of H.R. 10 that outlaw the practice of obtaining personal financial information by deceit or pretexting. The Commission supports civil and criminal sanctions against pretexting and in April of this year, brought what I believe is the first and only Federal court challenge involving pretexting. The complaint alleges that the defendants violated Section 5 of the Federal Trade Commission Act when they obtained consumers' private information from a bank by impersonating bank account holders and making false statements to financial institutions to induce the disclosure of consumers' private financial privacy. Statutory confirmation that pretexting is unacceptable is useful and the right thing to do.

    In conclusion, the financial modernization which is the heart of H.R. 10 can produce great improvements to the economy and benefits consumers. On the other hand, it is important, as the sponsors of H.R. 10 recognize, to ensure that this step forward is not accompanied by strong measures to protect consumer privacy.

    Thank you very much.

    Chairwoman ROUKEMA. Thank you.

    Ms. Nazareth, Director of the Division of Market Regulations of the SEC.

STATEMENT OF HON. ANNETTE L. NAZARETH, DIRECTOR, DIVISION OF MARKET REGULATION, SECURITIES AND EXCHANGE COMMISSION

    Ms. NAZARETH. Thank you, Madam Chairwoman, Congressman Vento, and Members of the subcommittee. I am pleased today on behalf of the SEC to testify regarding financial privacy.

    The Commission supports the legislative efforts that are currently being made to enhance financial privacy and believes that H.R. 10 is an important step in creating a consistent and enforceable privacy protection framework for American investors.

    To begin with, I think it is fair to say that most of us expect our financial transactions and financial information to be private. Meeting this expectation is one way that financial services providers demonstrate their integrity and earn their customers' confidence. That confidence is essential to the continued success of our financial markets and institutions, including those that the Commission regulates. Although the Federal securities laws do not contain an express requirement for registered broker-dealers, investment advisers or investment companies to safeguard their clients' personal financial information, the Commission has reminded these entities that as financial professionals they should protect this information. More particularly when broker-dealers, transfer agents and investment advisors deliver personal financial information through an electronic means, the Commission has required them to take reasonable precautions to ensure the integrity, confidentiality and security of that information.

    In addition to being regulated by the Commission, broker-dealers are regulated by securities self-regulatory organizations, or SROs. We believe that these SROs, which are required to have rules to promote just and equitable principles of trade, have the authority to address privacy concerns. SROs have used this authority to bring disciplinary actions.

    Until recently the privacy of customer financial information has not been an issue for most businesses. As a practical matter, the inability of business to share information on a large scale has protected customers' financial information. In addition, businesses had, and still sometimes have, commercial reasons for wanting to retain control of their own customer information.

    The landscape is changing. The exponential growth in electronic commerce and technology means that more information can be collected, not to mention stored, sorted and analyzed more quickly than ever before. Financial modernization and the consolidation among banks, securities firms and insurance companies portends the development of huge databases of customer information.

    There is, however, another side to the coin. Financial institutions often have a legitimate need to share personal financial information. A good example of this is credit checks. Another example is when a customer does business with two affiliated companies, and the companies share information in order to save the customer time and trouble.

    So what is the difference between legitimate information sharing and violations of a customer's privacy? The key here is the customer's expectations. If a bank customer opens a bank account linked with a securities account offered by a bank's securities affiliate, the customer might expect and even intend for the bank to share information with the securities affiliate. The customer might not, however, expect the bank to share this same information with a third party that was marketing other financial services. As Congress considers the many issues inherent in reforming financial services regulations in this country, it is appropriate that privacy be among these issues. The Commission agrees that Congress, as well as financial regulators, should evaluate how to insure that financial services customers' expectations of privacy are met.

    The Commission supports the provisions in H.R. 10 that enhance the privacy protections available to American investors. More specifically, we support requiring financial institutions to disclose their privacy policies to their customers. We are also sympathetic to giving customers the ability to decide whether their financial information will be shared in some instances even among affiliates, and particularly when it is to be used for marketing purposes.

    Any legislative proposal to heighten financial privacy protections needs to balance a number of concerns. Financial services providers may have to engage in a certain amount of information sharing in order to do their job. They may also use information sharing as a cost saving device. As firms consolidate, they enjoy many efficiencies of scale, including the ability to avoid duplicative information gathering. Customers as well as firms can benefit from these efficiencies. Customers, however, should know when their personal information is going to be shared and they should have a voice in saying how far that information should go.

    The Commission also strongly supports an exception for information shared in the context of executing transactions. Elements of apparently seamless securities transactions often involve parties that must share customer information in order to continue to provide the services customers have come to expect. Depending on the size and structure of the firm involved, these parties may or may not be affiliated.

    In conclusion, I appreciate the opportunity to testify today on behalf of the Commission. We would be happy to work with you and your staff going forward in addressing these issues relating to the SEC, investors and the securities industry generally.

    Chairwoman ROUKEMA. I thank you very much.

    Mr. Reider, President of the National Association of Insurance Commissioners.

STATEMENT OF HON. GEORGE M. REIDER, JR., COMMISSIONER OF INSURANCE, STATE OF CONNECTICUT; PRESIDENT, NATIONAL ASSOCIATION OF INSURANCE COMMISSIONERS

    Mr. REIDER. Good morning, Madam Chairwoman, and Members of the subcommittee. My name is George Reider, and I serve as Insurance Commissioner in Connecticut, and President of the National Association of Insurance Commissioners. I am pleased to be here today to testify on financial privacy issues.

    At a time when it seems that anyone can retrieve your financial information at the click of a button, it is important for consumers to know that protections are in place so that their personal financial information is not unfairly used. The challenge for Congress and the States is to determine how much disclosure is acceptable so companies can do business, regulators can enforce the laws and consumers' personal financial information is protected.

    I will address this balancing act by making four points. My first point: privacy means keeping personal information confidential and protecting the integrity of the regulatory system. Like banks and security firms, insurers collect and have access to personal financial information about their customers. Similarly, State insurance regulators have access to personal information about insurance consumers in their States. Both face the need to share information in order to do business the right way, but both must also protect consumers. People legitimately expect that companies holding personal information will not use it to take unfair advantage of them. At the same time, consumers are realistic. They understand that disclosure of some of their information is necessary for typical business needs, like billing and record keeping. And they know that sometimes disclosure of information can result in real advantages for them in the form of cost savings and convenience.

    Protecting privacy also entails protecting the integrity of the regulatory system. People must have confidence that information is being used to protect them.

    My second point, the States and the NAIC have taken actions so that insurance companies and agents will protect personal financial information. We are constantly working with our fellow States through the NAIC to monitor insurance privacy issues and assess the need for further action. I will give you two examples of privacy laws that we have enacted in my home State of Connecticut.

    Several years ago we enacted a comprehensive insurance information privacy law based upon the NAIC's Insurance Information Privacy Model Act. The law establishes standards for the collection, use and disclosure of insurance information. It seeks to maintain a balance between the need by insurance companies and agents for information and the need of consumers for fairness in insurance information practices.

    In addition to the comprehensive privacy law, we have specifically addressed the sharing of financial and other insurance information by banks that sell insurance and annuities in Connecticut. Like the privacy law, the insurance sales law requires the prior written consent of the customer before the bank may share information.

    My third point. The States and the NAIC are working to ensure that regulators protect confidential information. First, we are revising confidentiality provisions in NAIC model laws to strengthen the ability of State insurance regulators to keep sensitive regulatory information confidential. This will help preserve the privacy of individuals and entities in addition to providing a strong platform for States to use in entering into confidential agreements with State, Federal and international regulators.

    Second, we are addressing confidentiality issues and regulatory information exchanges with other regulators, including some of the Federal agencies represented by the distinguished members of this panel.

    The NAIC recently approved a model consumer complaint information sharing agreement with the Office of the Comptroller of the Currency. The purpose of this model agreement is to ensure that consumer complaints about bank sales of insurance are routed to the proper regulator. Ten States have already implemented agreements based on the model and several other States are scheduled to sign agreements in the coming weeks.

    The NAIC is also working with the Office of Thrift Supervision and the Conference of State Bank Supervisors to develop broad-based regulatory cooperation agreements. We expect these agreements to be completed soon. The model regulatory cooperation agreements have strong confidentiality provisions, making it clear that confidential information is to be protected to the fullest extent possible.

    My final point. Congress should consider improvements to facilitate the protection of confidential regulatory information. In order to protect personal information, the States need to be able to share information to stop bad actors, and we need to be able to prevent the disclosure of that information.

    Congress could take several steps that would strengthen our ability to protect the privacy of personal and financial information. These include amending Federal law to clearly protect confidential information exchanged between State insurance regulators and Federal and international regulators, giving State insurance regulators access to the FBI criminal database so we can better guard against fraud and abuse and protecting insurance information databases operated on behalf of the States from frivolous lawsuits.

    My written testimony contains more information on these proposals and I would be happy to discuss them further here today or in the coming weeks.

    Madam Chairwoman, I applaud you for holding these hearings on this most important matter and certainly appreciate the opportunity you have provided for our testimony here today. Thank you very much.

    Chairwoman ROUKEMA. Thank you.

    Well, I have two aspects of this and they may be closely interrelated, and I referenced them in my opening remarks, and in one form or another you have addressed them, but not with the precision that I am looking for. Perhaps you could, and Mr. Gensler, I did understand your reference to regulatory flexibility, but—I don't know, did you say not statutory, but regulatory flexibility? The implication is that nobody has recommended statutory language which is clear enough, but don't go into that quite yet until I get to the question of disclosure. Everybody is for disclosure. What my concern is is that someone's definition of appropriate disclosure could be another person's definition of huge loopholes. In my opening statement I did say that the disclosure issue came up in my mind over and over again yesterday: Do we not need a clear Federal statutory requirement regarding what the disclosure should entail and the timeframes? That is question one.

    The other issue I want as many of you as possible to give me a little more specificity on this affiliate question. I tend to agree with you about the affiliate issue as I have understood at least three of you. But the industry, which we will hear from later as well as those we heard from yesterday, is strongly opposed to any interference in the sharing of customer information with affiliates. They oppose additional disclosures, opting-in and other new requirements, because they feel strongly that it will interfere in their business operations and their daily operational needs.

    I would like to hear from you who specifically referenced the affiliate question and the disclosure, Mr. Gensler.

    Mr. GENSLER. Thank you, Madam Chairwoman. First regarding disclosure, on disclosure we think it should be addressed in a statute, and that there should be disclosure both for third parties and affiliates. H.R. 10 did provide for it for third parties. We think that it is critical for consumers to also have an understanding of what is happening with affiliates, that disclosure should be clear and conspicuous—and by that we mean meaningful, that people can see it and understand it—it is not the small type at the end on the back of the documents, and that it be provided at least at the initial account opening and annually thereafter. If that were provided for in the statute, there still, with developments in the future, would be some need for regulatory flexibility to implement that statutory guidance.

    On the affiliate matter, we think that it is critical to address both affiliate and third party notice and choice. With industry consolidations, consumers' expectations of privacy can relate equally to affiliates and third parties. If I am a bank customer of a Maryland bank and that bank happens to affiliate with a California insurance company or it may affiliate with a travel magazine, as could be provided for under H.R. 10, I think it is a reasonable expectation that my private information with a Maryland bank is still with that Maryland bank. H.R. 10 does provide for affiliation with institutions which may be incidental to financial activities and to some extent even activities complementary to such activities.

    In addition, I would also like to note that restricting only third party sharing would tend to confer a competitive advantage on large banks which have many affiliations as opposed to small banks which tend to use third parties to service customers.

    As I noted in my prepared remarks, banks have found that this can work. Under the FCRA, there is notice and opt-out for both third party and affiliate, but particularly I wanted to focus on the affiliate matter and it does work.

    Chairwoman ROUKEMA. Thank you. I am going to violate my own five-minute rule, Mr. Ranking Member, but I do have to hear from one or two others. Would you like to address the affiliate question or the statutory question on disclosure, Mr. Pitofsky?

    Mr. PITOFSKY. Let me say a word about disclosure. That is an area that we have 85 years of experience. First, I think it does make sense for the statute to address the question of content and timing. On clear and conspicuous it is sort of a common law rule. We have a lot of precedent in that area and rule, what is clear and conspicuous in terms of size, and I would be glad to furnish that to the subcommittee in a separate writing.

    Chairwoman ROUKEMA. You may address either the affiliate or disclosure question.

    Mr. Hawke.

    Mr. HAWKE. I would simply repeat what Mr. Gensler and Chairman Pitofsky have said about the affiliate question and disclosure.

    I think the distinction between affiliates and non-affiliates is untenable. I don't think customers make that distinction. But, the point that concerns me most is what the failure to have that protection means for the long-term health of the banking system.

    There is another point here, Madam Chairwoman. The chamber of horrors described by the industry with respect to the burdens of an opt-out from affiliate sharing needs close examination by the subcommittee. I think that organizations that want to share customer information with affiliates can make a pitch to their customers as to why it is in the customers' interest to share, and I think a great many customers will be persuaded that it may benefit them to allow information sharing. It is not simply a passive proposition where the institution cannot tell customers about the benefits of information sharing.

    Chairwoman ROUKEMA. Thank you.

    Ms. Nazareth, did you want to add something?

    Ms. NAZARETH. Yes, I generally support everything that has been said here. I don't want to lose sight of the fact, however, that the underpinning of this is that we care about the customers' expectations, and I think the bill as currently drafted does rightfully note that there are certain areas where exceptions to disclosure might be appropriate because it comports with the customers' expectation. They would not necessarily need an opt-out if what you are doing is sharing information among affiliates to do something, such as settle a transaction.

    Chairwoman ROUKEMA. That is where we get into more complexity.

    Mr. Gramlich.

    Mr. GRAMLICH. We did not focus on this issue in our testimony, and I don't want to take a strong position on it. Some of the things said on the panel are undoubtedly true; that is, consumers don't really know all of the affiliates of their financial corporation. There may be a competitive advantage issue, but I would just like to put in a word of caution. What H.R. 10 is all about is permitting the synergies of financial combinations, and so there may be some ways in which it is difficult for people here in Washington to figure out all of these synergies.

    It may be necessary to go through and put in more exceptions into the bill. There are eight now and there may be more if you get into sharing within affiliates. This is just a word of caution. There may be some hidden complications here.

    Chairwoman ROUKEMA. Thank you very much. That is very helpful. But again, we don't have a clear road map here. We will have to keep working on it together.

    Mr. Vento.

    Mr. VENTO. Thank you, Madam Chairwoman. A lot of focus has been on this opt-out and trying to analyze what works. We say that we have 90 percent of the people that are polled want this, but only a fraction of 1 percent actually exercise it. So there is some discrepancy here between the 80 percent and the less than 1 percent that exercise it in my mind's eye.

    There may be a lot of reasons for that. You can blame it on the modus operandi in which the regulators have put the material on the back and the sort of confusing statements that deal with fair credit reporting and if we had it on this issue it would be much more clear. We all know what consumers want. Consumers want to be left alone and not be cross marketed whether it is with a third party or an affiliate. I understand that. I suppose, though, we should recognize that if I am going to do business with a small institution versus a large one, I obviously should expect some differences with regards to what they can and cannot do for me.

    Mr. HAWKE. If surveys show that 90 percent of customers want the ability to opt-out, but only 1 percent are exercising that option under present law, in my mind it would raise an important question about the adequacy of the disclosure of the opt-out. We are not permitted under the FCRA to examine banks except upon complaint. One of the things that H.R. 10 would do is——

    Mr. VENTO. I know. Since 1996 I favor that particular change that you are referring to, Comptroller Hawke. So I understand that issue.

    I am concerned about having some affirmative responsibilities. As you look at the universe and the magnitude of what this privacy legislation and what effects H.R. 10, we are going to go with every bank in the country, with each insurance firm, State and Federal, the magnitude of this is pretty significant considering what we are doing. Obviously if we are cautious about it, and make certain about what the consequences of our actions are, it is important.

    So I appreciate the guidance and help, but I also want to make sure that we do things that are effective. At the same time, Mr. Pitofsky, I went after the FTC because of their avowed devotion to self-regulation with regards to the Internet, but yet of course their enthusiasm for us to go further with the category of institutions which I think ought to have a higher standard as financial institutions, but yet I am trying to understand the difference between the Internet and some of the transactions that might take place on it and the information that is conveyed on it which is financial in nature and personal in nature, and the type of policies that we have before us, and I don't see the differences.

    Mr. PITOFSKY. Well, Mr. Vento, we all want to get to the same place. We all want to ensure that consumers have the opportunity to be told what will happen to personally identifiable information and to opt-out, to consent or not consent. The only question is how is the best way to get there. In the online universe you are dealing with an extraordinarily dynamic new sector of the economy in which self-regulation has moved from notice—14 percent, which we criticize as being terribly disappointing—to 66 percent in one year. So the Commission's view, they have gone from 14 to 66 in one year, let's wait a little while and see if we get all of the way there through self-regulation.

    Mr. VENTO. We are about 66 percent with banks, too, in terms of disclosure statement.

    Mr. PITOFSKY. I don't know what the percentage is there. All I am saying is that the industry was challenged. They went from 14 to 66. Under the circumstances we said if you can get all of the way there through self-regulation, fine. If not, we will be back before Congress after a thorough evaluation. If it bogs down, we will be there recommending regulation. But in light of the progress that has been made, we thought it was premature at this time. That is our only reason for——

    Mr. VENTO. Don't you think that there is a necessity to have a universality in terms of what the foundation is in terms of privacy that would be reflected both in the financial modernization and in terms of the Internet and other commerce and commercial firms?

    Mr. PITOFSKY. No, that is the point that I was trying to make in my testimony when I said this is not an area where one size fits all.

    Mr. VENTO. But some of the foundation should be the same in terms of disclosure in terms of opting-out or opting-in. I think there are certain predicates that should be in place. I think that they need to be adjusted to meet the need, but there should be some common touchstones in these matters. Otherwise regardless of the disclosure, we are going to end up confusing the public. I think there is going to be an avalanche of paper.

    As you look at the legislation, the distinction between commerce and financial institutions is one that is very much blurred within the States, within the class of institutions and the international scene, it is very much blurred. So the weakest link of the chain in terms of commerce and what is lacking in terms of the Internet and the electronic transmission are very much integrated in terms of what is going to happen. So we can build a solid wall here, but it is going to be made of paper in other areas that are going to affect it so it is not going to protect the privacy. We would be misrepresenting that unless we have the type of cooperation and the type of harmonization in terms of privacy issues that are necessary because just the very use of these particular mediums to exchange and communicate and in fact to actually do legal transactions is very much going to undermine anything that we try to do here unless there is some consistency. So there is plenty for everyone to do, including the regulators at the table, that deal with financial institutions and the FTC and of course in cooperation with our trading allies.

    Madam Chairwoman, I have overrun my time. I did want you to know that I was criticizing the FTC for their lack of action in this part, Mr. Pitofsky, coming from a little different view than the minority views that you have.

    Mr. PITOFSKY. Very briefly.

    Chairwoman ROUKEMA. I will give Mr. Pitofsky a moment to respond.

    Mr. PITOFSKY. I wonder whether it is fair—I agree with your essential point, that everybody is entitled to a certain minimum, the only question is how to get there. Lack of action by the FTC, I think we have been out front on this issue for three years now. We were the first one to do a study on how much privacy disclosure there is on the Internet. We brought cases in this area time and time again. The issue is not lack of action, the issue is whether the better way to get there is through, in this area, self-regulation as opposed to legislation at this time.

    Chairwoman ROUKEMA. Thank you.

    Mr. Royce from California.

    Mr. ROYCE. Thank you, Madam Chairwoman.

    I would like to get the perspective of the Board of Governors of the Federal Reserve, Mr. Gramlich, who is with us on that very question, on the question of what the principal problems will be in terms of privacy protection as banks begin to offer more and more of their services over the Internet and the definition of traditional banking products becomes blurred. We see an exponential increase here with Internet activity, and those were considered historically as non-financial, but with this evolution we see these becoming quasi-financial. What do you see the privacy problems are here?

    Mr. GRAMLICH. Well, this is I think what makes this whole issue so hard. The definition of banks is evolving. On the issue that we are just talking about, sharing information among affiliates, as the definition of banks and let's say insurance companies or brokerage firms blurs, it may be harder and harder to know what is an affiliate. More and more activities may be done as departments of the bank.

    So I think the whole question of how you make some of these important definitions is in play here. We are not taking a strong position on a lot of these issues, so I don't want to be anti-privacy or tilt the development of H.R. 10 in any way. It is just that these questions are complicated. They are evolving. It is very difficult to impose a level playing field, if you will, in this area.

    So the subcommittee has to exercise a good bit of caution. That is really my only point. There are a number of legal aspects of this. I am not a lawyer, but we can certainly offer our help to the subcommittee in trying to sort of tiptoe around some of these complications.

    Mr. ROYCE. Thank you. I would also want to ask the Chairman of the Federal Trade Commission a question.

    That has to do, Mr. Pitofsky, with the EU decision that the United States law does not provide adequate privacy data protection consistent with their European Union privacy directive. Could you give us the reasons for the determination and the status of the negotiations that the Commerce Department is having with the European Union over this issue?

    Mr. PITOFSKY. I really cannot. We have not been parties to that negotiation. I know that they have been complicated and difficult for quite a long time, and whether or not the European Union will eventually come around to the view that the United States protection for privacy is comparable to theirs and adequate, I just don't know. I am not really a party to those negotiations.

    Mr. ROYCE. What would the ramifications be if we passed legislation and ended up at odds? Tell me what the ramifications would be?

    Mr. GENSLER. Bob, on behalf of the Administration, as we are working very closely with the Commerce Department, the European Union directive lays out various privacy protections which they believe, the European Union believes, go further and do capture these concepts of notice and choice, access and other affirmative privacy protections.

    The talks continue at this time, and I think that no finding has been made as of this time, but talks continue and they have been active and ongoing.

    Mr. ROYCE. Was Britain in accord with those changes that the EU was making?

    Mr. GENSLER. I believe so. It is part of the European Union, is part of those deliberations within the EU directly.

    Mr. ROYCE. So there is solidarity among the European Union, and the United States is the odd-man-out at this point?

    Mr. GENSLER. As I said, the talks continue. There has been a dialogue. There was some sharing in dialogue as to whether there may be some safe harbors—that the U.S. financial services firms could have safe harbors around notice and choice and access that are sometimes similar to what we are talking about today and sometimes actually go a bit further, and that if American firms comply with those safe harbors, the Europeans would find that we were in compliance. Those talks are ongoing and active.

    Mr. ROYCE. Thank you, Gary. Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you.

    Mr. Inslee.

    Mr. INSLEE. Thank you. Just a general question, one of the panelists suggested where we all are headed and we all want to end up in the same place, and not to be the wet blanket, but I am not sure that is true. The reason is it is my perception that the industry, or at least some of the larger institutions, have a clear and manifested desire and goal to use affiliates, to use private financial information, to use it to mine prospects for marketing purposes, and they are very jealous of their ability to do that and they want to retain the ability to do that.

    The reason that I have that perception or fear is that as we were drafting and working on trying to deal with this issue, I continue to solicit the industry for ways that we could write something to protect consumers' rights not to have their personal information mined for marketing purposes, and still allow banks to do some of the other things that they have to do, prevent fraud, allow checks to clear, and so forth.

    Despite an effort to do that, I never got a specific proposal from the industry on how to do that. Instead I got a rather conscious decision, hey, we want to do this. The question is: Is my perception accurate, and were you ever involved in discussions, any of you, with the industry about how to draft a bill that would in fact meet the bank's legitimate needs to share information for some purposes and meet consumers' needs to be able to prevent that sharing for marketing purposes? Have you ever had proposals from the industry on how to do that?

    Mr. GENSLER. Congressman, we believe that that balance can be found in statute, that exceptions, as we talked about in testimony, can be found. As Governor Gramlich said, maybe there are some additional exceptions necessary in affiliate situations, particularly as it relates to a consolidated account statement, that might be appropriate.

    We have found some hesitancy, as you have noted in the industry group, but we think that it can be found, and with the leadership of Congress and the President hopefully we can move forward and find that right balance.

    Mr. INSLEE. Was there ever—from any of the panelists' knowledge, did the industry ever make a proposal about how to do that that was somehow rejected by the Administration? Has there ever been a proposal about how to reach that balance from the industry that you are aware of?

    Mr. GENSLER. Not that I am aware of at the Administration. Around the Fair Credit Reporting Act, we have found that affiliate opt-out can work. I would also take note of another Act that Congress wrestled with a number of years ago, the Telecommunications Act that deregulated significantly that industry—not at all dissimilar from the actions of this subcommittee and this House on banking and insurance and securities. Incorporated in that Act is privacy protection as it relates to your telephone records. There is clear notice and consent on affiliate sharing of your telephone records. That had to be grappled with and handled sensitively, and have various exceptions in that context.

    So I think industry can do this, and Congress has wrestled with it with a number of acts—in the cable area, the Department of Motor Vehicle Act a few years ago—as this subcommittee is wrestling with this now on this industry.

    Mr. HAWKE. At the risk of belaboring a point, there is nothing inherent in the concept of affiliation that is likely to give consumers any greater sense of confidence that sharing with affiliates is going to be less of a threat to them than sharing with non-affiliates. The definition of affiliates that presumably would be used here relates to 25 percent common stock ownership. So you theoretically could have two companies whose only relationship is that one has a 25 percent stock holding in the other, and they would be deemed affiliates, and information could be shared without giving an opt-out even though the affiliate did not have any particular incentive to protect the bank's fundamental relationship with its customer that we are so concerned about.

    Mr. INSLEE. A quick question. My perception is that the American public has absolutely no clue what has been going on in this marketing situation in that when these news reports hit it really was a bombshell, at least in my district, on people's perception. And I believe, and I am going to ask you if you share my belief, if, in fact, the CEOs of major banks called their consumers and said ''We are going to do computer profiling of you, and we are going to find out if you have some cash, and then I am going to tell my affiliate to call you at 6:00 at night and try to sell you hotstock.com stock because we think you need it.'' I believe there would be a very high percentage of people who would opt-out with vigorous language to the CEO, and I wonder if you share my perception?

    Mr. HAWKE. One of the problems that we encountered in connection with the telemarketing episode was that the telemarketers were not indicating that they had information from a bank. They had customer account numbers or access to customer account numbers, but it wasn't until the customer saw charges appear on their bank statement or credit card statement that they realized that there must have been a connection. At the time of the contact, no bank was identified.

    Mr. INSLEE. Thank you.

    Chairwoman ROUKEMA. Thank you, Mr. Inslee.

    Mr. Bentsen.

    Mr. BENTSEN. At the outset, I want to publicly thank Mr. Hawke and Mr. Pitofsky as well as Ms. Nazareth. I recently had some public hearings in my district on fraud prevention among the elderly and Sam Golden and Craig Stone from the Comptroller's Office were there and did a great job. Mr. Pitofsky, Jim Elliot from your Dallas office and Andrea Foster from your Atlanta office came and did a very good job, and Harold Degenhardt, who is the Regional Administrator of the SEC, came down as well. There were also people from the FDIC and OTS, and at the appropriate time I will publicly thank them. I was surprised at the quick reaction I got from the financial regulators to my request, and very appreciative.

    I have a number of questions. Governor Gramlich, you raise a point in the broad sense that the Congress needs to think about, which is why are we doing H.R. 10 in the first place, if we are creating a new bank charter model that allows for additional powers, but we are trying to keep them somewhat out of the bank. We are not looking to try to create a structure that is the sum of the parts of the revenues. You might as well have a holding company that has a widget company and a ranch and something else and not have any synergy among it, and we will see if that works versus some other. We are trying to create a new bank model that meets the current demand in the marketplace and creates some synergies that are there. Consumer privacy notwithstanding, I think we should think long and hard about that before we take some strong positions, which I think the Administration has taken today without really thinking them through, and I regret to say that because I have the greatest respect for all of you on this.

    The questions that I would like to get answers to, Mr. Hawke, you talked about an affiliate in the context of the Bank Holding Company Act, 25 percent joint stock ownership. Would you have the same viewpoint toward a wholly owned subsidiary of a bank; say if you had an operating bank subsidiary structure, would you treat that the same as an affiliate under the current definition of a bank holding company?

    Second of all, under the Fair Credit Reporting Act, if I read your testimony correctly, transaction and experience information may be shared with affiliates and is not subject to an opt-out or is it subject to an opt-out because the way that I read it, it is not subject to an opt-out and other personal information is, and should we apply that same standard in the context of H.R. 10? Functionally, can you have an opt-out with respect to information sharing that doesn't require subsequent opt-in, and I think Ms. Nazareth mentioned this point on stock clearing and things such as that. I don't know, but is there a situation that would be out there where you would have an opt-out and then in order to make a transaction work you have to come back and say gee, you opted-out and now you have to opt-in and how does that work? It may just be a functional problem that exists there. Is there anything in H.R. 10 or in current law which in some way shields liability to the bank for misuse of private consumer information?

    Mr. HAWKE. Let me answer the first question. If Congress in its wisdom were to adopt the version of H.R. 10 passed by the House, we would be only too happy to apply an opt-out from information sharing with operating subsidiaries.

    Mr. GENSLER. Congressman Bentsen, let me answer your broader question because I think it is a very good question and a challenging one. I think the Administration supports financial modernization and there are many benefits to consumers and to the markets of financial modernization.

    The efficiencies that come with consolidation, potential industry consolidation, we think are broader than just in the area of cross marketing. There are many efficiencies in providing service, there are many benefits of mergers that come with having geographic diversity or product diversity.

    We do also think that the benefits of cross marketing still would exist even if there were notice and choice. As has been pointed out, many consumers would still decide to let the cross marketing occur, and it would be only some who would decide not to through an opt-out.

    What we think is important is to notify consumers how information is shared, and then recognize the diversity of the American people. Some would value their privacy protection above those benefits.

    At the same time, we are supportive of a series of exceptions so that transactions can occur, so that many of the benefits can occur. But as it relates to that which is profiling the individual and his lifestyle, we think that we should recognize the diversity of Americans and allow Americans the option to choose to opt-out and allow financial institutions to gain the great benefits of consolidation that exist.

    Mr. BENTSEN. With respect to fair credit reporting?

    Mr. GENSLER. I'm sorry, your question on fair credit reporting was whether today there is notice and opt-out for the affiliate for the credit report. As I understand it, there is. There is currently not for transactional experience data, and we are suggesting complementing that and adding transactional.

    Mr. BENTSEN. So you would expand fair credit reporting?

    Mr. GENSLER. No. Again I don't know if there is a technical question with regard to that. Through H.R. 10, as you have complemented privacy protections for third parties, we would complement it for the affiliates. I don't know if the vehicle would be specifically in the Fair Credit Reporting Act, if that was your more technical question.

    Mr. BENTSEN. And legal liability?

    Mr. GENSLER. The question on legal liability, if I can have a moment just to see if anyone—could you repeat it?

    Mr. ROYCE. [Presiding.] Why don't you repeat the question.

    Mr. BENTSEN. Is there anything in current law or H.R. 10 that would shield liability to the bank or the provider from the consumer for the misuse of private financial data? Are we creating any safe harbor?

    Mr. HAWKE. The first question is whether there is any damage to consumers. There is a whole body of common law that has recognized rights of action by customers against banks when confidential information has been used in a way that causes injury to the customer.

    Mr. ROYCE. But Mr. Hawke, Mr. Bentsen's question, is there some precedents in the legislation, H.R. 10, which puts in a safe harbor or in some way overturns common law in that regard?

    Mr. HAWKE. I am not aware of anything in H.R. 10 that affects that.

    Mr. GENSLER. With the benefit of terrific staff work, we are not aware of any preclusion of liability in H.R. 10. We are not aware of any additions in H.R. 10, and we have not taken a position on private right of action. We have just said there should be a regulatory authority to enforce the provisions of H.R. 10.

    Chairwoman ROUKEMA. [Presiding.] Thank you.

    Mr. Gonzalez of Texas.

    Mr. GONZALEZ. Thank you very much. The question is more directed to Mr. Gensler than to anyone else. However, if anyone else has an opinion, if you would please address the question.

    Under the statutory scheme that you describe as far as maybe addressing certain problems, exempting certain people, things that we always call ''exceptions,'' if we address these exceptions legislatively, the question is would we be able to respond on a timely basis as the marketplace changes and technology changes. The legislative process has never been characterized as timely, especially with the speed of change in today's marketplace. Is there any other way to address it other than through ''exceptions'' language?

    Mr. GENSLER. I think, Congressman, you raise a very good point. What we anticipate and suggest is that statutorily you provide for a series of exceptions which we believe can be appropriately drafted. Drafted in a narrow sense with a clear prohibition on reuse. If there is an exception, you don't want to have a large loophole. Then provide for regulatory authority through the customary public comment process to write rules and to enforce those rules going forward. So there would be some flexibility around the regulatory process with some clear, narrow exceptions as this subcommittee and the House work on H.R. 10.

    Mr. GONZALEZ. Anyone else?

    Mr. REIDER. Just a brief comment. As I commented in my prepared remarks this morning, as a State regulator and part of the NAIC, we constantly monitor what we feel are concerns on the part of the consumer, and we go out and do an on-site review of a company, and if we see any abuse, that can result in a penalty or a recommendation of a regulation or statute to protect that consumer.

    Let me give you an example. In the State of Connecticut we have the Privacy Act, and in this last legislative session there was concern over medical privacy. So the law was changed so that information cannot be shared in any way, shape or form, even among affiliates without express permission of the person.

    I do agree that we pretty much all come from the same place here and that is we have that responsibility, but it is a moving target. We have done some work with the Federal people on the Citi-Travelers situation, and we are prepared to work closely together to monitor what occurs in the coming months.

    If you look at affiliates today, that may mean one thing. And in a conglomeration, it may mean something different. And as that unfolds, we are going to have to see if there is abuse.

    There was also mention of encouragement of the industry to police themselves. The American people may not understand all of the specifics, but I can assure you being close to the home base, and as your offices know from contact that the American people are concerned and want to be sure that we approach this in a very balanced fashion.

    Chairwoman ROUKEMA. Thank you.

    I believe that Mr. Sandlin of Texas is next in order.

    Mr. SANDLIN. Thank you, Madam Chairwoman. I have no questions right now.

    Chairwoman ROUKEMA. Ms. Mahoney.

    Mrs. MALONEY. It is Maloney.

    Chairwoman ROUKEMA. I apologize. I know who you are.

    Mrs. MALONEY. I would like to follow up with the comments, I guess, that was the State regulator, George Reider.

    Do you think that Federal law should be a floor and that tougher State laws should remain regarding medical and financial privacy?

    Mr. REIDER. Let me comment on this specific matter. The NAIC has deep concern, and we have expressed our thoughts on H.R. 10 and have attempted to work with others. We have not taken a specific opinion on privacy. As a practical standpoint, we do not believe in the preemption of State laws. Under H.R. 10, and we strongly support the fact that there should be financial services modernization, but we have to be certain that consumers are protected, and in H.R. 10 it states that the State regulators shall have the authority to regulate the business of insurance, but conditioned on Section 104. I am not here to make a statement other than to say as you are looking to protect privacy and the States already have laws protecting consumer privacy, as I shared with you the recent change in the legislature, I don't think that you want to do anything to disturb those State laws.

    Again, I think that it is important as you are changing the playing field that we be sensitive to this particular matter. But we believe that we should work in a cooperative way, and I can say clearly that we do not believe in State pre-emption.

    Mrs. MALONEY. Are you aware of any State laws that would be in jeopardy of being pre-empted with regard to affiliate sharing?

    Mr. REIDER. We will review that legislation and review what is said here. When it refers back to Section 104 we do have a concern that there is some pre-emption, and we would want to be sure to protect people's privacy.

    Mrs. MALONEY. I would like to ask Governor——

    Mr. GENSLER. Just on that, I did want to try to answer your question.

    There are numerous State privacy laws with regard to medical privacy that, it is the Administration's belief, the provisions as currently incorporated in H.R. 10 would run the risk of pre-empting; and the Administration is very concerned about allowing H.R. 10 to pre-empt those, in some cases, stronger State laws.

    With regard to financial privacy, while we think it might be appropriate to clarify that on financial privacy, H.R. 10 does not preempt State laws. We believe it has been written in such a way that it does not pre-empt those laws.

    Mrs. MALONEY. Thank you. Governor Gramlich.

    Actually Mr. Reider, you mentioned earlier the talks with the Citi and Travelers negotiations on privacy and medical privacy protections. Do you think that H.R. 10 as drafted, helps, harms or maintains the principles that you have been striving for in that particular approval?

    Mr. GRAMLICH. In medical privacy?

    Mrs. MALONEY. Medical and financial privacy. All privacy.

    Mr. GRAMLICH. Well, in financial privacy I think the testimony said on balance it does, but there are differences because the Fair Credit Reporting Act, as you have heard, already applies to affiliates, though to a narrower type of information. If H.R. 10 were changed in the way that the Administration wanted it, then it would clearly strengthen privacy. I think there is no question there.

    So I think on balance since it applies to a broader set of information, that there would be strengthening.

    On the medical privacy, we are a central bank. I don't want to get into that issue. We did mention in the testimony one example, but it was just an example to show how consumers value privacy. I meant to use that as an example, not to wade into the whole question of medical privacy.

    Mrs. MALONEY. If we are going to be limiting sharing for purposes of marketing, I would like to ask any or all members how would you define marketing and are there other secondary uses of information that might not be covered by this?

    Mr. GENSLER. The approach for some of the reasons that you have just raised, the approach that the Administration has suggested is that consumers get clear notice and choice and that they be allowed some exceptions, but the exceptions would sort of work down. So rather than saying it is prohibited or there must be choice for marketing, it would be that there is choice for all of the uses of this private information, and yet here are the exceptions, as H.R. 10 did in eight categories, here are the exceptions where that choice would not be allowed to stop that sharing, but for some of the reasons that you just raised in your question.

    Mr. REIDER. I would like to say when I spoke of the change in the law regarding personal medical information, that was not specific to the Travelers by any means. That was a more general comment.

    Chairwoman ROUKEMA. I might say that you have raised an important question with respect to whether or not these State laws are preempted. My position is that we will have to work on this issue and see how it can be addressed in conference. But my interpretation, or at least our staff interpretation, is that the State laws are not preempted. There may be some need for clarification on this point. I do not believe that was the intention. I would be happy to have any further comments or legal analysis that you have on this point. Please send it to us and address it to the Members of the subcommittee.

    Mr. GENSLER. We would be glad to share that, particularly on the medical side.

    Chairwoman ROUKEMA. Yes, I was referring to medical privacy.

    Mr. VENTO. If there are exceptions in this bill, it has been implied that it is riddled with exceptions that are unnecessary, if you come across those that are unnecessary, I would like you to point them out for me. I know that there is one for marketing which applies to small institutions that generally do their marketing through third parties which deals with some of the disparity referred to by Mr. Gensler. If that is the case, I would like to know about it.

    We also have the debate about the unrelated service and products issue. That might be a way to deal with some of the marketing for affiliates to come back and look at it a different way. If it is just a matter of writing a software program, I would like to know that. Nobody has asked that question. But I think it probably involves more than that. The exceptions written in work for third parties, but they may not be workable for affiliates. So a lot revolves around these exceptions; and I think, Madam Chairwoman, you would agree that trying to understand that or get through that is important.

    Chairwoman ROUKEMA. Yes. We have to understand that if we are going to avoid these so-called unintended consequences.

    Mr. VENTO. Or the suggestion that the regulators will not regulate. I guess at some point we have to hand this over to you and ask you to make it work. So if you have problems with the exceptions or it is not clear—and one of the examples I was giving the staff, does disclosure and affirmative responsibility apply to all affiliates, and the language is not clear that it does. So clearly that needs to be established, that they are under the same presumption of responsibility that the initial institution is.

    Chairwoman ROUKEMA. Mr. Watt, do you have questions? I am trying to conclude this panel before a vote. Of course you can never predict when that vote will occur.

    Mr. WATT. I think I will pass in light of the fact that I had to be late coming in, and I don't want to duplicate any questions that have already been asked.

    Chairwoman ROUKEMA. And of course under the rules, Mr. Watt, you are free to submit follow-up questions in writing to the panel.

    All right.

    Yes, Mr. Dingell.

    Mr. DINGELL. Madam Chairwoman, thank you for the privilege of joining the subcommittee and asking one quick question.

    Your testimony emphasizes the President supports the right to say ''no'' as to financial privacy being shared and sold. Is this option the best response or should we be looking for something new? Or is the opt-out provisions in the statute the best we can do and maybe if the panel can respond to that.

    Mr. GENSLER. I think the Administration supports all of the dramatic effort that the House has done, but sees the House provisions in H.R. 10 as a floor and not a ceiling. We think that it would be appropriate to have opt-out and choice provisions for affiliate sharing as well. And we have commented in our testimony regarding the importance for exceptions, but they need to be narrow exceptions. And then we have highlighted some of our concerns on medical privacy, as well and the concerns around the medical privacy provisions as provided in H.R. 10.

    Mr. DINGELL. Does anyone else on the panel wish to respond to the question? Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you. We express our extreme appreciation for all of your help here today. I know that this will be an ongoing process. We look forward to working closely with all the witnesses from the first panel for your advice.

    Mr. Vento had to leave for a vote in the Resources Committee, and he advised me to go ahead and introduce the second panel and begin the testimony. We hope to get the second panel underway before we have a series of votes.

    We are looking forward to the second panel with great anticipation. You have heard the first panel so you can understand that there are some issues here between regulators and groups representing the banking, securities, and insurance areas, as well as medical trade associations. There are some differences of opinion. I hope that they are not going to prove to be irreconcilable, but they do deserve a full hearing here. We welcome you all here today.

    In the order in which you will be giving testimony, Mr. Richard Fischer is a Partner in the law firm of Morrison and Foerster. He is testifying on behalf of the American Bankers Association, the Consumer Bankers Association and the Financial Services Roundtable and Visa, U.S.A., Inc. That is quite an array of talent there.

    Mr. FISCHER. It is quite a challenge.

    Chairwoman ROUKEMA. The second witness will be Mr. Brandon Becker, who is also a partner with a law firm, Wilmer, Cutler & Pickering. Mr. Becker is testifying on behalf of the Securities Industry Association, SIA.

    The third witness is Roberta Meyer, Senior Counsel, Consumer Affairs Unit of the American Council of Life Insurance. Ms. Meyer is representing the life and health insurance industry here today.

    The fourth witness is Mr. Matthew Fink, President of the Investment Company Institute. Mr. Fink is representing the trade association for the mutual fund industry.

    The fifth witness is Dr. Donald Palmisano. Dr. Palmisano is a trustee of the American Medical Association and is speaking on their behalf today.

    Our final witness is Dr. Richard Harding, who is Vice President of the American Psychiatric Association.

    Just to alert our final two panelists, I cannot resist this. I use this line all the time as part of my confessional. I am married to a doctor and I worked his way through medical school. The confessional part of this is he and others have accused me ever since of practicing medicine without a license. I am just putting you on the alert. I have some firm beliefs on medical ethics and the practice of medicine.

    Thank you very much.

    Mr. Fischer.

STATEMENT OF L. RICHARD FISCHER, PARTNER, MORRISON AND FOERSTER, ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION, CONSUMER BANKERS ASSOCIATION, FINANCIAL SERVICES ROUNDTABLE, AND VISA U.S.A., INC.

    Mr. FISCHER. Madam Chairwoman and subcommittee Members, my name is Rick Fischer. I have worked on privacy issues for nearly 30 years. I appear today on behalf of the American Bankers Association, the Consumer Bankers Association, the Financial Services Roundtable and Visa U.S.A.

    These past two days you have heard much about financial privacy. The testimony shows that privacy is very complex. Because this is the last panel, I will avoid many of the issues that have already been covered by others, such as the industry's history of protecting privacy and the many laws that already deal with the subject. They are discussed in my written statement.

    The organizations I represent here today have been active on privacy issues for years, and they have supported privacy legislation, when appropriate, including recent congressional efforts to address identity theft and pretext calling. I first appeared before this subcommittee in 1978 to support passage of the Financial Privacy Act to restrict Government access to bank customer records.

    Nevertheless, the importance of information to the American economy in general cannot be overstated. Many experts, including Federal Reserve Chairman Greenspan, credit the strength of the U.S. economy today largely to the availability of information, and it is particularly important to financial institutions. It is critical, for example, to a bank's ability to control risk and combat fraud.

    It also enables banks to improve services in countless ways that benefit consumers. Information sharing allows banks to offer one stop shopping. A customer can through one monthly statement or through telephone calls make decisions about a checking account, mortgage loan, and other services from a bank and its affiliates. Information sharing also is key to the secondary mortgage market and its lower interest rates. It also allows a bank to offer higher savings rates or lower loan rates to customers of its affiliates.

    These are examples of information shared for marketing purposes—an appropriate use of information which directly benefits consumers. More is set forth in the written testimony.

    In fact, as Governor Gramlich pointed out this morning, one of the principal benefits of H.R. 10 is that consumers will be provided with greater choices and opportunities from banks, and banks will be able to broaden their relationships with customers. Thus, further redistributions on the flow of information could have unintended effects on the U.S. economy, consumers and banks alike. Such restrictions would harm consumers by reducing the availability of products and services consumers demand today. New sharing restrictions also could stifle the development of new products and services.

    With this in mind, I want to make three points about the privacy provisions of H.R. 10. First, we believe that clarifications are necessary to avoid significant unintended effects. I think earlier testimony makes this quite clear of the need for those clarifications. For instance, H.R. 10 could threaten popular programs that provide frequent flyer miles, gas rebates and other benefits to consumers. We have also heard this morning questions about competition between large and small financial institutions. I don't believe that the legislation was intended to create those problems. I think clarifications would solve them.

    Second, as you have heard, privacy is a complex issue. Every single member on the prior panel talked about the complexity of this issue. As Governor Gramlich and Chairman Pitofsky have said, enacting new privacy legislation requires a careful balancing effort. This is especially true in a competitive industry like banking. No bank could survive with a reputation for indifference about customer confidentiality. I think the actions and reactions on the West Coast demonstrate that the market works in this regard.

    Third, as the panel of experts said yesterday, if Congress enacts the H.R. 10 privacy provisions, they should be the uniform law of the land so that the same requirements apply to all financial institutions, and the same protections are given to all consumers across the country. In the meantime, we look forward to working further with the Congress and bank regulators on privacy matters. For example, we would welcome the opportunity to undertake joint Government-private sector efforts to further educate consumers about privacy issues.

    Thank you. I would be happy to answer any questions.

    Chairwoman ROUKEMA. Thank you. There are going to be a series of votes on, but I believe we have time for Mr. Becker of the SIA to give his testimony. Mr. Becker, please.

STATEMENT OF BRANDON BECKER, PARTNER, WILMER, CUTLER & PICKERING, ON BEHALF OF THE SECURITIES INDUSTRY ASSOCIATION

    Mr. BECKER. Madam Chairwoman and Members of the subcommittee, my name is Brandon Becker and I am a partner in the law firm of Wilmer, Cutler & Pickering. Today I am appearing on behalf of the Securities Industry Association. Madam Chairwoman, we commend you and other Members of the subcommittee for holding these hearings which fill an important gap in the record concerning financial modernization.

    As you know, last June SIA called for hearings such as these when it stated its support for the House financial modernization legislation. Accordingly we very much appreciate your prompt consideration of these issues.

    The most important point to underscore today is that the best and most dependable constraint on the misuse of customer information is the competitive marketplace. A firm that uses customer information in ways customers find objectionable quickly will lose investor confidence and market share as well.

    Moreover, wholly apart from the privacy provisions of H.R. 10, consumers already enjoy legal protection against the misuse of their financial personal information. A broad set of common law principles, statutory provisions and administrative regulations impose on securities firms a duty to protect private information that customers entrust with them. Thus, it is important to recognize that Congress need not address in H.R. 10 all potential types of misuse of customer information in the financial services industry. Other safeguards do exist.

    In the context of financial modernization legislation, however, SIA supports the privacy provisions of H.R. 10 because those provisions take a market-based approach for protecting consumer privacy. Instead of imposing a set of new one-size-fits-all regulatory burdens, the privacy provisions of H.R. 10 promote privacy by enhancing consumer choice and thereby bolstering the operation of competitive market forces.

    Nevertheless, additional privacy regulation is unnecessary and could in fact be harmful to consumers. For example, restrictions on information sharing among affiliates would impose significant administrative costs on diversified financial services firms. An opt-out right that applies to the internal sharing of information among affiliates would effectively prohibit the use of shared computer systems and require firms to incur substantial development costs to develop and maintain stand-alone bank office systems for each of their affiliates leading to duplicative costs and inefficiency.

    Accordingly, Congress should amend H.R. 10 to preempt State laws that might impose additional, more burdensome regulations. Several States are considering such proposals today. In today's national market for financial services, however, firms cannot reasonably comply with 50 different and sometimes conflicting standards for privacy protection. Thus the State that adopts the most restrictive privacy regulations will set the policy for the Nation, because national financial services firms will have to conform their nationwide operations to that State's regulations.

    Congress should not let individual States override its judgment that with H.R. 10's comprehensive information disclosure provisions in place, further privacy regulations are unnecessary. Although the SIA supports the privacy provisions in H.R. 10 as part of Congress's financial modernization initiative, two of its specific provisions need modification.

    First, the language in Section 501 describing the congressional purpose behind the privacy provisions has the potential to be misconstrued as providing a basis for a private cause of action under State common or statutory law.

    Second, the language in Section 503 requiring annual notification about privacy policies is unduly burdensome and unnecessary. This provision would appear to require a firm to make annual privacy disclosures even to customers that are inactive and that do not otherwise receive any regular notices from the firm. Congress should modify or eliminate this annual disclosure requirement.

    Finally, SIA believes that it's crucial that Congress not alter the exceptions in the legislation that are carefully tailored to ensure the disclosure and opt-out provisions do not impede standard and appropriate industry practices.

    In conclusion, I would again like to thank the subcommittee and Madam Chairwoman on behalf of the SIA for providing this important opportunity to share our views on the privacy provisions of H.R. 10. SIA believes that the prompt enactment of financial services modernization is essential for the Nation's growth and the enhancement of consumer services. Within that overall context of reform, SIA believes that notwithstanding the existing protections for consumer privacy interests, the H.R. 10 privacy provisions are an acceptable way forward to address both business concerns and consumer expectations.

    Thank you again for this opportunity. I welcome any questions.

    Chairwoman ROUKEMA. I thank you, Mr. Becker.

    I think this is an appropriate time for us to break now. We are going to have a fifteen-minute vote and two ten-minute votes. I'm sorry, it will be three five-minute votes in succession. We should be back here in hopefully 25 minutes to continue this hearing. Hopefully we will be able to gather more Members here at that time for the rest of the hearing. The subcommittee hearing will stand in recess.

    Thank you.

    [Recess.]

    Chairwoman ROUKEMA. The hearing will come to order.

    Mr. Vento has left word that he will be back as soon as possible. He has advised me however, that given the voting schedule that is in progress today, that we begin without him. Of course you do know that all of your testimony will be made a part of the official record. Many Members who cannot be here will be reviewing the official record later. I hope that all witnesses understand that and it is not diminishing the value of your testimony or its impact.

    I would also note for the record that the comments of Mr. Fischer have been noted by MasterCard, which associates itself with the testimony that Mr. Fischer has given. Under the rules of the committee, with unanimous consent, their written testimony will be submitted for the official record.

    Mr. FISCHER. Thank you, Madam Chairwoman.

    Chairwoman ROUKEMA. Thank you.

    And with that I would like to recognize Ms. Meyer of the American Council of Life Insurance.

STATEMENT OF ROBERTA B. MEYER, SENIOR COUNSEL, CONSUMER AFFAIRS UNIT, AMERICAN COUNCIL OF LIFE INSURANCE

    Ms. MEYER. Thank you. The ACLI wishes to thank you for holding this hearing, and for taking the lead on these emerging privacy issues. We appreciate being given the opportunity to present our views on these issues which are critically important to ACLI member companies, as well as to their customers. The very nature of the life disability income and long-term care insurance business involves personal and confidential relationships between insurers and their policyholders, but in order to do business insurers must be able to obtain, use and share their customers' personal information to perform traditional, legitimate insurance business functions. These functions are essential to insurers' ability to serve and meet their contractual obligations to their existing and prospective customers.

    The ACLI companies also believe that the sharing of information with third parties and with affiliates is often the only way that customers can receive the level of service, the efficiency and the product choice that they demand, both in the existing marketplace and in the marketplace that will be created upon passage of H.R. 10. Insurers are fully aware of the unique position of responsibility that they have regarding an individual's personal medical and financial information. ACLI policy on privacy has been to long support the NAIC Insurance Information and Privacy Model Act which has been enacted in nineteen States across the country.

    It is noteworthy that many, if not most, of our member companies that do business in any of the States that have enacted this law actually adhere to it across the country. While insurers are constantly concerned with protecting the confidentiality of their customers' personal information, in order for them to do business, they must share such information to perform traditional legitimate insurance business functions, to underwrite the applications of prospective customers, to administer and service existing contracts, to perform related or service functions or even to deliver a policy through an agent who is paid by, but may not be an employee of, the company. Insurers must also disclose personal information in order to comply with regulatory or legal mandates or in furtherance of certain public policy goals such as to detect or deter fraud.

    It is also necessary for insurers to share information in connection with various ordinary business transactions like reinsurance transactions or in connection with mergers and acquisitions.

    In our written testimony we did go into great detail with respect to the number of situations in which insurers must share information in order to best serve our customers. We tend to think of insurance as a product that is provided by a single business enterprise, but in reality insurers often use affiliate or unaffiliated third parties to perform essential and core business functions that are related to individual insurance policies.

    They also use affiliates and third parties to perform functions not necessarily related to an individual policy, but related to the servicing and administration of insurance products generally.

    I want to comment briefly on the medical privacy provisions in H.R. 10. The insurance industry recognizes that this language is not intended to be a final solution and that more comprehensive legislation is needed. It is noteworthy that the language of the medical privacy provisions themselves actually provides that the language is designed to sunset when an omnibus bill is enacted as required under HIPAA. While we believe that these provisions are worthwhile we do suggest that they should not be an impediment to enactment of H.R. 10.

    With respect to the financial privacy provisions, we believe that the ultimate effectiveness of these provisions will not be known for some time and may be determined in large part by the regulations that are eventually promulgated. We do believe, however, that they are reflective of a conscious effort to balance consumers' legitimate privacy concerns with equally important consumer demands for convenient, prompt and efficient service and innovative products.

    Importantly from our perspective, we believe that the language would also permit the sharing of information to the extent necessary to accomplish appropriate and traditional business insurance functions as well as for us to pass on to our customers the potential benefits and opportunities connected with the ability to affiliate as permitted under H.R. 10.

    We do believe that the measured approach taken by the House on H.R. 10 was well advised, and will protect consumers without eliminating the incentive of the financial service industries to continue their pursuit of financial services modernization.

    The ACLI appreciates having had the opportunity to present our views and we look forward to working with the subcommittee as it deliberates on these important issues.

    We particularly appreciate the sentiment expressed in your opening remarks yesterday, Madam Chairwoman, that the need to address the privacy issue in a thoughtful and comprehensive manner could proceed on a separate track from H.R. 10.

    Chairwoman ROUKEMA. Thank you.

    Mr. Fink of the Investment Company Institute.

STATEMENT OF MATTHEW P. FINK, PRESIDENT, INVESTMENT COMPANY INSTITUTE

    Mr. FINK. Madam Chairwoman, Mr. Vento, and Members of the subcommittee, I am Matthew Fink, President of the Investment Company Institute, the national association of the mutual fund industry. The mutual fund industry has enjoyed steady success over the last sixty years, and the foundation of that success is the confidence of millions of individual shareholders. For that reason, our industry has always taken very seriously issues concerning the use and protection of our shareholders' personal financial information.

    In fact over a year ago—before this subcommittee and other committees of Congress got heavily into this issue—we urged the National Association of Securities Dealers, a self-regulatory organization for securities firms and mutual funds, to adopt a rule governing the sharing of confidential customer information by NASD members.

    Mutual funds have a very unique and rather complex business structure, and it is necessary to understand this structure when you look at issues concerning information sharing which are at the heart of privacy discussions.

    Attached to my written testimony is a rather complicated chart that shows you the typical organization of a mutual fund company. The mutual fund itself is simply a pool of assets and does not have any employees of its own. Therefore, the fund's operations are conducted by a wide number of both affiliated and non-affiliated service providers. This includes the fund's adviser, which is the company that runs the fund and picks the stocks or bonds for the fund, the fund's principal underwriter, which is in charge of distributing the fund shares, the transfer agent, which keeps records of shareholder accounts, and the fund's custodian, which holds the fund's assets.

    To allow a mutual fund to operate, it is essential that shareholder information flow unimpeded among the mutual fund and these various service providers. Information sharing must occur simply to maintain a shareholder's account: for example, to provide the shareholder and the Internal Revenue Service with tax information every year. Information also needs to be shared to properly service a shareholder's relationship with the entire mutual fund organization: for example, to advise the shareholder of the creation of a new fund that is available for purchase or to prepare consolidated account statements that give the shareholder information about all the different funds the shareholder is invested in.

    I think it is fair to say that this type of information sharing is unlikely to give rise to the concerns over financial privacy because, as a practical matter, I think most of us, when we invest in a mutual fund, do not realize that it may be a series of five or ten separate affiliates, but look at the fund organization as a whole.

    I think few, if any, shareholders would be concerned with the fact that as a technical and legalistic matter, each of the entities in the fund complex is a separate corporation. In contrast to this type of what I will call ''harmless'' information sharing among affiliates, I am not aware of any mutual fund organization that sells its shareholder personal information to unaffiliated third parties or that views the shareholder information as a source of additional revenue.

    I cannot emphasize too strongly the importance of assuring that any legislation addressing financial privacy recognizes the unique structural characteristics of mutual funds. Standing back to be a bit philosophical, I think what you have been struggling for, as I heard the earlier panel and read the testimony yesterday, is a balance between two very important customer needs. One is to give customers, in our case mutual fund shareholders, control over their personal information and prevent use that they might consider objectionable, and second, ensuring that customers efficiently receive financial products and services. I have concluded that the privacy provisions in H.R. 10 as recently passed by the House effectively strike such a balance. They would require all financial institutions, including mutual funds, to disclose their policies to customers on sharing personal information. They also would permit customers to opt-out of any arrangements that involve sharing of information with unaffiliated entities for reasons not related to servicing customers. I think those provisions should be in the final bill.

    Proposals that would impose additional restrictions on the sharing of information might very well diminish the range and quality of services that mutual funds provide to their customers. For example, if a mutual fund was required to allow its shareholders to opt-out of information sharing between the fund and these various service providers, funds simply might be unable to service the accounts as they have traditionally done. Because mutual fund operations are invariably carried out by third party and affiliated service providers, this problem of blocking or requiring an opt-out would be a very bad problem for mutual funds.

    At the very minimum, if there was opt-out for information sharing among affiliates, fund organizations would have to develop and maintain systems that track opt-out information on an ongoing basis. In addition, they would have to institute procedures to train personnel on compliance, and the costs I think would be quite substantial and very difficult to justify—given what I call the ''harmless'' nature of this information sharing and the small number of people likely to opt-out.

    There is one issue I would like to raise in conclusion, although I think H.R. 10 strikes about the right balance. There is one major problem that the subcommittee needs to be aware of, which other witnesses mentioned, and I gather there is a difference of opinion on the subcommittee; that is inconsistent State law requirements that could upset the balance. Such requirements would be very burdensome for companies like mutual fund organizations that operate on a national basis.

    And I might say, Madam Chairwoman, we lived with such a system for about fifty years. From 1940 until 1996, mutual funds, though heavily regulated under the Investment Company Act of 1940 by the Securities and Exchange Commission, also were subject to changing laws and regulations in the 50 States, and it was a tremendous nightmare that Congress rectified in 1996. I would hate to see a repetition of that problem in the privacy area.

    Therefore, I would think that if there is final legislation to protect financial privacy, it should clearly override inconsistent State laws. Thank you.

    Chairwoman ROUKEMA. Thank you.

    Now, Dr. Palmisano of the American Medical Association.

STATEMENT OF DR. DONALD J. PALMISANO, M.D., J.D., BOARD OF TRUSTEES, AMERICAN MEDICAL ASSOCIATION

    Dr. PALMISANO. Thank you and good afternoon. My name is Donald Palmisano. I am a general and vascular surgeon in New Orleans. I am also on the Executive Committee on the Board of Trustees of the American Medical Association. I would like to thank Chairwoman Roukema on behalf of the AMA for the invitation to talk with you today about the medical privacy issues in H.R. 10.

    Quite frankly, physicians and patients are quite concerned that private medical records could be widely shared among affiliated entities under H.R. 10. I think it comes down to the fact that health insurers play a double role here. In their role in H.R. 10, insurers are financial services institutions that seek to benefit from affiliating with banks, mortgage companies, holding companies, brokers, dealers and other insurers. Yet in the context of the debate on comprehensive medical privacy legislation, insurers style themselves as providers, seeking only to improve the quality and efficiency of care for populations.

    Well, which is it? Health insurers are privileged and it is a privilege to have access to our most personal medical information so they can pay claims for medical care. But when insurers function as financial services institutions, our medical record becomes more and more like an item of commerce, a consumer market profile. The AMA believes very strongly that health insurers should not be able to use the privileges of one role to exploit the opportunities of the other role.

    Once the provisions of H.R. 10 tear down the current barriers that prevent affiliations among banks, security firms and insurers, nothing much prevents our personal medical information from being disseminated among any of these new affiliates and, while well intentioned, we do not believe that the medical privacy provisions in Section 351 of the bill cure this problem. So as I said before, we appreciate attention being focused on this issue.

    So what will we do to help cure the problem? The AMA favors an explicit opt-in provision for medical information. We think the most prudent course is to modify H.R. 10 to completely prohibit the transfer of medical information, even among affiliates, without the explicit consent of the individual. Use and redisclosure should be limited to what the individual knowingly and voluntarily consents to.

    This position reflects AMA policy that as a general rule patients have the right to control disclosures of their personal medical information, with narrowly tailored exceptions for certain defined public benefits. As a doctor, I am constantly creating new records. These records serve as clinical tools to help in the diagnosis and treatment of my patients. When the record migrates from its primary purpose as a clinical tool, patient consent becomes even more important. These secondary issues are just not currently anticipated by patients and they need a constant process to inform them and give them a choice.

    Financial institutions, including insurers, their affiliates, and any unaffiliated third parties, should all be required to affirmatively get an individual's consent to disclose their personally identifiable medical information. An opt-out provision just is not enough, even if it did apply to medical information disclosures under the terms of the bill, which it currently does not.

    Two quick points I would like to make before concluding. First it is our understanding, from the Dear Colleague letters, that Dr. Ganske fully intends his medical privacy provisions to not preempt State laws, not now, not in the future. We agree and think it is essential to allow for protective State laws to remain in force. This would certainly be consistent with the preemption language in Title V of this bill.

    Second, we are not arguing that H.R. 10 should become a vehicle for comprehensive medical privacy legislation. Still, if provisions are included at all, they should afford the full range of protections for medical information, at least as it would be shared and used in the financial services context. If Congress is unable to significantly improve these provisions, we would rather see the entire section struck than to pass into law so-called protections that allow personal medical information to flow freely in commerce without individual's knowledge or consent. It is not our preferred outcome but it is preferable to passing a version of H.R. 10 that codifies sweeping access to private medical information.

    If you take one thing away today from my statement on behalf of the AMA let it be this: Information cannot be unshared. Once a financial institution has our medical information, it becomes a permanent part of our consumer profile and it doesn't matter what passes later or what might offer more protections. So if the Congress has to err at all in this matter, let it be on the side of protecting patients and their private medical information; not codifying financial institutions' desire to use that information for marketing purposes.

    I thank you for listening to the AMA's concerns and I am happy to answer your questions. Thanks.

    Chairwoman ROUKEMA. Thank you.

    Dr. Harding of the American Psychiatric Association.

STATEMENT OF DR. RICHARD K. HARDING, M.D., VICE CHAIRMAN, CLINICAL AFFAIRS, PROFESSOR OF NEUROPSYCHIATRY AND PEDIATRICS, UNIVERSITY OF SOUTH CAROLINA SCHOOL OF MEDICINE

    Dr. HARDING. Madam Chairwoman, I am Richard Harding, M.D., Vice Chairman of Clinical Affairs and Clinical Professor of Neuropsychiatry and Pediatrics at the University of South Carolina, and Vice President of the American Psychiatric Association, and serve on the National Committee on Vital and Health Statistics which was charged by Congress to make legislative recommendations on protecting the privacy of medical records.

    The views I am presenting today are my views and those of the American Psychiatric Association and not the National Committee on Vital and Health Statistics necessarily.

    First let me thank you, Madam Chairwoman, for your outstanding support for non-discriminatory insurance coverage of mental illness and for your overall leadership on mental health issues and, indeed, health issues in general and for your attention to the serious patient privacy concerns raised in reference to Section 351 of H.R. 10.

    Because these provisions would overturn the principle of patient consent before disclosure of medical records, and may overturn certain State privacy laws, it represents a significant step backward for patient privacy. Moreover, since doctor-patient confidentiality is an essential element of effective medical treatment, these provisions will also have significant ramifications for the quality of health, and particularly mental health care in our country.

    Without a very high level of patient privacy, many patients will be reluctant to seek needed health care and for making a full and frank disclosure of information needed for their treatment. For these and other reasons, over forty physician and patient groups, including the American Lung Association, American Academy of Family Physicians and two major unions oppose these provisions.

    Although we have very significant concerns about Section 351, the sponsor of these provisions has stated that it is his intention not to preempt State privacy laws. He also expressed his general support for the principle of patient consent before the disclosure of medical records. These are two critically important principles that we strongly support. When combined with other changes I outline in my written testimony, these principles offer some hope of a positive resolution of this issue.

    However, we do urge Members of the subcommittee to err on the side of caution and, indeed, of protecting privacy when considering these provisions. Just as the first rule of medicine is to do no harm, we hope the subcommittee will adopt the same approach on medical records privacy issues.

    If the Congress permits extensive use and disclosure of patients' medical records without informed voluntary consent of patients in H.R. 10, it will be enormously difficult, if not impossible, to undo the damage later. At least if we do no harm, States' efforts to address this issue can continue.

    The safest approach may be to delete the medical records provision of H.R. 10—that is, Section 351—and address the issue subsequently through comprehensive legislation.

    Finally, it is critically important to recognize the difference between medical records privacy and financial privacy. If financial information is disclosed, it can be an embarrassment and in some cases cause a financial loss. But it is not overly difficult to recover from any personal discomfort and one can win compensation for his financial losses.

    But medical record information can include information on heart disease, terminal illness, domestic violence and other women's issues, and psychiatric treatment including alcoholism. As the U.S. Supreme Court recognized in its Jaffee vs. Redmond decision in 1996, I believe, disclosures of this information can cause ''personal disgrace as well as discrimination.'' These disclosures can jeopardize our careers, our friendships, and even our marriages.

    And if such disclosures occur, there are truly few meaningful remedies. Seeking redress will simply lead to further dissemination of the highly private information that the patient wished to keep secret, nor can a financial settlement do much to compensate the individual for these highly personal losses. For all of these reasons, very tight restrictions on access as well as disclosure of medical records information is essential.

    Thank you for inviting me to testify, and I look forward to working with the subcommittee on these issues.

    Chairwoman ROUKEMA. Thank you.

    This panel has given me additional problems, especially the last two who are testifying on behalf of the medical community. I stated my own biases in my introduction. I have a bit more understanding of your perspective, but I am afraid that we have an honest difference of opinion on the strategies here. I am speaking now with respect to medical privacy. There is no contradiction here concerning the absolute need to do no harm and to go on for more comprehensive medical privacy.

    Dr. Ganske would be one of the first to admit that his provision, Section 351, was not intended to be comprehensive medical privacy legislation. He attempted to deal, to the extent possible, with the fact that we are now permitting financial institutions that include insurance companies and enter into affiliations with banks, securities firms and other institutions.

    So I am really perplexed here as to what the strategy should be as we are dealing with this problem.

    Let me ask the insurance industry and maybe the banker, Mr. Fischer, how you respond to this question or this potential for violation of an individual's medical privacy. How do you protect yourself against a lot of lawsuits as a matter of fact that could come about? How do you feel that the legislation before us is either inadequate or can be improved, recognizing the legitimate concerns that the medical community has raised?

    Ms. Meyer, would you like to be the first and then Mr. Fischer if you would, please. This is a very complex issue and we have got to deal with it.

    Ms. MEYER. Exactly. And for better or for worse, this information and our ability to obtain it and to use it and to share it to—to do what customers come to us to do is essential to our business. So it is very important to us.

    I think it is important to state too that we recognize that these confidentiality provisions are not intended to be the comprehensive approach to medical records privacy and agree that they, in fact, are a first step.

    We think that they are appropriate and that they do require consent to disclose information that our member companies have generally gotten either directly from the individual or with the individual's authorization. And the only circumstances that we are permitted to disclose it without their consent are for basic insurance functions that they came to us to do in the first place. In other words, we need to disclose to underwriters their applications and to pay their claims.

    Chairwoman ROUKEMA. Ms. Meyer, forgive me, but that is discretionary on your part. That is not statutory requirement, as I understand it. That is discretionary and/or someone's interpretation of regulation that you have just described, although it is the common industry practice that you have just described.

    Ms. MEYER. The practices that I described are permitted under existing privacy laws that are enacted in the States across the country, and I believe by virtue of the fact that they either require an individual's consent to disclose information or you have to be performing a legitimate insurance function.

    And in addition to which, I believe that is in line with what is being proposed under the H.R. 10 medical privacy provisions. Am I responding to——

    Chairwoman ROUKEMA. I think so, but we will have to go over it in a little more detail at another time. Did you finish? I interrupted you. Did you make your point?

    Ms. MEYER. Yes, I think that I had, thank you.

    Chairwoman ROUKEMA. I want to give time to Mr. Fischer.

    Mr. FISCHER. Yes, Madam Chairwoman, we have looked at this issue. We recognize that a special standard applies to medical information. We acknowledge the particular sensitivity with respect to medical information. We have been supportive of the efforts to protect that information. We have left, frankly, the details of that protection to people who are much closer to it and much more directly affected than we are.

    None of the banks, individual banks that I have talked with, have any interest in receiving medical information. The reports suggesting that, I think, are simply not true as I have seen it. We have left the details, we have been supportive of the approach.

    Chairwoman ROUKEMA. You say, then, that we should move to improve this section of the bill. Changes should be consistent with what the medical representatives have said, and consistent with what I believe was Dr. Ganske's original intention. This would move us beyond just this first phase of medical privacy and perhaps institute some further protections?

    Mr. FISCHER. Madam Chairwoman, we do not say that. What we do say is that Congress has recognized that there is a very narrow need for payment cards and other payment devices to pay for the medical service. Our only interest is making sure that people can continue to pay for those services. Once you look at the privacy protection and the information beyond that, what we frankly have said is that it does make sense to protect it. The details of that protection really should be left to those that are closer to that industry.

    Chairwoman ROUKEMA. Would the doctors want to respond?

    Dr. Harding.

    Dr. HARDING. I think it is important to keep separate the issue of medical privacy and financial privacy. And in addressing Section 351, which is medical privacy, it has consent and then a series of issues that would not require consent, and that is where we start getting uneasy, because in this thing there are things such as in Section 2, research projects don't require consent. Well, what is a research project? Is that marketing and so forth?

    So that the issue becomes one of when consent is followed clearly, there is very little problem. But this section is almost entirely the exceptions to that consent.

    Chairwoman ROUKEMA. Dr. Palmisano.

    Dr. PALMISANO. Yes, Madam Chairwoman, I echo what the doctor has said. And we have found this to be a very complex area. The American Medical Association has studied this area and we came out with a complex report that was approved by a house of delegates in June 1998, and then they said go into more detail in some areas, and we did. We formed a task force.

    So part of the past year we have been talking to experts all over the Nation and we gave an interim report at this meeting that just ended in June of this year and we have found that patients will not disclose information if they think this information is going to go laterally.

    For instance they come in, I treat somebody, a young woman is in an auto accident and I am a surgeon and she comes to me with a laceration on the forehead and I suture that laceration up. And I have a medical record that goes back ten years, and there is some information that she elects not to share with anyone else, and I understand that and keep it confidential.

    I get a request from the insurance company because of a blanket consent that she gave that says we have the right to inspect all the records and so on and so on. All they really need is information for the laceration: what I did, what the charges are for payment purposes, to make sure there is no fraud. They can look at her and see if she has had a laceration. But they want history about a depression, separation from her husband. They want the entire record. These are just some of the issues that we face.

    We also have patients who call and say, ''I have been contacted by some third party saying there is a new medication. Why do they know that I have diabetes? Why do they know that I have HIV?'' That is the problem we are facing now and we are concerned that 351 as written, as my colleague has pointed out, the exceptions eat up this particular rule. And research is under intense debate as to what constitutes research. Marketing research? Research to enhance the company's profitability? What is research? So we don't believe that is the answer.

    And at the appropriate time, I will give you three options that the American Medical Association recommends to fix this. I alluded somewhat to it.

    Chairwoman ROUKEMA. Yes, please submit that to me. We don't have time to go into that now.

    Is there any final statement that anyone wants to make on this subject before I turn to Mr. Vento?

    Ms. Meyer.

    Ms. MEYER. I think the ACLI would like to make the point that we recognize that this is a first step, that this is a very complicated issue, and as you all know, the Congress has been working on the issue of medical records privacy for years, and that in fact we are supportive of a comprehensive approach to this very difficult issue. So we know that, in fact, there are concerns and that this does involve hard stuff.

    Chairwoman ROUKEMA. All right. As you probably know, or if you don't know you should know, this issue of medical privacy is very important to me. Last week the Commerce Committee initiated hearings on this subject which, of course, we will be following closely. I am sure you will be.

    I don't think that negates the necessity for doing something in H.R. 10. That is my conviction in terms of the strategy. By a strategy, I mean at least making the opening, given what is going to be happening to the merger and acquisition of financial institutions under H.R. 10.

    Thank you.

    Mr. Vento.

    Mr. VENTO. Thank you, Madam Chairwoman. I regret that I couldn't be here to personally listen to the testimony. But I do have before me—I was reading a letter that was sent to our colleague or Chairman in the Commerce Committee, signed by the AMA and a whole group of other health care groups. It is called the Consumer Coalition for Health Privacy, and in it it says, ''We believe, however, that so far as H.R. 10 authorizes the sharing of information between affiliates, it is appropriate to address the medical privacy in this specific context. In particular, there needs to be a specific prohibition on sharing of medical information without notice and consent.''

    Well, we got that, number one. We got that in the bill, I assume. We had this in the bill, I might say, Chairman Leach and myself, before our colleague from Iowa, Mr. Ganske—Dr. Ganske—put it in. And this is very similar to what we actually had added in the bill in the Banking Committee. And what we are trying to do is prohibit the misuse of this information as we merge insurance securities and banking companies together. I mean, there are all sorts of devious things that can happen. Someone might have a life insurance policy and we might have someone come to him with a structured payout where they take and give him or her the money and then pick it up at the end. So there are all sorts of misuses of this that could occur in the context of this new type of affiliate structure.

    So that is all we are trying to do. We understand there is a bigger picture here in terms of the Health and Human Services and there is a larger picture in terms of medical privacy which is being circumvented by the Internet and by, you know, the accumulation of records and the necessity of those records being in place and pharmacists and, you know, it potentially is a very much a concern.

    But I related to the committee yesterday my own experience some 30 years ago as a State legislator when we couldn't even get the information from the insurance companies to actually do a bid to, actually provide for bids on health insurance on a group. They held the information and would not release it for anticompetitive purposes. And so there are some serious problems.

    So I think that the insurance companies and some of the provisions that you were referring to are basically included, because there is, obviously, a sharing. It really requires us not just to know the needs on the patient side in terms of privacy, but also to understand the transactions and the necessity of information in terms of how insurance works. Which is, you know—we are all laymen, I am a layman in this particular area, but I think that participating in research projects to me means medical research. But even there, maybe there should be consent. I grant you that some folks would want to have some consent in terms of information, but I think in a general sense that that is not—I mean, even if it was understood to be medical research I think you could probably find those that made quite an argument that that is in the public interest.

    Dr. Palmisano.

    Dr. PALMISANO. Yes, sir, the example you gave, deidentified information could be used to serve that purpose in order to get a bid, and that is one of the things we concluded in our extensive research at the American Medical Association dealing with the experts. So we think that could be solved and we know that research includes more than just medical research. And when people do things with other people's information, you should have the patient's consent.

    Mr. VENTO. Well, I don't think that that is necessary if it doesn't have the personal identifier on there and you are trying to use it for a competitive issue.

    Dr. PALMISANO. If it is deidentified, we don't have a problem with deidentified.

    Mr. VENTO. I think that has been blown out of proportion in my view, and most people from a commonsense standpoint, having something in this bill that bars the information and doesn't do any harm—if I could use the pejorative term that is used by the medical profession, ''do no harm,'' here is to have something positive. And I hope that the good intentions and work of the Commerce Committee and the Health and Human Services materializes into something.

    But meanwhile, I think we should have—we should be working to at least put some sort of barrier here that addresses the merger of companies. That is what we are interested in. We are not interested in taking over the jurisdiction of other committees or of the Health and Human Services Secretary in terms of writing the rules. We couldn't do it even if we took the time. Probably it is beyond us.

    So I hope that that is understood. And I will certainly study your testimony for other nuances; and this letter to Chairman Bliley in which you obviously endorse that particular policy path, I will put in the record. That is my assessment of the letter in any case. Without objection, Madam Chairwoman.

    Chairwoman ROUKEMA. So moved.

    Mr. VENTO. Beyond that, the testimony of others, of course, raises questions with regards to privacy. And I think one of the questions that stuck out here to me is, Mr. Fischer, could you give me an example or two of how information sharing restrictions would harm consumers by restricting availability of products and services they might want or request based on what is in the bill?

    Mr. FISCHER. I would be happy to do that. For example, it is not uncommon at all for a retailer to effectively outsource their entire credit operation. It is called private label credit cards and in a situation like that, the core relationship is with the retailer, but the information that relates to the fact that somebody has purchased school clothing, for example——

    Mr. VENTO. Excuse me; the presumption that they have opted-out? Is that the presumption? That they have opted-out under the provisions of that statute?

    Mr. FISCHER. It is that they have opted-out.

    Mr. VENTO. That is your presumption in terms of making the statement.

    Mr. FISCHER. Or that they simply don't understand and they have seen a lot of information about privacy and the concerns about privacy, and if in fact they are told that here is an opportunity to protect their privacy and they opt-out under those circumstances.

    Mr. VENTO. The exception in the opt-out section of the bill does not cover that? My interpretation is that it may.

    Mr. FISCHER. Well, that as we have said earlier, we believe that there are a lot of clarifications that really still should be made in terms of the H.R. 10 provisions. That is one of them, sir.

    Mr. VENTO. Madam Chairwoman, I know Mr. Inslee, if he has to go, I will yield back. I just have one additional question I wanted to raise and that was the issue of in terms of affiliates. It has been pointed out that there is some disparity between affiliates and non-affiliated types of structures. I don't think anyone intended for subsidiaries not to be covered, but that is another debate. But I think the basic issue is if it is a non-holding company, a smaller bank, a smaller financial institution, that they suggest that there is a disparity here and that people or individuals don't expect affiliates to in fact share any of the information that the parent holding company might have or that they will share with the parent company, and that there is some sort of disparity.

    One of the suggestions made was that what we are dealing with generally, that there is not as much of a problem, and I think that that is correct. There is not as much of a problem in terms of information sharing when we are dealing with—unless we are dealing with unrelated services and/or products. Unrelated services and products.

    Could you comment on that with regards to your viewpoint of changing or opting-out with regards to unrelated services or products and the issue in terms of whether it is an affiliate or non-affiliate status of the institution.

    Mr. FISCHER. In most situations if you are talking about sharing information between two affiliated financial services companies, the type of entity that we are looking at here under H.R. 10, the services that these entities are providing are by definition financial services. In one case they may be deposit accounts, in another case it may be loans, in another case it may be insurance or mutual funds, as Mr. Fink described. But in each case they are really financial services products.

    Some of the press reports in terms of use of information for non-financial products really does not arise except in very unusual circumstances in an affiliate sharing context. The market reaction to disclosure of information to third parties, particularly for telemarket purposes, non-financial products and services, I think is what got the reaction.

    Mr. VENTO. I think it is the list exchange. How about the size issue or the holding company versus non-holding company issue?

    Mr. FISCHER. I think there was no intention in the legislation—I am being presumptive, obviously, in saying this—to create a disparity between big institutions and small. The fact of the matter is that there are as many large institutions that rely as heavily on outsource and service organizations as small. The legislation does, in fact, have an exemption for processing and servicing. It has an exemption for a use of agents to market your products, financial products. It has another exception for two financial institutions that are not related sharing information to meet their common needs.

    The combination of those exceptions, I would expect, would level that playing field, if you will, as between large and small. There is no question but that there are issues with respect to the exceptions across the boards in terms of clarity that needs to be addressed.

    Mr. VENTO. Thank you, Madam Chairwoman. Thank you, Congressman Inslee.

    Chairwoman ROUKEMA. Mr. Inslee, please.

    Mr. INSLEE. Thank you. I wanted to see if we could reach some agreement on this here so I want to ask an easy question to start with. I want to give you a scenario and I would like your thoughts on whether it should be or should not be allowed.

    Assume we have got a person, Emma Smith, and she opens a checking and savings account at her bank. And she reads some of these articles in the newspaper and what Congress is up to and so she writes a letter to her bank and it says, ''Dear Friendly Bank, I care about my privacy. Do not share my account information with your affiliates for marketing purposes. Thank you very much, Emma Smith.''

    Her bank then, in its incredibly powerful computers, profiles her bank account on a daily basis and one day they discover that she has $10,000 cash she just got from some unknown source. In fact she inherited it, and they think that this is a good opportunity to sell a product, so the bank—or actually its computer, due to preordained software—sends that information to the bank's affiliated securities company or brokerage house with the information that Emma Smith has $10,000 cash; just got it in; we believe she is a good target to market some of your good, new, hot IPOs or some hot stock.

    The question I want to ask, I think it is a yes or no answer if you can give it to me: Should the affiliated company of the bank under that circumstance be able to ignore Emma Smith's specific direction to the bank and use her account information to try to market to her a stock? And I want to ask that to the first four folks, if you can give me a yes or no answer or thoughts in that regard.

    Mr. FISCHER. They shouldn't be able to use that information under those circumstances.

    Mr. BECKER. No, they shouldn't.

    Ms. MEYER. That is an interesting question from our perspective. I guess if she has given a specific request not to use the information, they shouldn't be able to use it.

    Mr. FINK. I would agree.

    Chairwoman ROUKEMA. Would the gentleman yield?

    Mr. INSLEE. Certainly.

    Chairwoman ROUKEMA. Have you asked the question in the context of statutory authority or regulatory prohibition or are they just responding in terms of their own feelings, not in terms of whether or not it could be done under the law?

    Mr. INSLEE. I will give them a chance to answer that.

    Chairwoman ROUKEMA. All right. Thank you.

    Mr. INSLEE. We have agreement, the five of us on the answer to that question, I think.

    Now, if that is the case, is it not appropriate for the U.S. Congress to incorporate in our unanimous opinion in this regard and find a way to draft a provision that would prevent such activities with affiliates as well as third parties? And I would ask all four of you to take a stab at that answer.

    Mr. FISCHER. I will start it all. I don't believe, respectfully, that that is a parallel situation. Most financial institutions, hopefully all, but at least most financial institutions today do honor a ''do not call'' and ''do not mail'' list.

    In other words, if a customer says I don't want to hear from you except to receive my statements, they honor that. You heard from the direct marketing association yesterday, that is their rules. Most banks, or at least large banks, are members of the association, they follow those rules. Once you start going beyond that to something that really looks at notifications and opt-out, and similar rules are talking about something that is far more complex.

    Mr. INSLEE. Did anybody want to say anything significantly different than that?

    Mr. BECKER. Only to underscore that I think that setting up the factual predicate really blows by the fundamental question which is whether or not there should be a Federal requirement for what the marketplace is already doing. I don't think as a business matter, businesses who ignore their customers' preferences stay in business for long. That is what our testimony said. We did not endorse Federal legislation to mandate good business practice in this area because we think it is unnecessary and could lead to very significant costs for consumers.

    Mr. FINK. I think Mr. Fischer answered it. Under current law, people can and do provide ''do not call,'' and I think that is just an example of it. I think the bill, as I understand it, goes further and does not allow sharing, which is a much more difficult bar.

    Chairwoman ROUKEMA. In connection with that, if the gentleman would yield for just one moment.

    Mr. INSLEE. Certainly.

    Chairwoman ROUKEMA. I had this question that came back to me as Mr. Becker spoke. Those legal protections, as you said and Mr. Becker alluded to in his testimony, said they already exist. But they have not existed in the context of what we see the future of financial modernization being out there in terms of much larger and diverse holding companies, affiliations and operating subsidiaries. So it would appear to add another facet or twist to the privacy issue; or does it not, in your opinion?

    Mr. FINK. I don't think it is that black and white, because the industry I represent has been able from the beginning to be affiliated with securities firms, with insurance companies, and for the last twenty years with banks. Securities firms and banks for twenty years have been affiliated. So, there were never bars, or they have come down in the last twenty years.

    So you are not going to go from night to day when you enact H.R. 10. It is a movement forward, but a lot has already happened. We are not moving from a world of no affiliations to complete affiliation. There are currently affiliations, as I said, of security firms/banks, mutual fund companies/banks and mutual fund/securities firms. Most of the pieces have already happened. I am not denying H.R. 10 doesn't do something, but it is not quite a whole brave new world.

    Mr. INSLEE. I will just tell you that my perception is that banks, number one, are doing this; and number two, want to do this. And let me tell you where I get that perception. One is their great desire for these affiliations and therefore H.R. 10. And number two, in my discussions with bankers, I have repeatedly heard them say—these are individual bankers, these are not folks who are paid lobbyists, although there is nothing wrong with paid lobbyists—have said, you know, ''All we are really doing here is we are trying to provide a service to our customers. That is all we are trying to do here.'' And I go, ''What do you mean?'' And they say, ''All we are trying to do is if Emma Smith has $10,000 in her bank account, we are trying to help her. We want the ability to try to help her to find the appropriate investment to make with that $10,000.''

    And that is fine for the banks to have that motivation, but my belief—and I am going to ask you again to reiterate this—should not the consumer in these circumstances have the legal right to tell their banker not to use that information to try and market a product to them unless the consumer wants that service? Should not the consumer have that legal right?

    Mr. Fischer.

    Mr. FISCHER. Comptroller Hawke today talked about reasonable expectations and also statements from customers about certain types of activities that they found unacceptable. You also, sir, made a similar point in your example about telemarketing in that same panel. There is absolutely no question in my mind that under existing law today, and I said this earlier in my answer, if a consumer says ''do not do this,'' then their expectation, which is enforceable under law today, is that you will not do it and if you fail to do it you will be punished.

    If you look at the situation, and I am not commenting on the underlying facts at all, in Minnesota where the allegation was that reasonable expectation was breached, in that case you didn't even have to say don't do it. The alleged activities were such, third parties, telemarketing information, that it was simply beyond the expectations and if that is not enforceable, I have never seen it.

    In this particular situation when you are talking about affiliates, if you have someone say ''do not use my information,'' as far as I am concerned—and this is how I advise financial institutions—you cannot use that information. I was going to say then, to go beyond that, though, and say that now we need to create a structure that not only says that you have to honor your customers' requests to not send things to them, which is existing law, but you have to put into place the sort of very broad initial annual and other disclosure requirements that are included in H.R. 10 and expand that to the affiliate relationship which is the core of the purpose of H.R. 10. That is where I say has crossed the line.

    Mr. INSLEE. Would the Chair indulge me just for another minute or so?

    Chairwoman ROUKEMA. We do have a vote, you understand. You can have the time. Go right ahead.

    Mr. INSLEE. One more question. If in fact you believe, which I appreciate that consumers ought not to be violated in that sense, if they give a specific direction to a bank, what I hear you saying then is you think that prohibition already exists. And if that is true—many of us believe it does not, because of the transactional exception for the Fair Credit Reporting Act—why don't we make sure of that and incorporate that in some language that prevents that marketing activity and gives them a specific opt-out? Why not do that?

    Mr. FISCHER. Obviously I wasn't clear in what I said. It is not that the practice is prohibited, it is that you must honor the request of your customer. That was the example. You must honor it.

    Mr. INSLEE. If that is the case, then what you are telling me is that you must honor the consumer's statement not to share it, but we don't want to be obligated to tell the consumers we are doing it. So you can do it in the dark of night as long as they don't find out and we will go ahead and just sort of do this as long as they don't find out. Is that what I understand you are saying?

    Mr. FISCHER. There is almost no financial institution of any size, which means anyone with any affiliates, that today does not tell their customers that they are sharing with their affiliate, not with respect to all information, but with respect to most information.

    In other words today—and you heard that appropriately acknowledged in the regulatory panel this morning—today, customers are receiving notices that you are sharing information with affiliates as it relates to applications, credit reports and everything else, except experience information, and today they have the ability to opt-out. And as you have heard, that very few of them do.

    And I would respectfully disagree with the Comptroller. It is not because the notices are poor. We are following their suggestions in that respect. It is that customers do recognize the difference between their affiliates, their bank's affiliates who they trust, and third-party marketers who they simply do not.

    Mr. VENTO. If the gentleman would yield to me briefly. I think that it is a very important point. And as far as U.S. Bancorp, which is headquartered in Minneapolis, Minnesota, as the gentleman from Washington knows, the allegations that were made actually went to the fact that they had asked consumers whether they could market. That is the allegation. And then in spite of the fact that they had checked off that they didn't want to be marketed, they did market them. And so that is the allegation. Nobody has ever demonstrated it. In fact, I know that there are some pretty vociferous differences with regards to it.

    But in any case, the point is that they have now, of course, adopted something that is called the opt-out, for whatever it works.

    But one of my questions on that is do you happen to know, Mr. Fischer, if the U.S. banks, or other banks working with telemarketers to promote dental policies for their customers adopted uniform banking industry privacy principles as outlined in the attachments to your testimony?

    Mr. FISCHER. Sir, I cannot comment on that specific case, but I can say that the vast majority of banks, particularly larger banks, have adopted those policies. The Comptroller indicated this morning that nearly 70 percent, when they looked at it, had adopted them in the online world. Undoubtedly there is more today and it applies much beyond that.

    Mr. VENTO. Getting back to Mr. Inslee's question, we have to go quickly, but there is an honest difference about disclosure. I think the disclosure now that goes on under the Fair Credit Reporting Act is sort of convoluted, because institutions are bound to permit you to opt-out of certain provisions, but other provisions they are not bound to do and generally do not.

    The message that you get into disclosure and fairness, which is, of course, the answer they should be giving me with regards to the fraction of percent here, one that I feel obligated to put on the record here, is a missed message. So it may actually go higher with clarification. So we know that, but since it wasn't on the record—I do think there is some merit in it, even if it isn't as effective as the advocates would assume. I thank the gentleman for yielding.

    Chairwoman ROUKEMA. Mr. Inslee, we will have to leave for a vote now. Do you want to submit your further question in writing or do you want to return here?

    Mr. INSLEE. I am going to defer to your judgment, which is to submit my question in writing.

    Chairwoman ROUKEMA. That was the conference that Mr. Vento and I had earlier.

    Mr. VENTO. I would ask unanimous consent to put in the record the statement by Mr. Robert Litan yesterday that did not get put in the record.

    Chairwoman ROUKEMA. Absolutely. I thought I had already taken care of that, but yes that is approved.

    Thank you. There are some remaining questions, we could probably be here the rest of the day, but I do want you to know how seriously we are taking your testimony. We will be continuing these hearings at some time in the near future. I do invite you to please submit to us any final remarks that you have or additional comments based on these last two questions or any afterthoughts that you have had. We will distribute them. Thank you very much. We greatly appreciate it. Sorry we have to dash off.

    This hearing is closed and the subcommittee is adjourned.

    [Whereupon, at 2:07 p.m., the hearing was adjourned.]