FDIC Home - Federal Deposit Insurance Corporation




Is It Any of Your Business?

In the Matter of

IS IT ANY OF YOUR BUSINESS?

CONSUMER INFORMATION, PRIVACY,
and
THE FINANCIAL SERVICES INDUSTRY

An Interagency Public Forum

Thursday March 23, 2000

L. William Seidman Center Auditorium
3501 North Fairfax Drive
Arlington, Virginia

The above-entitled matter came on for hearing, pursuant to notice, at 8:45 a.m.

TABLE OF CONTENTS

Opening Remarks

Donna Tanoue

Opening Speaker

Robert Douglas

Panel I

Donna Tanoue, Introduction
Alan Murray, Moderator
Chris Gallagher
Jo Ann Barefoot
Ed Mierzwinski
Julie Johnson
Frank Torres
Thomas Sheehan

Panel II

Donna Tanoue, Introduction
Governor Gramlich, Moderator
Stephen Cross
Scott Alvarez
Amy Friend
Richard Riese

Panel III

Donna Tanoue, Introduction
Ellen Seidman, Moderator
Peter Swire
Laurie Schaffer
Geoffrey Gray
Mike Hatch
L. Richard Fischer

Closing Remarks

Donna Tanoue

MORNING SESSION

(8:45 A.M.)

CHAIRMAN TANOUE: Good morning. I am Donna Tanoue, the Chairman of the FDIC and I am honored to welcome all of you here today.

For those of you with long memories, you will know that this is the Seidman Center, which was started a long time ago under the chairmanship of Bill Isaac, who presided in those days of the Continental Illinois and Penn Square, and the building was finished under the chairmanship of Bill Seidman, after whom this building is named. And, as many of you will remember, Bill presided over one of the most difficult periods in the history of the FDIC. But whenever I come to this facility, I think of all the developments that have occurred over time and how far we have come and how far we have to go. But, welcome to this forum on privacy.

You know, when asked why he robbed banks, Willie Sutton said, because that is where the money is. Now today, Willie Sutton's professional descendants might say that they rob banks because that is where the information is. As we have seen in the reports of identity and information theft, modern bank robbers are after not so much money but account information.

A bank's database is bounty in and of itself in today's information based economy. We all know that banks created business opportunities from these databases. Advances in technology have made these information systems more exhaustive and more economical than ever before, and bank customers benefit through new products and services, as well as faster service, and even discounts and lower costs. For example, financial institutions increasingly offer consumers a "one-stop" source for many different financial services and products. By allowing banks to share customer information with affiliates or third-party vendors, consumers can receive consolidated financial statements. They can call a single consumer hotline, and they can receive loan approvals today in minutes rather than days. And, by allowing consumer information to be used for cross-marketing purposes, institutions offer consumers the benefit of customized products and services as well as access to discounts.

Now, as for faster service, allowing institutions to use credit information already in the possession of an affiliate can streamline credit approvals, shortening the time that consumers may have to wait for their funds.

And when it comes to cost, as different types of financial service providers merge to offer an even wider range of products and services, the consolidation of redundant business units produces savings that benefit consumers and the industry alike.

But, there are other sides to this story. In one case an institution sold millions of credit card numbers to a convicted felon who used that information to make more than 46 million dollars in fraudulent charges. A poll last year indicated that almost nine out of ten Americans are concerned about threats to their privacy. And almost eight out of 10 of those polled believe that they have lost all control of how companies use their personal information. And state legislatures -- reflecting the views of their constituents -- introduced more than 1,800 measures dealing with consumer privacy in 1998 alone.

We all know that the American public has said that privacy is among the things that matter the most to them, and all of us, all of us, should listen.

The tension between our desire as consumers to keep personal information private and the desire of the industry to use the information in a variety of ways is at the epicenter of an ongoing discussion about privacy -- and it is the reason we are all here today.

Many bankers understand that the new value of this information places additional burdens, additional pressure, on them to keep the information secure and to use this information properly. But we know that some do not, and privacy practices, therefore, have not always kept pace with the new demands for this type of information.

This is one reason that the Congress included provisions in the Gramm-Leach-Bliley Act to clarify and to strengthen privacy protections.

To implement these provisions, the FDIC and a number of the other agencies have issued proposed rules regarding information sharing with unaffiliated third parties. You will hear more specifics about the proposed rule later this morning, and I would like to note that this discussion will be part of the formal record that we will take into account in developing the new rule.

Although the new law specifies an opt out privilege, a number of privacy advocates argue that the law does not allow adequate protection for consumers. They would prefer that customers and consumers affirmatively grant permission, or "opt in", prior to any information sharing. Meanwhile, as all of you know, some industry groups have argued that adopting such an opt in type of framework would be too expensive, would hinder efforts to provide consolidated financial services, and would cripple cross-marketing initiatives.

The bank regulators are also drafting a proposed Fair Credit Reporting Act regulation regarding certain information sharing with affiliates, which also would allow consumers to opt out of the information sharing.

One of the issues that we will discuss today, that I hope we will explore today, is how we may read the new law together with existing privacy protections, such as those in the Fair Credit Reporting Act. Also, to protect consumer privacy without strangling the information economy, we should discuss how to define certain terms, such as the term "nonpublic personal information", as well as the term "publicly available information." And another question -- one that in many ways is more ambiguous and that will require greater judgement -- is how widely should private information be shared within a banking company? We need to think very hard about these and other issues if we want to develop sound public policy and if we want to craft regulations that will serve consumers well, protect them, support the banking industry, as well as avoid future litigation.

In order to encourage public comment, the FDIC has created an Electronic Public Comment Internet site that is accessible from our home page. This site was developed to make it easier for everyone to provide us with their views and their comments, to tell us what they are thinking. Now, as you all know, the comment period is open through the end of this month, and you will find our home page at www.fdic.gov.

I strongly believe that today's meeting, our meeting, this forum, is another important opportunity for consumers, privacy advocates, and the industry, to help all of us do a better job.

Now for years we have all asked the question, "Are banks special?" For many consumers, banks are special because of the trust that they have in the financial services industry and in bankers in particular. In our meeting today, we can and we will explore ways to preserve this relationship in the new financial services environment.

Today we will hear a broad range of views, and I underscore broad, about consumer privacy. We will be hearing the views of bankers, as well as consumer advocates, regulators, congressional staff, as well as privacy experts. Our distinguished guests will share their views and their comments and their opinions in three different panels. But, before those panels begin, we are going to start the morning with a very thought provoking presentation on the power of technology and how it is used in today's market place. This presentation will underscore the urgency of developing appropriate safeguards to protect consumer privacy while allowing customers to enjoy the full range of benefits from faster, more efficient information sharing. So, it is my pleasure and my honor to introduce our first speaker, Robert Douglas. Robert would you come forward, please.

Mr. Douglas is the founder and chief privacy officer of American Privacy Consultants. Prior to starting this venture, Mr. Douglas was a Washington, D.C. private investigator for 17 years. His expertise is investigating information brokerage practices on the Internet. You may recall that he testified before the House Banking Committee in 1998 about pretext calling and identity theft, and he now helps banks to prevent illegal access to their customers' financial information.

Would you all join me in welcoming Mr. Douglas.

(Applause.)

PRESENTATION BY
ROBERT DOUGLAS
CHIEF PRIVACY OFFICER
AMERICAN PRIVACY CONSULTANTS

MR. DOUGLAS: I thank Chairman Tanoue for inviting me to participate this morning and let me say good morning to the distinguished moderators and members of the panels gathered here today, along with our immediate audience here at the Seidman Center and our audience joining us live via the Internet.

As a former private investigator and now as a privacy consultant, I am frequently asked in this dawning of the information age coupled with the technological revolution created by the Internet, just how much information is readily available about the average citizen. The truth is almost anything can be learned about anybody in the United States today. Name, address, social security number, date of birth, phone number, height, weight, eye color, hair color, mother's maiden name, relatives' names, neighbor names, criminal records, civil records, tax liens, real estate holdings, bank account numbers and balances, stock holdings, credit card account numbers, individual credit card transactions, long distance phone records, cellular phone records, pager records, 800 number records, motor vehicle records, driving records, aircraft or watercraft ownership, credit histories, medical histories, where you shop and what you buy, where you went to school, what your grades were, even your SAT scores as Vice President Gore and Governor Bush saw on the front page of the Washington Post this past week.

As I have only 15 minutes, please accept my assertion that the list goes on and the slide now showing exhibits many of the other searches available on the Internet.

The impact of technology on consumer privacy today is the ability to accumulate, store, filter, cross-reference, analyze and disseminate vast amounts of information about anyone in a fast and cost efficient manner previously unavailable. The partial list I provided has always been available through one means or another, but until recently was rarely accessed due to the time and expense that would have been involved in locating it across thousands of different databases or paper record storage facilities. Today, all that information is being accumulated into vast super databases and packaged and sold like any other commodity.

The Internet, coupled with decreasing costs and increasing capacity for accumulation and storage of data, has brought the information age to a point where anyone can now participate in the buying or selling of data about anybody. Simply put, privacy in the United States is too often a concept, not a reality.

Since this forum will focus in part on determining what defines personal versus public information under Gramm-Leach-Bliley and the ramifications of this decision on consumer privacy given the current realities of technology, I would like to illuminate fact from fiction circulating in the media concerning technology and the impact on consumer financial privacy and demonstrate how a name and address can be used to obtain financial information about any individual in the United States today.

Recent events and subsequent media coverage have led consumers to believe that their personal information is not being safeguarded by the financial services industry and that this information is for sale to anyone and can be purchased on the Internet.

A portion of this negative publicity is deserved and is the direct consequence of a small number of financial institutions selling consumer information stored in their databases, including names, addresses, phone numbers and financial account numbers, to companies with no relationship to the consumer. The U.S. Bancorp and Charter Pacific cases illustrate this problem and served as a wakeup call to the financial services industry that consumers will not stand for such practices. Congress heard that warning bell from consumers in the closing hours of the passage of Gramm-Leach-Bliley and the ripple effect continues today. As I am aware that Minnesota Attorney General Hatch is here today, who is an expert on third party information sharing practices by financial institutions having successfully prosecuted the U.S. Bancorp matter, I will leave further discussion of this area to him and others. Suffice it to say that consumers are watching and when they perceive that a financial institution has not safeguarded their personal information or has sold information for the financial benefit of the institution over the confidentiality requirements of consumers, they will demand regulatory restrictions.

However, it must also be stated as a fact that technology has increased the ability of financial institutions to assist consumers in a myriad of ways from easier 24 hour access of their financial information to the ability to learn of relevant financial products and services uniquely appropriate for the individual consumer based upon data the financial institution possesses and is able to analyze on behalf of the consumer.

Make no mistake about it; consumers want these conveniences, services and products made possible through data analysis and the ease of use of the Internet and telecommunication systems. But, they want, indeed demand, that privacy of their information be maintained. The challenge today for the financial services industry is to allow the individual consumer to strike the appropriate privacy balance they desire.

The second area that consumers have been learning more about through the media is the common, but incorrect, belief, and I want to emphasize incorrect belief, that everyone's financial information can be accessed because of the Internet. Forbes Magazine and a CNN Moneyline News Hour presentation left consumers with the belief that everyone's financial information is being collected on the Internet and is therefore accessible to others. This belief is a combination of fact and fiction and needs to be clarified before the public comes to fear the use of the Internet to assist in financial transactions and consumer purchases any more than they already do.

Technology and the Internet do not enable access to private financial information such as bank account numbers, account balances, credit card transactions, and stock portfolios, as has been advanced by CNN, Forbes and others. Setting aside hacking of a small number of commercial websites and the subsequent revelation of credit card numbers, the reality is that financial information has been being accessed and sold long before the current rise of the Internet. In fact, financial information has been accessed by fraud for many years. The role of the Internet has simply been one of many ways information thieves advertise the sale of this data obtained through identity theft and fraud.

To illustrate this fact, use any of the Internet search engines for the phrase "bank account search". Hundreds of web pages advertising the sale of financial information including balances and account numbers will be returned. However, I must state again, contrary to some media assertions that the Internet and computer databases are allowing these websites to obtain personal financial information, the information is merely being advertised on the Internet and it is actually obtained in most cases through a form of identity theft, known as pretext. This means of stealing and selling consumers' financial information is illegal under Gramm-Leach-Bliley under all but a few narrowly defined circumstances. Unfortunately, the practice continues and is more prevalent than when I testified before Congress concerning this problem in July of 1998. Because of these so called "Internet private investigators," "information brokers" and sloppy reporting, there is a general belief that financial information is obtained and sold because of the Internet.

The reality is that private financial information is most commonly obtained by identity theft. The most common method is for the information broker to obtain through the use of credit headers from credit agencies, enough biographical information on the consumer to be able to falsely pretend that he, the broker, is the actual consumer. Having convinced the financial institution by impersonating the consumer that he, the broker, is actually the consumer, the institution is deceived into providing whatever personal financial information is requested by the broker impersonating the consumer.

A second method is for the broker to falsely convey to the consumer that, he, the broker, is an employee of a legitimate financial institution. Having gained the confidence, i.e. conned, the consumer, the broker induces the consumer to provide her own financial data.

These are just two of dozens of schemes used by so-called "Internet private investigators" and "information brokers" to steal consumers' personal financial information. Once again, the core of any of these techniques is identity theft and is currently illegal under Gramm-Leach-Bliley with very few exceptions.

There is no magic database in cyberspace holding all financial information that brokers can just tap into. There is no financial institution today selling personal financial information to brokers for resale to the public. There is no government database that holds all financial information that is accessed by "Internet private investigators." The financial institutions and the government are the victims of these often illegal practices and misperceptions, not the perpetrators. Strict enforcement of current laws under Gramm-Leach-Bliley and FTC statutes are needed to stamp out the harm these brokers and investigators are doing to the confidence of the American consumer and the reputation of the financial services industry.

To illustrate the misperception that the Internet is the source of financial information being collected and sold, let's look at the Forbes cover story of November 29, 1999, and CNN's Moneyline special of March 6, 2000. Both stories relied heavily on just one of hundreds of so called "internet private investigators" that advertise on the Internet.

In the Forbes piece the private investigator is referred to as a "web detective" and is asked to find as much personal information as he can just using the reporter's byline. The "web detective" obtained the reporter's birth date, address, and social security number in "about five minutes." Often this is done through the currently legal practice of credit companies selling personal biographical information on consumers.

But, the "web detective" found more, and I am quoting from the piece: "[I]n all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life -- whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them." The reporter concluded this portion of the article and again, I quote, "[O]kay, so you've heard it before: America, the country that made "right to privacy" a credo, has lost its privacy to the computer. But it is far worse than you think. Advances in smart data-sifting techniques and the rise of massive databases have conspired to strip you naked. The spread of the Web is the final step. It will make most of the secrets you have more instantly available than ever before, ready to reveal themselves in a few taps on the keyboard. For decades this information rested in remote mainframes that were difficult to access, even for the techies who put it there. The move to desktop PCs and local servers in the 1990s has distributed these data far and wide. Computers now hold half a billion bank accounts, half a billion credit card accounts, hundreds of millions of mortgages and retirement funds and medical claims and more. The Web seamlessly links it all together."

In just two paragraphs the reporter has incorrectly linked current information technology to the sale of personal financial information without providing a single fact as to how this so called "web detective" obtained the reporter's personal information. Remember, there is no database holding an individual's personal bank account information legally available to a "web detective" or anyone else absent a court order.

In the CNN piece after trying unsuccessfully to locate an unpublished phone number on the Internet by himself, the reporter stated, "[T]he pros, however, can pick you clean. Hire an Internet private investigator like Daniel Cohn" -- here we go again -- "and if you had good enough reason, he'll find the phone number.... And if you convince him you have a legitimate reason" -- one would wonder what that would be -- "and you are willing to pay a bit more, Docusearch (Cohn's firm) will give you someone's bank account balances, bank account activity, and even the stocks, bonds and securities someone owns, all of which poses a double threat to the Internet as a place to do business. First the threat of federal regulation."

Here CNN cuts to William Daley, Secretary of Commerce, stating, "If a web firm fails to protect consumers' privacy, if they fail to disclose, if they fail to give consumer choice, I guarantee you that the government will be forced to react."

CNN's reporter then says, "And if consumers grow to distrust the Internet as a place to do business, some of them may start to avoid it just as they would an unsafe city neighborhood. The difference is that, on the Internet, you can get mugged and never even know it."

I would argue that the viewers of this segment were the ones who were mugged by CNN's using the example of a single so-called Internet private investigator's untested assertion that he can provide an individual's financial information as a "threat to the Internet as a place to do business" and implying through their editing in the comments of the Secretary of Commerce that it is the Internet itself that allows firms such as Docusearch to obtain and sell personal financial information.

Finally, to further highlight the misperception problem that technology has made our citizens' personal financial information available to anyone because of the accessibility of databases accessed via the Internet, one need look no further than several web pages from the Docusearch website that Forbes and CNN relied upon.

And if, Mark, we could change right here, I would appreciate it.

(Pause.)

MR. DOUGLAS: The first overhead shows a web page advertising the sale of social security numbers. An individual wishing to purchase a consumer's personal financial information from an information broker or private investigator will almost always need to supply the information broker, excuse me, the consumer's name, current address and social security number. A name and address can be obtained from any public source or from many public sources. A social security number is more difficult to obtain and the most common method used by information brokers and private investigators is to purchase what is commonly called the credit header from the credit report that is sold by credit reporting companies outside of the Fair Credit Reporting Act. Credit reporting agencies enter into contracts with information brokers and private investigators to sell a consumer's biographical information that is collected as part of routine credit applications. These brokers are now openly reselling that personal biographical data on the Internet. This header will reveal all the biographical data the credit agency has on the consumer and may include name, maiden name, current address, history of addresses, social security number, telephone numbers and even employment information. The credit header and specifically the social security number is the starting point for many information brokers and private investigators in their quest for all other information on a consumer. And if we can hold that slide one second, if we can just go back one second -- I am sorry Mark -- we will see that, I believe right at the top here, this is from Docusearch's website and demonstrates that he is purchasing the social security numbers and reselling them on the web from credit agencies using credit headers as I just talked about there.

The second overhead shows that, should the phone number of a consumer be needed and not be publicly available, it can be obtained; and this is usually used as part of a pretext also where a phone number will be necessary to pull off the impersonation of the consumer. I have included this overhead as a momentary detour from the focus on financial information to make the point that information brokers and private investigators are selling more than just financial information. Many other web sites are willing to obtain and sell phone records including complete lists of the long distance calls consumers have made.

The third overhead shows a list of financial searches being sold by Docusearch and advertised on the Internet. Most of these that are first showing on this screen are legally available and are gotten from public record sources. I will again stress in regards to the bank searches listed here -- and if we can, there we go -- that I am not aware of any such data maintained or collected for dissemination via the Internet or other forms of technology for the access and sale by information brokers and private investigators via the Internet or any other means. But you can see here there was a list where they are willing to sell account balances, the account, itself, account activity -- which are the individual transactions and checks and deposits that have taken place within the account. And in general most of this, again, is obtained through pretext. One of the tip-offs is where you see no hit, no fee. That means, "I am -- ain't guaranteeing because I don't know if I am going to successfully be able to impersonate the person." So they will say, "Hey, you are not going to have to pay unless I can get it." That is one of the many tip-offs. There are about a dozen others that I could point out that show that this is not being obtained through a legal source.

The final overhead shows the bank account search -- excuse me, yes -- the final overhead shows the bank account search web page of Docusearch.com where the search description specifically states that Docusearch accesses a federal database. I suspect that this will come as news to many of the participants here today and makes it somewhat understandable why CNN and Forbes produced the pieces they did. I just wonder whether the reporters ever asked Docusearch to prove that they access a federal database in order to sell consumers' financial information via the World Wide Web. There is no such database. But, there are hundreds of these web sites on the Internet today selling this very information.

In closing, this forum today is another important step in the much needed attempt to define the role of privacy in the information age and in particular as it relates to the financial services industry. Hopefully, as we go forward here today and in the future in trying to determine what is privacy as it relates to the American consumer we can also continue to separate fact from fiction and find a healthy balance between the wonderful advances of the information age and the traditional role of privacy and freedom that has been with us since the founding of this nation. Thank you very much.

(Applause.)

CHAIRMAN TANOUE: Thank you, Mr. Douglas. I couldn't help but think how much more information one might be able to obtain on political appointees.

PANEL I

CHAIRMAN TANOUE: You know we all know that there are benefits from the use of information sharing, but what are the costs? Who benefits from information sharing and how? Our first panel this morning will help us sort through these and other issues. I would like to ask the first panel to come up to the stage now.

(Pause.)

In doing so, I would also like -- I welcome to all of you in the room this morning -- but I would also like to welcome to the forum those individuals that are in the overflow rooms and those who are participating in the forum through the Internet today as well.

(Pause.)

CHAIRMAN TANOUE: This morning we are fortunate to have some of the most knowledgeable and articulate voices in the discussion here today. Panelists who will give us a very clear look at the issues from many different angles and perspectives.

To begin with, we are very fortunate to have as a panel moderator, Mr. Alan Murray. Alan is the Washington Bureau Chief for the Wall Street Journal. He became bureau chief in 1993 and he has been reporting on economic issues for the Journal since 1983. Now, does he look familiar? He should because he appears daily on CNBC and he is also a regular panelist on PBS' Washington Week and Review. He obviously got where he is today, by asking very informed and probing questions. And so I wish all of the panelists, "Good luck!"

Please join me in giving Mr. Murray and the panelists a warm welcome. Thank you.

(Applause.)

ALAN MURRAY
BUREAU CHIEF
THE WALL STREET JOURNAL
MODERATOR

MR. MURRAY: Chairman Tanoue, thank you very much. As the Chairman pointed out I have been in Washington now for almost 20 years. I came back in the old days when the Oval Office was used for campaign fund raising and the Lincoln bedroom was used for sex. These days they have got it kind of the other way.

But in those 20 years I think the privacy issue, that has really exploded in Washington in the last year, is one of the most interesting issues that I have ever seen and will continue to be for some time. And the reason it is so interesting is because it is clearly bringing about a collision between what, in the business world, are the most interesting, the most innovative, the hottest strategies for doing business today, all of which involve getting to know your customers in a kind of a detailed way and providing customized services, marketing, even customized manufacturing. It pits those business models head on with the consumers' legitimate concerns about their own privacy. And those are things, like it or not, one way or another, are going to have to be sorted out in Washington. As Mr. Douglas pointed out earlier, this has come about not just because of the collection of information, which has been going on for a long time, and the storage of information, but because of the remarkable advances in the ability to access that information and make sense of that information. If you have been reading the papers for the last few days you have read about a company just a few miles from here by the name of MicroStrategy, which is one of the hottest data mining firms. It has the software that you use to get into these massive databases and try and make some sense out of it. And I, in working on a book that I have coming out in early June, I got to know Michael Saylor -- who is the head of that company -- over the last year, year and a half.

This is a guy 35 years old. He came to Washington maybe 10 years ago. When I talked to him a year ago he was living in a modest townhouse in Northern Virginia. Then his company went public. As of two weeks ago, he was worth about 12 billion dollars. He personally was worth 12 billion dollars. He is worth a little bit less today than he was two weeks ago due to a few accounting problems. But I think that remarkable rise and fall for a company whose business is data mining tells you something about how central consumer information is to the business models of the new economy, and I want to read you just a few paragraphs -- this is a shameless effort to promote my book, which is called The Wealth of Choices -- but I want to read you a few paragraphs from the interview I did with him because I think it gives you a vision of where some people think all of this may be going.

It says, "Michael Saylor wants to know everything about you. Not just your hobbies, your likes, your dislikes or what kind of car you drive. Saylor wants you to tell him your entire medical history, every last detail about your finances and everything you can think of about you and your family. 'I want to have your personality on file,' the software entrepreneur says. 'I need to have your paranoias on file.' Saylor's vision is to create the next generation of information business, which will be proactive, even telepathic, rather than reactive. His computers would know what you want, what you hate, what you need, what you fear, and they would use that information to advise, inform, guide and direct you 24 hours a day, seven days a week, via cell phone, pager, computer or palm pilot."

Now, I think that tells you where some people think all of this is going. But it is not going to get there if it runs into a roadblock in Congress, and what you saw in the banking bill last year was really an almost spontaneous eruption of concerns about privacy. I say "spontaneous" because while we have a couple of folks on the panel who have been up on the Hill talking about privacy concerns for many years, what you saw in Congress was members of Congress standing up and saying, "You know, I was subject to an identity theft," or "I got mail from a mailing list and I didn't understand how my name had gotten on this mailing list," and they are hearing from their constituents. And so, all of a sudden, this has become a very, very real issue that Congress is going to address one way or another and how it addresses it will both determine how these business models develop in the future and determine how well consumers' privacy is protected.

We have a great panel here this morning to discuss this and let me introduce them. If I get this right, here from left to right.

First Christopher Gallagher, of Gallagher, Callahan and Gartrell in New Hampshire, is an expert in a variety of banking, insurance, and utilities issues. General Counsel to the New Hampshire Bankers Association and also has been an advisor to the Clinton Administration on banking issues. Next to him is Jo Ann Barefoot, a partner at KPMG Consulting. She is in the Financial Services Group. She also worked as a Deputy Comptroller of the Currency in the late '70s and the early 1980s.

Next to Jo Ann is Edmund Mierzwinski. He is a consumer advocate with the U.S. Public Interest Research Groups, is frequently quoted, often called to testify before Congress on a wide variety of consumer issues.

Then I believe next we have Julia Johnson, Senior Vice President with the Bank One Corporation, who currently serves as Director of Information Policy and Privacy for Bank One.

Beside Julia is Frank Torres, a Legislative Counsel with the Washington, D.C. Office of Consumers Union, also a well known face in Washington frequently called to testify on consumer issues and privacy issues.

And then at the end is Thomas Sheehan, the Chairman, President and CEO of Grafton State Bank.

Now, this is a diverse group and I hope to get some good discussion going among them, so I have asked each of them to keep their opening statements to just five minutes. We are getting a little late started here but we will end at 10:30. I promise you we will end at 10:30 because I have a teachers conference for my nine year old across the river at 11 o'clock and I am going to be there.

So, why don't we start with Chris Gallagher.

PRESENTATION BY
CHRISTOPHER C. GALLAGHER
GALLAGHER, CALLAHAN & GARTRELL
CONCORD, NEW HAMPSHIRE

MR. GALLAGHER: Good morning. Thank you. As the first panelist, I would like to publicly thank Chairman Tanoue for running this conference and for having us all here today to talk about this very important subject.

I have followed Alan Murray closely each morning, but I can assure this is the most closely I have ever followed him and I find it somewhat intimidating. But I will tell you that I am honored to share this panel and this podium with you here today because the subject that we are talking about is, indeed, really hot.

I think, like most of the panelists, we began preparing for this several weeks ago. What we have learned in the past two or three weeks is that everyone else has been talking about this as well. There has been a daily deluge of books, white papers, and articles about privacy, and, indeed, as Alan mentioned, some very dramatic events in the financial world, not the least of which was DoubleClick's adventures with the public.

Even though our subject matter is very current, it is not a fad, I can assure you. It promises to occupy our collective attention for years to come. Why? Because privacy concerns as a social, political and economic issue are not merely a symptom of the new economic paradigm -- they are its inevitable result.

Privacy is, and will continue to be, a pressing and prominent issue because it sits squarely at the intersection where something very near and dear to each of us -- our personal identity -- collides with the operating efficiencies and economics relentlessly driving this new information age.

At the bottom line, the neocortex in our human brain -- what separates us from the rest of the animal kingdom -- has been evolving for 400,000 years, while we are now dealing with technologies evolving at warp speed, totally unrestrained by the physical constraints that have traditionally moderated the process of evolution. Some view this as a benefit. Others mourn the loss of security within their personal space. In any case, there is no turning back. The collection, utilization, manipulation and distribution of information about everything, including each of us, will continue. The technology enables it. The economics of the new age demand it. And nothing can contain it.

Why? Because certain revolutionary principles lay beneath this evolutionary change. Moore's Law states that processing capacity doubles every 18 months with no increase in cost. Accordingly, the processing of information about everything, including each of us, will continue to be cheaper, faster, and better -- the mantra of our new economy. Metcalfe's Law, which repeals age-old economic laws concerning value, states that as the number of facilities connecting us with one another increases, their value also increases. Think of the Internet, think of the fax, and you will understand that process.

Now, combine this exploding processing power and expanding connectivity with the transaction cost principles of economist Ronald Coase, who has correctly theorized that as the costs of accessing needed information diminish, firms whose business model has been to fill that information gap -- banks come to mind -- will be bypassed, or as folks in the book-selling business will tell you, these middlemen will be "Amazoned."

Intermediary bypass moves commercial focus to mass customization, with its targeting of individuals as unique participants in the new economy -- one-to-one marketing. But, successful and efficient execution of such marketing requires the collection and processing of information about you, information that you have controlled your whole life; personal information by which we each define ourselves in different ways to different people.

Lots of people know a lot about you, but only you know the complete picture. That's how we control our own identity. Now, as the new economics of cheaper, faster, better technologies collapse the barriers of space and distance and simplify the monumental task of watching, accumulating and identifying patterns in everything we do, this personally-managed definition of ourselves is no longer safe within our own exclusive grasp. In short, unless we choose to be a recluse, others can, and therefore must, know as much as we do about ourselves. A frightening thought, really.

Until very recently a statistical majority of the so-called "privacy pragmatists" have been quite comfortable with the personal information flow used to make life more convenient. But now these folks are feeling less secure. As the Chairman mentioned, most recently, polls show a new majority favoring regulating the way personal information is collected and used. Indeed, over 60 percent of us are "very concerned" about this issue and a whopping 87 percent believe that our privacy information will be misused.

The actual benefits of data mining and surveillance, including lower costs, higher efficiencies and protection against fraud, will be hard to see and likely will be buried beneath the demands for change. Elected officials will respond.

So, to simplify the issue in the limited time I have, I would say to you that markets ought to be given an opportunity to respond to this issue before we further layer upon existing regulations the laws that people are now clamoring for. There is, and it will be my last point, and it happened within the last two days, the arrival of a new service called StartFree.com, which couples with protected, secluded, secure privacy, free Internet access for anyone. This was just announced the day before yesterday. It is beginning in Philadelphia. Look it up. You will see that the market can and will respond to these conflicts and these issues. I thank you very much.

(Applause.)

PRESENTATION BY
JO ANN S. BAREFOOT
PARTNER
KPMG CONSULTING

MS. BAREFOOT: I am delighted to be here this morning and thank Chairman Tanoue and the FDIC for putting this program on, and I see a lot of friends in the audience.

Our topic this morning makes me think of a favorite comic strip. It is an old Agatha Crumb one. In the first frame Selzer says, "Ms. Crumb, I have good news and bad news." In the second frame he says, "The bad news is we are broke." In the third frame she says, "Well, what is the good news?" And in the last frame he says, "We are in compliance with all federal, state and local regulations." Sort of hate to say that in the halls of the FDIC here, but, as a former regulator myself, I think it makes the point that sometimes there is a divergence between the regulatory world and what we might call reality.

That goes to my theme that I want to cover in my few moments this morning, which is that we have a real danger in front of us; that in our appropriate desire to protect consumer privacy, which we need to do, we can over-regulate and really chill or kill the development of the information-age economy and the enormous consumer benefits that it offers. We have the potential that we could kill the golden goose if we are not careful.

Alan did ask us to be very brief. So what I want to do in my few moments is offer sort of three observations that seem to me to be keys about understanding this issue and getting it right, and then a couple of public policy suggestions or guidelines, which I think may be provocative with some of my fellow panelists and maybe will help start, spark some discussion.

Observation number one is, it is going to be a terrible mistake to dumb this issue down into a win/lose dynamic. It usually gets cast that way in the media and the political debate: That business is going to "win" at the expense of the consumer, who is going to be exploited, and this information manipulated, and the business will make money and the consumer will be violated. Some of that will happen. The privacy issues are real. But, more importantly, at the end of the day, the new information age economy is going to be win/win for industry but even more for consumers.

I will use another gold analogy. A few weeks ago I was in Alaska above the Arctic Circle looking for wolves. Our pilots told us a story about a gold mining friend who had searched for 20 years on his claim, searching for miles around his cabin, couldn't find anything, finally gave up, sold the place. The new owner came in, tore down the cabin and there was the gold right underneath the cabin. And I think that that is what is happening today to American business.

We realize that businesses are sitting on a gold mine in the form of information about their customers. It has always been there but, suddenly, it is newly precious because you can extract it and use it because of what technology is doing for us. That has sparked a gold rush and it is kind of a wild and crazy and unruly thing. And it is happening in the absence -- in front of -- the development of real law and order to guide what the rules ought to be; it is creating real issues. But, at the same time, we are opening up a new frontier that in the end is going to get explored and settled for everybody's benefit. I think we can too easily minimize the risks to that of regulating privacy. You cannot separate the innovations that are going to threaten privacy from the innovations that are going to unlock new consumer benefits in this new economy, in a neat way, and say, "Well, get rid of the bad and take the good." They are entangled with each other. They are the very same thing. And it is going to make it incredibly difficult to figure out how to keep the good without losing the bad in the same process.

The new economy is going to be the best thing that has ever happened to consumers. Chairman Tanoue said it and each speaker may, probably, say the same thing. I think it produces a power shift from business to consumers as consumers are empowered with choices and convenience and service and the ability to shift from a bad provider to a good provider or even a good provider to a better one at low cost. Unbelievably powerful. We need to preserve that and make sure that it can go forward.

Second observation is that the threats to privacy, having said all that, nevertheless, are real and they are truly scary. I heard a story from a colleague last week who said he had been to a commercial real estate seminar and one of the speakers was proposing that commercial property landlords monitor and mine the data in their tenants' e-mail and sell it to people. I mean, people are going to be coming up with things that we can't even begin to conceive. I think it is helpful to recognize that when we talk about privacy we are talking about trying to protect ourselves from different kinds of users.

There are the thieves and hackers. That is one set of risks -- security risks to data.

There are a bunch of people who are concerned about the government getting data. That is another issue we have in the right to financial privacy and "Know Your Customer" rules and money laundering.

And then there is the heart of this whole realm of how businesses use data themselves. How they sell it -- which is really the main focus of Gramm-Leach. And how they use it actually, internally, without selling it, which, importantly, that realm is more or less untouched by Gramm-Leach but ultimately, I think, may become the most controversial issue in the whole thing.

My last but not least observation is just that the market, as Chris Gallagher said, will go a long way toward regulating this. The public has just begun to have it dawn on them how much of a change this is. As people realize the potential for losing privacy I think there is no doubt that they are going to choose companies that they trust to protect their data and shun companies that get branded as piranhas and misusers of data. This is an issue, unlike most of the ones we see in banking and consumer protection, that everybody cares about. Even bankers want to be protected on privacy. The market will work, but at the end of the day, it won't be enough and we are going to have a huge need for regulation and huge costs of regulation. The big banks are estimating that Gramm-Leach is going to cost somewhere in the range of 35 to 50 million just to do the disclosures which, by the way, in some of the big banks, we are talking 10 to 16 pages worth of disclosure to explain what they do, which obviously has a chilling effect on consumer understanding.

So, my time is just about up. Real quickly four thoughts on what to do from a public policy standpoint.

Number one, as Chris said, go slowly, don't regulate too fast.

Number two -- and I think this probably is provocative of some of our other speakers today -- I think we should legislate and regulate before we litigate and enforce to the extent we can. Gramm-Leach is the first set of ground rules we have got to work with other than the Fair Credit Reporting Act, and it is very difficult to expect industry to follow rules and be at risk for litigation when we haven't made it clear what is expected; and companies, in good faith, are going to be having trouble getting this right.

Number three, I would caution against casting the privacy right as a property right. There is a lot of thinking along those lines: That we should own our data; we should be able to control whether it is used; we should have to be paid if someone wants to use it. It sounds good. I think it is completely unworkable and will get us into a lot of trouble.

Last, but not least, the goal should be a "no surprises" economy for the consumer. Consumers should understand what is being done and have a chance to a say about how their information will be used. Thanks very much.

(Applause.)

PRESENTATION BY
EDMUND MIERZWINSKI
CONSUMER PROGRAM DIRECTOR
U.S. PUBLIC INTEREST RESEARCH GROUPS

MR. MIERZWINSKI: Thank you very much, Chairman Tanoue for inviting me to speak. I am Ed Mierzwinski with the Public Interest Research Groups.

In most of the countries in the world, privacy is treated as a human right. It is treated as a liberty, a freedom. Here in the United States, consumer privacy is a commodity. And with the decreased price of computer time, the decreased price of computer storage and increased access to information, as the keynote speaker, Mr. Douglas, pointed out, there is just a tremendous amount of ability now to mine information.

Now, in my view, there has been also accompanying that increased ability to mine information a whole lot of mission creep. A whole lot of information is being mined solely because it can be mined, not because there is any value to the consumer -- value to the data subject -- and it is being mined without the consumer's consent, let alone, excuse me, without the consumer's choice, let alone his or her consent.

Here, largely due to the political power of many of the organizations represented in this room, and I don't know if the Direct Marketing Association is here as well as the bankers, but I would certainly give them credit as well. We have had, we got off to a very good start in the early 1970s in the United States in terms of developing privacy policy. The original Fair Credit Reporting Act, for all its flaws, was based on fair information practices. It was based on a series of principles, embodied also in an old HEW report that became the basis for the principles that govern government use of information in the 1973 Privacy Act.

Those principles, that give consumers notice, consent -- not choice but informed consent -- the right to access and correct their records, the right to know about any databases containing information about them, and the right to prohibit against secondary uses without their consent, made a great deal of sense when they were originally proposed and developed here in the United States, in the original Fair Credit Reporting Act and in those previous studies and laws. They became the basis for the OECD Guidelines in 1980. Those guidelines were endorsed by some of the biggest businesses in the United States at the time and by the United States. They became the basis for the European Data Directive. Meanwhile, here in the United States privacy law then passed by fits and starts.

Industry likes to say, "Oh, we have a sector by sector approach because that is the logical way to do it." Well, guess what, the sectors are all converging. The sectors are all merging. The convergence of industries across sectors with telephone companies, with media companies, with the Time Warner AOL merger, with the Citibank merger with the Traveler's Insurance Company, with all the other mergers going on, with money looking more and more like information and information looking more and more like money, the role of banks is changing and the role of other companies is changing.

And I submit that, rather than a sector by sector approach -- rather than a Gramm-Leach-Bliley, industry-written, anti-privacy provision that really doesn't protect consumers in any logical way and isn't based on fair information practices -- we need an overall right to privacy in federal law that applies to consumers in any transaction.

I certainly think Gramm-Leach-Bliley gives us a start towards that because it includes, in addition to its flawed opt-out-some-of-the-time provisions but not-all-of-the-time provisions, it also includes the so called Sarbanes Amendment, and the Sarbanes Amendment has encouraged the States -- which Joseph Brandeis called the laboratories of democracy -- to go out and test new privacy ideas that are better than what we have in Gramm-Leach-Bliley.

What is the difference between an affiliate transaction and a nonaffiliated third party transaction? What is the difference between an affiliated transaction and a joint marketing arrangement with a third party or a contractual arrangement with a third party? There is no difference to the consumer. A lot of consumers, not a lot but some consumers, go on the Jerry Springer Show every day. A lot of consumers don't want anybody to know any of the kinds of things other people say on Jerry Springer. Those consumers ought to have privacy rights. And I don't think Gramm-Leach-Bliley gives them. But I think it has encouraged and developed a healthy debate across the country.

The ideas are also being presented by a new bipartisan, bicameral privacy caucus founded by Senator Shelby, a conservative Republican, along with Congressman Markey, a liberal Democrat, and Congressman Barton, a very conservative Republican. Those members of Congress are having their first meeting this afternoon, so this is a very big day for privacy here in Washington. Attorney General Hatch, one of the speakers here, is also going to be speaking to that privacy caucus as is Attorney General Spitzer of New York. And I am encouraged by the activity in the States that may bring us more privacy protections.

I want to point out that consumer groups are not against information sharing. We are against information sharing without consent. We are against sharing customer information for secondary purposes, not only for marketing purposes but also for underwriting purposes, without subscribing to the fair information principles. And that is what the Markey/Shelby Bill does; it creates strong, fair information principles under an opt out privacy protection scheme that really makes a great deal more sense than Gramm-Leach-Bliley.

I am encouraged by what the regulators have done in trying to stretch Gramm-Leach-Bliley to the limits in their proposed regulations but, ultimately, I think it is rearranging deck chairs on the Titanic, and that is why I am looking forward to what the States come up with.

Thank you.

(Applause.)

PRESENTATION BY
JULIA F. JOHNSON
SENIOR VICE PRESIDENT
BANK ONE CORPORATION

MS. JOHNSON: I would like to thank the FDIC for inviting me here today to participate in this forum.

The financial service industry, consumers and the government are equal stakeholders in this issue. As the industry evolves in a post Gramm-Leach-Bliley world coincident with changing technology, it is crucial that we work in a spirit of partnership. I think that this forum provides a wonderful start to that and thank Chairman Tanoue for your leadership in bringing us together.

I would like to reinforce the notion that the protection of customer information is the foundation upon which trust is built. The prudent use of information is likewise the foundation of superior customer service. Without trust and the ability to deliver the products customers want -- when and where they want them -- financial service companies cannot and will not survive.

We have experienced rapid consolidation in the banking industry over the last 14 years. Yet consumers still enjoy an infinite variety of choice among providers. The Internet will expand the array of products and will, I believe, further the considerable democratization of credit in America. I don't think we truly appreciate in this country the status of the American consumer, with respect to access to credit, which is the equivalent to that enjoyed in other countries only by large businesses and sovereign governments.

Also important to remember is the portability of credit in America. The fact that an individual can be born and raised in one state, schooled in another, and live and work in multiple places during the course of a career and have consistent and immediate access to credit, should not be taken for granted.

The democratization of credit and the portability of credit are made possible by the collection and use of information. This system works because we all participate in it and it is reliable. It depends as much upon the free flow of public record information as it does upon the full and complete reporting of financial institutions to credit reporting services.

In addition to enhancing the availability of credit, information sharing has enabled the industry to develop very sophisticated neural networks to identify and stop fraud. Losses due to fraud have dramatically decreased over the last several years. But, at the same time, the incidence and the fear of identity theft is on the rise. And I think that this is an area where we must focus more attention and we must work collaboratively to protect our customers and to assist victims. The FDIC, Treasury, the Federal Trade Commission, Justice, consumers and the banking industry have committed to working together on the prevention and remediation of identity theft. During the coming months, banks will be re-examining their own practices.

We will be participating in renewed efforts to educate consumers and raise public awareness to reduce the number of consumers who suffer as victims of identity theft. Obviously, customer confidence is key to the growth of electronic commerce and we are pleased that the Internet community is actively participating in the dialogue to determine how we can balance the needs of consumers, commerce and law enforcement in the area of identity theft.

Turning away from the emerging world for a moment, I would like to look back at how most large banking institutions have evolved. When interstate banking took place around 1986, a gradual expansion took place. Mergers occurred in a patchwork fashion, depending on state reciprocity laws and takeovers were effected in communities where other banks had failed.

The result today is a strong banking system with, as I stated earlier, an infinite variety of financial institutions. Part of that infinite variety though is corporate structure. Many banks offer products and services through a diverse assortment of affiliates which exist for any number of reasons. To the customer, we are "the bank." A Bank One or a Wells Fargo customer, for example, with an account in Texas experiences virtually no interruption of service when visiting a branch in Arizona or Colorado. Yet Texas, Arizona or Colorado branches are each a part of a separate affiliate institution. Likewise, in some institutions, mortgage lending may take place in one affiliate while home equity lending takes place in another. In other institutions first and second mortgage lending take place in the same affiliate.

There has been a lot of heat and light generated around the issue of affiliate sharing. But, I think, perhaps more heat than light. This is an area where we need to proceed deliberately and, indeed, it will be a customer communication and a customer service challenge for us to ensure our customers understand the particular benefits of information sharing in our individual institutions. The decision of Congress not to legislate restrictions in this area does not constitute a loophole or a weakness in privacy protection. It reflects an understanding that banks are structured in many ways for myriad reasons. We work very hard not to let cumbersome corporate structures and legacy systems impair our ability to serve the customer in easy, safe and convenient ways.

And finally, I would like to emphasize that we view the privacy expectations of our customers as integral to customer service. We are committed to clear disclosures and to the exercise of informed choice. Our policies and our practices must not only be understandable to consumers but to our employees as well. Many of our employees wear the hats of multiple affiliates. It will require systems redesign, new business rules and extensive employee training. The time frame is very short and mistakes will be very costly. We hope consumers and the federal agencies will be pleased with our efforts and continue to work with us as trusted partners, because our future really does depend on it.

Thank you.

(Applause.)

PRESENTATION BY
FRANK C. TORRES, III
LEGISLATIVE COUNSEL
CONSUMERS UNION
WASHINGTON, D.C. OFFICE

MR. TORRES: Good morning.

I was told that if I speak louder it is better for the mike, but I will try not to shout too much.

I was trying to think of some clever anecdote on my way over here this morning on the Metro and I was thinking about using the theme of kind of big brother. It used to be that everybody thought government was big brother and then, now, it has become almost financial institutions and all these Internet companies have become big brother. And then thinking back in my own memory, I remembered that in our eighth grade class production of George Orwell's 1984, I was the voice of Big Brother, and that is kind of an ironic twist of fate.

In the midst of the privacy battles on the Gramm-Leach-Bliley Act and in the aftermath of working on that issue, I realized -- I have always realized that privacy is an important issue for a lot of people, not just in this country, but around the world. But, I really realized that privacy was a very, very important issue when the Rob Lowe character on the West Wing, Sam Seaborn, made the comment that privacy is the issue for the New Millennium. So it is an issue that is not a trend, it is not a fad. It is not going to go away. But, I think if we all work together we can constructively address this issue in a way that protects privacy and allows the business community to do what they need to do, to serve the public. Strong privacy protections and consumer choice and consent and control over some of their information, isn't incompatible with sound business practices.

I think there are a couple of factors, though, that have led us to where we are. First of all, consumers are fed up with aggressive intrusions on their private lives. Institutions like those in Minnesota and New York are caught crossing the line when it comes to privacy. And members of Congress have stood up and said, wait a minute; they are shining the light on what is going on with this issue and they are willing to work to ensure that consumers are told how their information is being collected, how it is being used, to ensure that consumers get some choice and say in the matter, and are provided access to the data.

Ed already mentioned it and I am going to put in a plug again. There is a congressional privacy caucus, a briefing this afternoon, with the Attorney Generals from New York and Minnesota. This is a very important dialogue. And one that will likely continue as the debate goes on.

Now, do consumers care about privacy? I think there are some enlightening numbers that have come out. According to a Forrester Research Survey of online users, 67 percent said they were "extremely" or "very" concerned about releasing personal information over the Internet. It is estimated that those fears may have resulted in as much as 2.8 billion dollars in lost sales for Internet retailers in 1999. The lack of privacy is costing business. I was looking for this number and yesterday, actually, Microsoft, of all companies, ran an ad called "privacy in the online world," and it had this number in it. And I thought, timing is everything. So, I thought that was great and thank you to Microsoft for providing me with that number.

A new Business Week/Harris Poll showed that 92 percent of Internet users are uncomfortable about websites sharing their personal information. But, here is the big number for me: 57 percent favor the Government passing laws on how personal information is collected and used. So, Americans want -- this is a concern, privacy is a concern -- and they believe that Government should do something about it.

The ability to collect, share and use data in all sorts of ways boggles the mind. I am on an FTC advisory commission on online security and access, and getting outside of talking to just the lobbyists and the advocates on this issue, and talking to the people that are doing this, you know, the Internet upstart companies where they are collecting information or they realize how information can be collected. I mean, it is truly mind boggling what can be done. But, here is what the problem is: Consumers in many cases aren't even aware that data is being collected about them in the first place. And they don't understand how profiles are being created - and worst of all, they are not understanding how all this information is being used. Some of it may be used to market to them, but how much is being used to make decisions about certain things. And it becomes increasingly problematic when these types of decisions are like, "Here is how much your credit is going to cost you," or "Here is the type of loan products that you will get, but you won't see these over here." So, these are some troublesome things that we need to get to.

Now, what about the protections that consumers have today. As Ed pointed out, you know, the much vaunted privacy provisions of the Gramm-Leach-Bliley Act simply don't protect consumers' privacy. And it is funny if you listen to who thinks this is the best thing since sliced bread versus the privacy advocates -- some members of Congress, ARP, some unions, the American public, some of them, who don't think that Gramm-Leach-Bliley went far enough when it comes to protecting consumers. I think that is a very telling thing. And because the underlying bill is bad, the implementation of regulations provides little comfort that people's personal information will actually be kept private.

That having been said, I do want to say that the regulators, given the tools that they were given, did a very good job about defining some things like basically the regulation covers any information a financial institution collects about anyone. That is a good thing. Transaction and experience data, data that you put down on an application. These things are important. On what is public versus nonpublic: Everybody has said, or people kind of think that, "Oh, well, names and addresses, that is public, because that is widely available." Well, a larger, and I don't have the exact number, but there is a big percentage of people in this country that keep unlisted telephone numbers. So, we kind of make some of these assumptions.

I recently talked to the bankruptcy trustees, who are very concerned because they have a database of public information about people filing for bankruptcy. But, if you want to file for bankruptcy, you have to file all this information with the court. But, now they are concerned because this is a wealth of data. It is public data, but should they make it widely available? Should they be, should they allow widespread access to this database that they have on people? And we have got to get to some of -- what the technology allows us to do.

I see my time is running out. So, I will skip down to some, what I think are some very big points.

We need stronger laws. Anybody who has heard me speak before knows that that is what I have always said. We need stronger laws, like the one introduced by Senator Shelby and Bryan, and Congressman Markey and Barton. The bill that they have introduced will put power and choice in the hands of consumers regarding the collection and use of their personal information. That is simply what we are asking for.

And actually some web businesses already seem to be moving in this direction, not all of them, but some of them. There no longer seems to be a question, for some of these companies, of whether consumers should get notice, and very meaningful notice, of exactly how their information is being collected and used. Or that consumers should get access to this information. Or that they should have some level of control over the information that is collected about them. The challenge for us is going to be how to effectively put these principles into practice. I mean, that is going to be the tough part and what we are trying to work on.

What about privacy policies? Privacy policies simply aren't a substitute for privacy protections, especially when some companies don't even follow their privacy policies. And having a privacy policy doesn't mean that you are, or give consumers any assurance that that company or business is following fundamental Fair Information Practices. And consumers are skeptical about self-regulation. Only 15 percent of those surveyed in the Business Week poll supported developing voluntary privacy standards. Nor has industry shown the willpower to adopt adequate self-regulatory programs. We saw this on children's online privacy. Companies didn't have the wherewithal to do this.

Today there are lots of business models that are based on the collecting and selling of information. And we have heard about some of those today. Financial institutions want to get into this business, too -- Julie Williams referred to this in a recent speech -- and the Financial Services Roundtable, an industry trade association, recently asked the Federal Reserve for expanded powers to get into the data processing business. It is my understanding that the Federal Reserve Board turned them down, but this is an issue.

My final point is, "Will consumers actually benefit from all this data sharing?" Financial institutions promise that we would see better, faster, cheaper products if they were allowed to keep and have all this data and consumers didn't get control over it. But, you know, what is the final answer for all of this? I mean, are consumers actually going to see this?

Bank fees for many consumers continue to rise. Information about financial health may actually be used to the consumer's detriment if it is perceived that the consumer will not be as profitable as other customers. Both Freddie Mac and Fannie Mae have said that between 30 and 50 percent of consumers who are getting subprime loans now -- don't qualify for conventional loans -- may actually qualify for more conventional products. Despite all the information that is available to lenders today, people aren't getting loans that they are qualified for. What is more information going to do? Credit card issuers continue to issue credit cards to imposters, thus perpetuating identity theft even when some of this could have been prevented if they simply double check the addresses. If you have been receiving the same bill at or your credit card bill at the same address for 12 years, why is the credit card company issuing a credit card to somebody in a completely different state, who happened not only to change addresses, but also to lose their credit card at the same time? These should be sending up some red flags. Banks aren't using the information that they have today. And instead of offering affordable loan products, banks are getting into payday lending and all sorts of other things. And when lenders choose not to share information, it is usually to a customer's detriment, like sharing good credit histories that would likely mean less cost for consumers.

We think maybe the right approach to this was stated maybe best by Comptroller of the Currency, Jerry Hawke, when he said, "Why not let -- why not set up a system where it is up to the institutions that want all this information to convince the consumers in the marketplace," -- you know, the micro sellers of the world, -- to say, "If you want all this information about me, and you want to have my personality in your database, then convince me that that is the right thing for me to do. That I am going to see better, cheaper, faster and give me the choice of sharing it with you instead of stealing it from me." Sorry, I went on for so long, but thank you.

(Applause.)

PRESENTATION BY
THOMAS J. SHEEHAN
CHAIRMAN, PRESIDENT, AND CHIEF EXECUTIVE OFFICER
GRAFTON STATE BANK
GRAFTON, WISCONSIN

MR. SHEEHAN: Good morning.

I want to thank Chairman Tanoue for inviting me to participate on this panel and to provide a community banker's perspective on this important and timely issue.

Community banks have a long tradition of safeguarding the confidentiality of their customer information. Community banks are to a great degree in small towns of America. We have a number of community banks in larger cities, but many of our banks are in the Midwest, smaller towns, rural America. My little town of 10,000, north of Milwaukee, is an example of where most community banks are. You know, small towns are a little different than Washington, D.C. and some of the bigger cities. Sometimes you can tell it is a small town: If Third Street is on the edge of town, you know, that is usually an indication. And in our town you don't use turn signals because everybody knows where you are going anyway. So, it is a little different sometimes than the bigger cities.

But we know that it is central to maintaining the public trust, and is key to long-term customer retention, to safeguard the customers' privacy. Customers simply have too many options in the marketplace to stay with a bank that violates their privacy and/or confidentiality. I believe it is critical for us to let our customers know through adoption and dissemination of privacy policies that their financial privacy will be respected and protected when they conduct business at a community bank.

How do we safeguard our customers' information? We do it in a number of ways. We implement policies and procedures to protect confidentiality. We use passwords to access information and limit access to certain employees; we shred documents, educate and train our employees, create a culture of confidentiality and discipline employees who violate the policies. In small towns, everybody knows each other and I occasionally get calls from a customer that we have just hired one of their relatives and the customer wants to make sure that that relative doesn't have access to their personal information. We have a different level of confidentiality in small towns than you have in big cities.

At the same time, no bank is an island, to paraphrase John Donne. Community banks, like all businesses, must rely on a variety of third parties if we are to provide everyday, routine banking services to our customers efficiently and at the lowest cost. Many of us use outside service providers to perform functions for the bank. A data processing service bureau is a prime example. In order to process our customers' transactions, and service their accounts, information must be shared with third parties. Just think about the process of check collection or the processing of an ATM or credit card transaction. And many community banks partner with other financial institutions to provide a fuller array of financial products and services to their customers, such as insurance and investment products, that we could not provide alone.

In these instances as well, community banks keep their customers' privacy and confidentiality paramount; we carefully select reputable outsourcers and third party partners. We carefully review and limit the customer information that may be shared with the third parties and require a written contract to maintain the confidentiality of customer information. Typically, the agreement provides that the customer information remains the property of the bank; the third party may use the information only for purposes specified in the agreement and may not transfer it to anyone else; and access to the information must be limited to those employees who need it to perform the services on behalf of the bank. Many community banks do not share any customer information with third party partners for marketing purposes.

The Gramm-Leach-Bliley Act contains the most comprehensive, complex consumer financial privacy protections ever enacted into federal law. Every provider of a financial service or product must annually disclose to its customers the details of its information sharing practices with affiliates and third parties. Customers will have the opportunity to "opt out" of having nonpublic personal information shared with unaffiliated third parties, but not affiliates. And third parties that do receive information may not transfer it on to others.

To take account of legitimate information sharing needs, the opt-out requirement is subject to a number of exceptions. As made clear in the Conference Report on S.900, these in part are designed to prevent discrimination or competitive disadvantage to community banks because of our relative small size and organizational structure -- in particular our use of outsourcers to perform operational functions for the bank, and our relative lack of significant affiliates. Recognition of these differences is critical if community banks are to provide a competitive alternative in a world of ever larger financial conglomerates.

The Gramm-Leach-Bliley privacy title creates new administrative and regulatory burdens, even for the community banks that do not share any information with any parties that would require an opt out. These burdens will impact community banks disproportionately because of their finite and limited resources, further reducing their ability to compete vis-a-vis larger institutions. Some community banks may decide it is not cost effective to offer related products and services because of these burdens, once again reducing customer options and choice.

A number of States are currently considering legislation that would impose different restrictions than the federal law. The new federal law should be given a chance to work. States should defer action until Gramm-Leach-Bliley has been fully implemented and its effects and consequences can be properly assessed.

The bottom line is that when undertaking legislative and regulatory action to protect the customer's confidentiality, policymakers must strive to maintain an appropriate balance between the critical protection of consumer financial privacy and community banks' legitimate information sharing needs.

I look forward to the discussion and question and answer portion. Thank you.

(Applause.)

MR. MURRAY: All right. Let's try and mix it up a bit here, in the time we have left.

Mr. Gallagher, if I can start with you. Consumer advocates like Mr. Mierzwinski and Mr. Torres say that the right model should be not an opt out model, but an opt in model. It is my information. Why shouldn't you have to get my permission before you share it with either your affiliates or with outside companies? What is wrong with an opt in model?

MR. GALLAGHER: Well, I think the opt in model may go too far and may break down the system. And by way of explanation to that, let's look at what has happened in this debate. You have one side saying government is the only way to solve this; we need more laws; we need to lay in more laws like opt in with all the existing laws we have. While the other is saying, markets can work and markets will work because we have a consumer that has a raft of choices and can execute those choices clearly and there is no more place of wider choice than financial services.

Let me suggest that there is a third way here, which I think is evidenced in the Gramm-Leach-Bliley Act. It isn't so important that the regulators are enforcing strictly that is key. What is important about Gramm-Leach-Bliley is that it puts into effect -- and we should give it a chance to work -- a mechanism for informing these consumers. When you have an informed consumer, it is a different proposition. Self regulation didn't work because it is a little -- because everyone isn't going to do it. And when the consumers didn't know about what was going on, they weren't informed. It does -- think of how you feel when you hear, "Well, this has been going on for years. The employees in this restaurant have never washed their hands." Well, that is a very uncomfortable proposition and you are probably going to bring a sandwich next time. The idea, the idea of being informed, makes a consumer choose. Gramm-Leach-Bliley puts those into effect and that is what will make the market respond.

MR. MURRAY: Okay. Mr. Mierzwinski, what about that? We don't need opt in, it would hurt the business. All we need is good information. Give us good information and let consumers make their own choices.

MR. MIERZWINSKI: Well, first of all, one thing about opt in, opt out, I think -- I have talked to some of the techies and I know others have talked to the techies, opt in and opt out are the same thing from the techie perspective. So, they can do opt in cheaply. And what they are doing with opt out, I am sorry, what they are doing with disclosure now, is they are obfuscating the issues. And I would encourage the regulators to reissue their best practices paper and to take a hard look at some of these disclosures. They are really waivers. One privacy expert ran one of them or several of them through a grammar testing software program. You had to be a graduate student to understand most of the bank privacy disclosures. So, the banks aren't doing a good job of disclosing. That is why we need some sort of control.

MR. MURRAY: Ms. Barefoot, let me ask you. You argued that this, in this brave new world of information sharing, consumers win some. It is not all negative for consumers. What would consumers lose, what would the consumer lose -- not the businesses, the consumer -- lose from an opt in approach?

MS. BAREFOOT: The power of consumer inertia is enormous. There is an infamous story in consumer compliance about a bank that inserted a statement in its, I think it was its Reg E disclosure statement, that said if anybody brings this in, we will give you a hundred dollars and nobody ever showed up. People don't always read the disclosures, no matter how conscientiously they are written. Therefore, whichever way it is, most of the consumers are going to be in that camp. So, you have to decide where you want the default position. My argument would be leave the ones who don't care enough to pay that much attention, and let the market go forward and see where we get.

MR. MURRAY: Okay. Julie Johnson, several of you have made the argument that the market will find solutions to this. But, we live in a country that has the most vibrant banking sector in the world, in part, I would argue because people have confidence in the FDIC, because people have confidence in the regulatory structure that stands behind that. We live in a country that has the most vibrant pharmaceutical businesses in the world, in part because people have confidence in the FDA and the strong regulatory process behind that. What is wrong with a similar model for information, for privacy? Why wouldn't a good strong privacy law and regulation increase consumer confidence and allow for a more vibrant marketplace as you have in banking and pharmaceuticals?

MS. JOHNSON: You are assuming that Gramm-Leach-Bliley is not a good strong privacy provision and I would argue that it is. Or that it will be and that we should be confident in that. I think that, again, we look at it as a part of customer service. It is something that is going to differentiate ourselves. As many choices as we can give the consumer, we want to. We don't want to scare the consumer. We don't want to turn them off. And frankly, banks have never been in the business of selling information about the financial condition of their customers. And they haven't and they won't going forward. So, I think again, that there has been, I don't know, a lot of, some unfortunate incidents. I think that the U.S. Bancorp was a real wake up call to anybody who ever thought about doing that kind of thing and I actually think that it was probably more carelessness on their part at U.S. Bancorp than anything else.

When we talk about, in the area of telemarketing, for example, and sharing customer information, I think that we tend to forget where we came from there. It was actually an attempt to protect consumers and we spent years in the industry telling people, "Don't ever give your account number out over the telephone to anybody". So, that is how we got into this business of sharing account numbers. Again, pursuant to contracts and under strict conditions. But I think that maybe things got a little sloppy and that is where U.S. Bancorp may have wound up.

MR. MURRAY: Mr. Torres, I don't want to hold you responsible for what Mr. Mierzwinski said, but I know you two are soul mates, work together on a lot of issues. He talked about the, how wonderful it is that we are having state experimentation with this issue. Now we live in a world where state borders mean, in terms of commerce, mean less and less and less everyday; where commerce is being done across those borders by Internet companies, by banks, more and more. How can state experimentation be a good idea? How can it be a good idea to afflict these vibrant new businesses with 50 different regulatory structures?

MR. TORRES: Unfortunately, we don't have a federal law right now that adequately protects the privacy of consumers. So, why not let the States, like California and Minnesota, protect their consumers --

MR. MURRAY: So, state --

MR. TORRES: Who are abused under laws that and -- actually, if I could just say one thing. Under Gramm-Leach-Bliley the problem that happened in California and the problem that happened in Minnesota -- had the companies had joint marketing arrangements with those companies or they could have been classified as servicing accounts, consumers under Gramm-Leach-Bliley wouldn't get the ability to opt out from having their information shared with these companies, and you wouldn't even get the disclosure that your institution was sharing the information with these companies. Why can't States come in and act and do something about that?

MR. MURRAY: So, you are saying state regulation is a good idea, if there is lack of federal action and as a prod for federal action.

MR. TORRES: Right. Where we typically come down is, you know, if the federal law wants to come out and set a floor, let the States come in on top of that and pass stronger protection laws if they are necessary.

MR. MURRAY: Does anybody want to argue with that? Go ahead.

MR. GALLAGHER: We have had a dual banking system for years. And I believe that that has worked well and the laboratory for Democracy and the laboratory for NOW accounts and laboratory for this and that, and the other thing have worked very well and kept people competitive. When we are talking about communication of information, we are talking about something very different. And when you add opt in, you add costs, you add inefficiency. When you have different states with different rules, you add costs, you add inefficiency. Those are going to have to be picked up by the other consumers, who shouldn't have to pay those costs. Where we really want to get to in this business is right pricing. Each person paying the right price for the right service that they need and they want, and I think that will be impeded when you have different laws applicable if this were opt in.

MR. MURRAY: Mr. Sheehan, we have been talking about market solutions to this issue. One market solution that is occurring, I saw a survey yesterday that said that now people who use various online services routinely, routinely lie about their personal information. That as much as one third of the information they will put on there will be incorrect. Is that a problem for financial services if people decide, in order to protect their privacy, that it is okay for them to willy-nilly put down false information?

MR. SHEEHAN: Well, it may be a problem for some areas. It is not a problem for community banks. Most of our relationships are one-on-one personal relationships. We do have, obviously, other ways to connect to our banks, but we know our customers very well. We know them personally.

MR. MURRAY: They can't lie. You will find out.

MR. SHEEHAN: Well, they can lie but we can generally check on that in a very normal way without invading their privacy. It is a real shame that the ultimate result of all of this, because of a number of large banks' indiscretions, is causing small banks to have to deal with a greater level of burden regulatorily than we would have before. As something somebody pointed out before, disclosures are not generally read by the public and we are now going to have to implement a new disclosure that is going to be extremely time consuming, extremely expensive, you know, and really not directing itself at community banks, who have never really had a problem in protecting the privacy of their customers.

MR. MURRAY: I have a question here from the audience. But, before I take it, can I take questions directly from the audience as well? Okay. I am going to do that as soon as I read, as soon as I read this question, which came to me on a card.

Are there particular, this is very high tech here. Are there particular dangers or benefits for low and middle income consumers as compared to middle and upper income consumers in the way the companies are likely to use their personal information under Gramm-Leach-Bliley? Go ahead, Jo Ann.

MS. BAREFOOT: I think maybe Frank touched on this and I do think this is going to be one of the sleeper issues that is coming behind this first wave of notice and choice on privacy, as the data get used in new ways, the whole thing is going to be about differentiating and treating customers differently. Different levels of service, different products, different risk assessments, different pricing, and so on. And that is going to be good in many ways as I said in my comments, but it is also going to be definitely creating issues for customers who are perceived as less desirable, less profitable, higher risk. And I think there will be a huge set of issues around discrimination. Yes.

MR. MURRAY: Okay. Let's go here to the audience. If you have a question, please raise your hand so the people with the microphones can get to you. And we have a question here in the back.

MR. CLARK: Yes, my name is Drew Clark with National Journal's Technology Daily. Mr. Douglas, in his introductory remarks said that he was unaware of any great database in the sky that can be accessed, but there is, of course, FINCEN. And I wondered if any of the panelists could comment on either its accessibility to financial institutions from data that is forwarded onto the Federal Government's Financial Crimes Enforcement Network, but also whether any of the data collected under "Know Your Customer" mandates by the Federal Government is in any way repackaged, marketed, sold and whether that has privacy implications for the future?

MR. MURRAY: Who wants to take that on?

MS. JOHNSON: I am not, I am not an expert in this area at all, so maybe it is dangerous that I am even attempting an answer, but I think that we should understand that we are not in the business of collecting information for the Government. We have information that we collect in order to serve our customer, that the Government oftentimes finds useful to use. So, I think there is a little bit of a flip there because if you are looking, you have a very suspicious activity, that can only be identified in the context of what we would see would be a normal activity for that customer based on what we know about the customer. So, I think that the issue is that the Government is a user of information that we have otherwise collected for purposes unrelated to what the Government's interests are.

MR. MURRAY: Who else has a question? Right here.

AUDIENCE: Going back to that opt in, opt out question. I am just wondering why, if the benefits to the consumers are so great from the dissemination and collection of this information, why would that not be incentive enough for consumers to go along with an opt in?

MR. GALLAGHER: Well, I think that is a question and it is an important question. And it is the argument being made by Comptroller of the Currency and others. I think the answer is that the system doesn't work very well. It is largely assumed that that is the system in Europe and in fact, it is only used in Europe rarely and in only very sensitive information involving medical issues and so forth. I think, what is at the heart of all of this, is we all agree that the consumer needs to be informed, that the fair information practices that Ed has talked about are the right way to do it, notice, choice, access, security and enforcement. That is what we should all be doing. The question is should we do it statutorily? Should we allow the market to do it? Or what combination of these should we do? I think what those of us on our side of the table are saying is that we will get there, and we will get there quickly, if we let the market do its job and the market will react. It took about two weeks for DoubleClick to figure this out, and you saw what happened with DoubleClick.

MR. MURRAY: It took about two weeks for DoubleClick to figure it out and we -- I will plug this a little bit, I think we wrote the first story on DoubleClick so I will take it -- it took a very short period of time for DoubleClick to figure this out. But there are thousands of companies out there. I mean, and even if you get the big ones, through self-interest to be good actors, aren't they all hurt when the next one down the food chain decides to take a looser approach?

MR. TORRES: Well, it took DoubleClick two weeks to figure it out, but that was only after several lawsuits were filed against it, there is an FTC complaint, and several attorney generals started an investigation. And what did they wait for?

MR. GALLAGHER: Well, and AltaVista said, "We're leaving," and the market cap went down about 22 percent. So, that's what moved them and I think that is what is going to move them all.

MR. MURRAY: Anyone have a last, very quick question?

All right, if not, then thank you very much. There will be a 15 minute break before the next panel begins.

PANEL II

CHAIRMAN TANOUE: Okay. Let's start the second panel.

As all of you know, each of the Federal Banking Regulatory Agencies has issued for public comment a proposed regulation regarding the privacy of consumer information as required by the Gramm-Leach-Bliley Act, and we're all accepting comments throughout the end of the month. We're also accepting comments here today, and there's a table outside where you can provide comments, out in the lobby.

Our next panel will summarize the regulation, the proposed regulation, and field any questions or comments that you might have. The panel Moderator is the Honorable Edward Gramlich, Governor of the Federal Reserve Board.

Before becoming a member of the Federal Reserve Board in November of 1977, Governor Gramlich served as Dean of the School of Public Policy at the University of Michigan.

He also has served as chair of the Advisory Council on Social Security, Deputy Director and Acting Director of the Congressional Budget Office, and Senior Fellow at the Brookings Institute.

He brings with him today all of that experience. Please help me in welcoming Governor Gramlich.

THE HONORABLE EDWARD GRAMLICH
BOARD OF GOVERNORS
FEDERAL RESERVE BOARD SYSTEM
MODERATOR

GOVERNOR GRAMLICH: Thank you very much, Donna. A couple of things to start.

First, I'm battling a head cold. I sound worse than I feel so that the main cost will be on you. But, I hope my voice gets better as I go.

I've actually been at the Board since 1997, only two years, and some of these privacy issues are new to me, but we are thrust right in the middle of this.

Privacy seems like a very good thing if you go to cocktail parties or something and people ask you about that. Obviously, we're for it. But, one thing you learn when you take the regulator's side is that things can get a little complicated in defining exactly what information is to be protected and so forth.

We have got a panel here today and these are the four institutions that are hashing out these regulations that are now out for comment.

I'm not going to say too much about privacy because we've structured the panel such that the topic ought to be thoroughly covered.

The first speaker is going to be Steve Cross, from the FDIC, who will give an overview of the privacy regulation and what it attempts to do.

And then Scott Alvarez, my colleague at the Fed, will talk about the information and institutions to be covered.

Then, Amy Friend from the OCC will talk about the distinction between customer and consumer that, before we got into this, I wasn't even aware of that important distinction. But, it is important, as you will hear.

And then, finally, Richard Riese of the OTS will talk about the Opt Out Provision.

The way this is worked is each one of us is thoroughly wired and so the less mobility we have up on the stage, the better. We could have some kind of tragedy here if somebody trips over somebody else's wire.

(Laughter.)

So I am going to read quickly the bios of all four speakers and then they can get up and I don't have to keep popping up, and we'll come up later on for the question period.

Steve Cross was named Director of FDIC's Division of Compliance and Consumer Affairs in June of '99. In that capacity, he is responsible for managing the FDIC's program for supervising banks' compliance with consumer protection and disclosure laws, Fair Lending laws, and the Community Reinvestment Act.

He serves on the FDIC's Senior Management Committees, including the Chairman's Working Group, the FDIC Operating Committee, and the Supervisory Appeals Review Committee.

He has a Ph.D. in Economics from the University of Virginia and a B.A. in Economics from Texas Christian University.

The next speaker will be Scott Alvarez, who is the Fed's Associate General Counsel of the Banking Structure Section of the Legal Division.

Scott joined the Fed back in 1981 as a staff attorney and he has worked his way up to his present position. He became a Senior Attorney in 1985 and Assistant General Counsel in 1989, Associate General Counsel in 1991.

He was a graduate of Princeton and he got his law degree from Georgetown University Law Center.

Amy Friend is Assistant Chief Counsel of the Office of Comptroller of the Currency. Amy is chair of the privacy working group and has been representing the OCC in the privacy rulemaking under the Gramm-Leach-Bliley Act.

Prior to joining OCC in January '98, Amy was Minority General Counsel for the Committee on Banking and Financial Services in the House. She worked in the Congress for ten years as General Counsel to both the House Judiciary and House Banking Committees.

She's a graduate of Pennsylvania and, again, the Georgetown University Law Center.

The final speaker is Richard Riese, who is the Director of Compliance Policy at the OTS. He's a member of the Consumer Compliance Task Force for something known as the Federal Financial Institutions Examination Council.

He's been an Assistant Chief Counsel in OTS Enforcement and a Special Assistant to the Director of OTS. He's a graduate of the University of Delaware and has both a Law degree and a Master's in Public Policy from Pennsylvania.

So, at this point, let me turn it over to Steve Cross and he will give you the broad overview of privacy. And then we'll take it from there. Thank you.

(Applause.)

PRESENTATION BY
STEPHEN M. CROSS
DIRECTOR
DIVISION OF COMPLIANCE AND CONSUMER AFFAIRS
FEDERAL DEPOSIT INSURANCE CORPORATION

MR. CROSS: Governor Gramlich. For those of you in the audience, you might see that I'm giving new meaning to the term "heavy hand of government".

(Laughter.)

We've talked a lot about Gramm-Leach-Bliley already today. We're going to talk a lot more about it in the next forty-five minutes.

The law was passed in November last year and among its many provisions was a requirement that, within six months of passage of the legislation, the agencies issue privacy regulations to implement the privacy provisions in the law.

Those regulations are due May 12. Currently, there are regulations out for public comment.

What I'd like to do today is talk to you very briefly about three key issues that the regulators are dealing with in these regulations.

The first, as Governor Gramlich alluded to, is the issue of:

What information is provided protection under the law and regulation?

I have to introduce some terms. And these terms can become confusing, particularly in light of our mandate to speak in plain language. But, I'm going to use the words of the regulation, nonetheless.

First is "nonpublic personal information."

The second is "personally identifiable financial information."

And, the third is "publicly available information."

As you look at the regulation and consider comment on it, and as you hear us discuss the regulation, please pay particular attention to those three terms.

The law gives individuals the opportunity to opt out of the sharing of nonpublic personal information with unaffiliated third parties in certain circumstances.

So, obviously, it is critical how we define nonpublic personal information.

The key questions that Scott Alvarez will be discussing with you is that question:

"What is nonpublic personal information?" And "Who are the financial institutions that are subject to these provisions?"

The second issue that the regulators have been wrestling with and have addressed in the regulation is the distinction that probably many of us have never previously made between a "customer" and a "consumer."

They are different people under this regulation. The law requires that a financial institution provide notice of its privacy policies to all of its customers at the time of establishing a customer relationship with those individuals.

The law further requires that, before it shares nonpublic personal information about a consumer, the bank must provide the consumer an opportunity to opt out. Trying to wrestle with the issue of who is the bank's consumer and who is the bank's customer is Amy Friend's enviable task.

But I urge you to keep in mind that the key question that you face as potential commenters on this aspect of the regulation is:

"Have we defined 'customer' and 'consumer' properly?"

Because that is going to govern who gets privacy notices and who has the opportunity to opt out.

The third critical issue that the regulators have dealt with is the Opt Out Notice. Now, there's already been a lot of discussion today about opt in versus opt out.

The law that was passed and signed into law in November provided for an opt out notice, not an opt in notice.

Therefore, the regulators have worked within that framework. Financial institutions must give clear and conspicuous opt out notice. And the questions are:

"What do we mean by 'clear and conspicuous?'" And, "Prior to what forms of information-sharing must that opt out notice be provided?"

Because it's not all information-sharing that is covered. It's certain information-sharing. It's information-sharing with unaffiliated third parties. And there are exceptions. There are exceptions for joint marketing agreements and there are exceptions for a variety of other activities -- such as the processing of transaction account information on behalf of a financial institution.

The key questions really come to "Who, what, where, when, how, why are opt out notices given?"

And Richard Riese from the OTS is going to provide a more detailed overview of what's included in the regulation.

In sum, the statute introduces new privacy protections for consumers and new privacy obligations on financial institutions.

It also introduces a myriad of new and old terms to be used in very specific ways.

As regulators, our task is to make the statutory provisions in the law operational. My colleagues will explain what we did.

You, through public comment, will tell us what we did right and what we didn't do right and I encourage you to take advantage of that opportunity.

Thank you.

PRESENTATION BY
SCOTT G. ALVAREZ
ASSOCIATE GENERAL COUNSEL
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM

MR. ALVAREZ: Thanks very much, Governor Gramlich, and Steve.

As both Steve and Governor Gramlich mentioned, the privacy provisions in Gramm-Leach-Bliley apply to the sharing of nonpublic personal information collected by financial institutions.

That starts off with two lead questions:

What is a financial institution that's covered by the privacy provisions, and what kind of information is covered by the privacy provisions?

Well, first of all, a financial institution very simply is any institution whose business it is to engage in financial activities.

So the key question is "What is a financial activity?"

Financial activities under the Gramm-Leach-Bliley Act are actually a list of activities that are kept by the Board for determining what is a permissible activity for a financial holding company. It's a list that's prepared and kept for a purpose totally unrelated to privacy.

It explains what financial holding companies can engage in, what kinds of affiliations they can have.

The kinds of activities that are on that list include some of the things that we would all expect to be on the list: any kind of lending activity -- consumer lending, mortgage lending, credit card activities.

It includes securities brokerage activities, insurance agency, credit counseling, tax preparation services, long-term car leasing, ATM operations, check cashing, investment advice, trust services -- all the things we think of as activities that we might get from a bank or something that's close to a bank.

There are two kinds of activities that folks may not expect to see on that list but are on that list. One is management consulting services. Another is travel agencies.

Now, this list can be expanded by the Board and the Treasury to include other kinds of services. And every time a new activity is added to the list, everyone engaged in that activity becomes subject to the privacy provisions.

And it's important to note that, in order to be covered, a company simply has to be engaged in the business of one of these activities. The company does not have to be affiliated with a bank or a savings association.

So a freestanding securities brokerage firm or a freestanding travel agency would be covered by the privacy provisions.

The provisions apply to sharing of information with third parties, and so a financial institution that's covered can share information with an affiliate without restriction under these privacy provisions.

What we're going to speak about today is their ability to share the information with third parties.

There are other laws, such as the Fair Credit Reporting Act, that may have implications on sharing with affiliates, and there's some State laws that may govern those areas.

So the next question is: "What kind of information is covered?"

Well, first of all, this is information that involves individuals who obtain financial products and services for personal, family or household uses.

The privacy provisions do not govern information obtained from a business, and they do not cover information obtained from an individual for a business purpose, or for some purpose other than their own personal, family or household use.

Steve mentioned one of the key terms in the Gramm-Leach-Bliley Act: Nonpublic personal information.

Nonpublic personal information is divided into basically three categories. It's information that is collected, it's information that's provided by an individual to a financial institution in that individual's effort to obtain a financial service, or to allow the financial service to be provided to the person.

So, for example, if an individual fills out an application form for a loan or fills out a survey to become, to get investment advice from a securities broker, both of those -- all the information on that application form or that survey would be personally identifiable financial information that would be covered by the privacy provisions.

That information is covered even if the person is ultimately denied the loan by the banking institution, or even if the person decides not to pursue the investment advice, or to accept the loan.

The information was provided in an effort to obtain a financial service, or in order to allow a financial service to be provided to that individual, and so that information is covered. That would include things like salary that someone makes, the number of dependents, the rent payments or monthly debt payments, or their investment goals or other kinds of information like that.

The second grouping of information is any information that results from a transaction between the consumer and the financial institution in the course of providing the financial product or service.

So, for example, the account balance or the places that people use their credit cards or the size of purchases that they make with a credit card, or the stocks that you decide to purchase, all of that is financial information protected by this provision.

The third category is any other financial information that's collected by the financial institution in the course of the individual's relationship with the institution.

For example, anything the financial institution might collect to verify the salary of the person applying for a loan, or any credit report or credit rating that might be assigned to the individual.

There's an exception to this. The exception is that for publicly available information, what's covered is personally-identifiable financial information that is nonpublic.

Under the rule that we've proposed, public information is any information that's available from official government records -- for example, the real estate records that are kept by the local County real estate office.

Any information that's widely-distributed through public media, such as information in the phone book, information in newspapers, radio, TV, and any information that's available widely on the Internet if there's no special password or fee that's required in order to get access to the information.

The third group of information that we consider public is any information that is required by law to be disclosed to the public. So, for example, anything you find in a securities disclosure document or financial information that government officials are required to publish in their disclosure statements, that would all be public information.

Now the Gramm-Leach-Bliley Act has one twist when it comes to public information. And that's a sort of juxtaposition between the use of public information and nonpublic information. If there is a list of individuals that's prepared using confidential information -- nonpublic information -- then that list, everything on that list, including public information that might be on that list, is kept confidential and is subject to the opt out provisions and disclosure parts that Amy and Richard are going to discuss.

So, in other words, if an institution prepares a list of the names and addresses of its customers, that list is considered to be subject to the opt out provisions because the fact that someone is a customer of a financial institution is considered to be confidential information.

If the list is prepared using account names or account types or some other information about account balances, that list is considered to be a confidential list and is subject to the opt out provisions.

On the other hand, if the list is something that the financial institution has obtained from the public -- for example, if they have gone down to the County office and gotten a copy of a list of everyone who has a mortgage in the County, something that's public, then that list is not confidential.

The key is a list that includes public information where the list is prepared using some kind of confidential information. That kind of list is subject to the privacy provisions.

Once you are a financial institution, you have collected this kind of information, then the key is what are the obligations of the institution to the consumer?

And for that, I'll turn to Amy Friend and Richard Riese.

(Applause.)

PRESENTATION BY
AMY S. FRIEND
ASSISTANT CHIEF COUNSEL
OFFICE OF THE COMPTROLLER OF CURRENCY

MS. FRIEND: Good morning. I'm going to talk about the privacy policies themselves and, as I've just learned, I'm going to talk about the distinction between customer and consumer.

But, I would say that our communication during the interagency rulemaking was a little bit better than that. I think I’ve talked about this and thought about it so much that it will be just fine.

The regulators took very seriously the language of the statute and congressional intent that consumers be informed about the privacy practices of the financial institutions they patronize.

As a result of this, there are a number of issues that we dealt with in the regulations with respect to the contents of the privacy policies, the delivery of the privacy policies, and what they need to look like.

So let me first start out by talking about the requirement in the statute that privacy policies be clear and conspicuous.

The standard that we use is that the notice must be reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

And a lot of our discussions were informed by work in the past of some of the regulators, particularly the SEC, which has been working on plain language disclosures for some time.

They had conducted a consumer survey to see what types of disclosures consumers actually read. And what they found was that information or disclosures that may be underlined, or bolded, the way we usually think of as meaning conspicuous, consumers often just overlooked thinking it’s boilerplate and it’s federal requirement and nothing really important to what they need to learn.

So they overlook that. We thought that was significant. The OCC has also done some work in the area of disclosures under the Fair Credit Reporting Act.

If an institution wants to share certain information, consumer reporting information, with affiliates, the law says that the institution has to give consumers notice about the sharing and an opportunity to opt out of that sharing.

The requirements under the Fair Credit Reporting Act are clear and conspicuous as well. But, we had found in the last year or so that a lot of these disclosures were not particularly clear and informative.

The statute says that institutions can share something called "other information." So we found that disclosures would say:

"Well, we intend to share other information with affiliates unless you write to us," without telling a consumer what "other information" means.

And we also found that disclosures were often found in multiple-page agreements without calling attention to itself in any way other than to say "FCRA Notice", when most people don’t know what FCRA or Fair Credit Reporting Act is.

So that informed a lot of our thinking in terms of what should "clear and conspicuous" mean? How will we know that consumers actually see this and understand this?

So, basically, under the regulations, it’s not sufficient for an institution to underline a notice and bury it somewhere, or to caption the notice "Gramm-Leach-Bliley Act Notice".

We don’t think that that would be designed to really call attention to the nature of the information contained in the notice.

So, "clear," what we said is "clear" is basically concise sentences, short explanations, active voice, no legalese or boiler plate.

We did not prescribe what the language has to look like. We just gave some examples and some standards.

"Conspicuous," instead of having it sort of smushed together and underlined -- we thought that additional white space, larger or wider margins, ample spacing, easy to read type face, captions in plain language, would be conspicuous.

I know that in the last panel there was some discussion that consumers don’t often read disclosures. I think the objective here is that for those consumers who are concerned about privacy, they can find the privacy notice and read it if they want.

Let me talk about the content. What do these notices look like? What’s required?

First of all, the regulations say that the privacy notices have to accurately reflect the practices and policies of the institution. So that means that institutions have to take steps to adhere to what they say.

I think Julie Johnson from Bank One talked about employee training. Employees need to know what these privacy policies are.

The regs don’t specify that but that’s the reality of what’s going to have to happen.

The law is fairly specific about the content of the regulations. What we tried to do was make sure that the notices were meaningful -- provided meaningful information to consumers and were not unduly burdensome on the institution’s behalf in complying with them.

So let me give you a few examples. The law says that: "Privacy policies have to disclose categories of information that a financial institution collects about its consumers."

So we thought, well, what would be a meaningful disclosure? And we gave examples of disclosures about categories of information collected by identifying the source of that information.

So some examples in a bank case may be, "We collect information from applications that you provide to us. We collect information from our transactions with you. We collect information from credit bureaus."

And then the law says that the financial institutions have to disclose categories of this nonpublic personal information, categories of information that the bank or the institution discloses about the consumers.

So we said focus on the content. Indicate the source and focus on the content. So, for instance, application information. What comes from an application? It may be assets and income information, or identifying information like name, address and social security number if that’s what’s going to be shared.

Or transaction information could mean account balance. It could mean credit card usage. Consumer reports could be credit history.

So it’s just giving consumers a basic understanding of the types of information that’s being collected, the types that are being disclosed in a way that we thought would be meaningful.

With respect to categories of entities, third parties that may be receiving it, we said:

"You have to disclose this with respect to affiliates and nonaffiliated third parties and do it by types of businesses."

We didn’t think that it was very practical or meaningful to have a laundry list of names of all the entities that might be receiving this. But, more helpful if an institution disclosed significant lines of businesses of the companies that would be receiving this information.

The privacy policies will have to disclose an explanation of how a consumer can opt out and provide examples -- explain the methods for exercising that right. If they are providing these information, affiliate information-sharing opt out notices under the Fair Credit Reporting Act, that will be part of a privacy policy.

And they also have to inform consumers of the security measures that they’re taking to protect this nonpublic personal information. And the regulations say you don’t have to get into technical specifications. You can discuss who has access and why they have access.

Now, let me talk a little bit about the timing of disclosures, and that does fit nicely into the distinction between customers and consumers.

They have different rights. It triggers different requirements under the law.

A customer is a consumer who has an ongoing relationship with a financial institution. A customer under the statute is entitled as a matter of right to a privacy policy at the time of establishing a relationship with a financial institution and annually thereafter while the relationship is pending.

The examples in the regulations are: somebody who has a loan with a bank; somebody who has a deposit account or a trust account or an investment account. Those individuals are going to be considered customers. They have an ongoing relationship.

The regulation says that the privacy notice has to be provided before the relationship is actually established. So, in a contractual arrangement, it would be before the consumer was actually obligated on a contract.

Some examples: If a consumer applies for a credit card, we’re not saying that the privacy notice has to go out with the application because, at that point, it won’t be clear that that individual will be a customer.

But, when a financial institution sends a card in the mail, that’s a likely time they’ll provide it because the relationship is established once the consumer activates it or goes to use it for the first time.

In a mortgage situation, again, the regs don’t require a disclosure at the time of application but a disclosure before the consumer sort of signs on the dotted line at closing. And that’s consistent with other disclosure requirements under the Truth In Lending Act.

So it still gives the consumer an opportunity to shop around before they’re ultimately obligated. But, again, we had to pay attention to the distinction between consumer and customer.

A consumer is an individual who obtains a financial product or service from a financial institution to be used primarily for personal, family or household purposes.

And it does include actually applying or giving information to prequalify for a loan because we said the act of evaluating that information on an application or through prequalification does amount to a financial service.

And, therefore, consumers’ information is going to be protected even if they don’t ultimately get what they are applying for.

The law says that consumers are entitled to a privacy notice and an opportunity to opt out before their information is shared with these nonaffiliated third parties.

So consumers don’t automatically get a privacy policy, as a customer does, but they do get a privacy notice if the financial institution intends to share their information and they get a chance to opt out.

Finally, I’ll just conclude by saying the regs provide for a method of providing these disclosures. The standard is that:

An institution must provide a notice so that consumers can reasonably be expected to receive the actual notice in writing, or electronically if a consumer agrees.

The discussion amongst the regulators really reflected the desire to ensure us that consumers would actually receive the notice.

The regs say that oral notice itself is not sufficient, although it could supplement other notices. In the electronic delivery area, we thought that it was certainly reasonable to provide for electronic notices.

But, it had to be done in a way that a consumer agreed so they would be assured of getting the notice. If an institution was conducting a transaction in person, it wouldn’t be reasonable to expect that they should then go on to a web site to pull up an electronic notice unless they had agreed.

So, for the most part, if a consumer and a financial institution are conducting transactions electronically, then the consumers can receive notices electronically.

And what we said is that it’s not enough to just post it on a web site. It should be part of the transaction. A consumer should acknowledge that they’ve received this privacy notice as part of conducting a transaction.

In writing, we basically said that delivering -- the examples show that delivering a written notice by hand constitutes sufficient notice, or sending it to a last-known address would constitute sufficient notice.

But, posting in a lobby alone would not be sufficient because there can’t be a reasonable expectation that consumers will necessarily see it.

PRESENTATION BY
RICHARD R. RIESE
DIRECTOR
COMPLIANCE POLICY
OFFICE OF THRIFT SUPERVISION

MR. RIESE: I wish to express my thanks to the FDIC for inviting me to participate in this panel. In honor of my esteemed colleagues I have worn my Interagency cufflinks, which you probably can’t see from there. But, on my left wrist is the word "YES" in five different languages and, on the right wrist, is the word "NO" in five different languages.

I am tasked with trying to discuss with you that part of our title here: "Is it any of your business?"

The part that describes in the regulation how consumers can keep their personal information from becoming someone else’s business.

The part of the regulation that I’ll be presenting is in .7 through .12. And if you go to the hymnal that the FDIC has kindly provided to us, you can refer either to the preamble section, which is at page 8778, or if you want to look at the reg, it’s real easy to get to at the back section. You can go to the OTS version of the reg. And that appears at page 8814, section 573.7.

I think the important thing to keep in mind right from the start is we’re using the word "opt out" that has certainly been in the jargon for some time but is increasingly becoming part of the vernacular.

And we must be careful that this reg has a particular use of the word opt out. And we must be careful to remember that under the proposed regulation what "opt out" means, is it’s limited to a direction by the consumer to a financial institution not to disclose nonpublic personal information to a nonaffiliated third party.

Opt out in parlance in privacy may have broader meanings but, in this regulation at this time, it has that limitation.

Before disclosure of nonpublic personal information can occur, a financial institution must provide an initial notice of privacy policies, as described by Amy, and initial notice of opt out.

And the consumer must be given a reasonable time to opt out after receiving the notice. And that duration will depend on the customer relationship or whether or not there’s an isolated consumer transaction occurring.

And then, of course, the consumer must, within that reasonable period, not opt out. If those things occur, then the financial institution would be free to share, in accordance with its privacy policies, nonpublic personal information about that consumer or customer.

Noncompliance means that no sharing of nonpublic personal information with a nonaffiliated third party can occur no matter when that information was collected.

Obviously, we’re going to be implementing this regulation. This regulation concerns information you may already have in data bases, as well as that which you may get in the future.

If you don’t provide the required notices for the necessary opt out, you are precluded from sharing that information about a customer until you do so.

A financial institution can allow a consumer to elect either a partial opt out or a complete opt out. So you can tailor the opt out in terms of certain types of nonpublic personal information, or certain nonaffiliated third parties.

So that you can say to someone: "We will share this type of information about you, information X. But, information Y, we will not share."

And you can say: "We share X and we share Y. You can choose to opt out of our sharing of X, or you can choose to opt out of our sharing of Y, or you can choose to opt out of our sharing of X and Y."

One of the important things that Steve pointed out -- throughout this regulation and throughout the preamble is our interest in receiving your comment and every so often we have particularly asked for and solicited comment.

And, in this area, we particularly solicit comment on handling of joint accounts and on the duration of what a reasonable period is to exercise an initial opt out right.

There’s also a form, of course, and the method by which you’re supposed to provide an opt out notice. Again, it must be clear and conspicuous, and I refer you to Amy’s advice with respect to that.

It can be provided by mail or electronically, but it cannot be provided orally. You cannot describe the opt out rights to a consumer over the telephone.

That is not permissible as sufficient notice under the regulation.

The opt out must state that the financial institution discloses, or reserves a right to disclose, certain nonpublic personal information to a nonaffiliated third party.

It must include that a consumer has the right to opt out. And, finally, it must advise the consumer of the reasonable means by which the consumer may exercise that right.

"Reasonable-means" to opt out includes a reply form or checkoff boxes. There are a couple of other examples that are listed in the regulation. But, one thing that we say by way of example is that it is not reasonable if you make a consumer write a separate letter to you.

We allow the honoring of letters, but we do not allow you to make the only available avenue of reasonable opt out, the requirement that the individual compose and draft and write and send to you their own letter.

We need to make this right more accessible, more achievable, and so that is not a permissible means of opt out.

The consumer has a right to opt out at any time and the financial institution must comply as soon as reasonably practical. Opt out is effective until revoked by the consumer in writing.

Again, comment is invited on the means by which financial institutions anticipate delivering notices and the experience institutions have had in terms of delivering notices, processing responses, and tracking consumer elections in the past. We are not writing on a privacy blank slate.

There has been experience out there and we are soliciting comment on the methods used and the experience used in privacy to date.

As has been foreshadowed already in remarks by my other panelists, not all information is within the purview of the consumer to control through the opt out process.

The statute and the regulation have exceptions to this right. First, there are exceptions to the opt out right. That is, you’re entitled to notice of a policy and about how an institution handles their information, but there is no requirement that the consumer be afforded the ability to opt out.

Consumers do not have the right to opt out of information that is in connection with a sharing that involves a nonaffiliated third party who performs services for the financial institution.

Sharing nonpublic personal information with a nonaffiliate to market an institution’s own products or products offered pursuant to joint marketing agreements between the institution and one or more financial institutions -- those kinds of sharing between the financial institution and the marketing entity in those kinds of joint agreements -- you must tell the consumer about them but the consumer does not have the right to opt out. Customers must be told but no opt out right.

The financial institution must, in disclosing nonpublic personal information, must have a contract with the receiving institution that requires the receiving institution to maintain confidentiality for the nonpublic personal information shared and limits that institution’s use of nonpublic personal information to the purpose for which it was shared.

So that if an institution is sharing in one of these joint marketing arrangements, the sharing of that information must be controlled by contract and it must be limited to that marketing purpose.

We invite comment on whether additional constraints on these types of nonaffiliated third party relationships should be imposed.

Finally, the second type of exception applies to both privacy notices and the opt out right. Consumers need not be given notice or an opt out about sharing of nonpersonal, or personal -- yes, nonpublic personal information necessary to effect, administer or enforce transactions that they requested.

As an example, financial institutions do not have to tell a consumer that if a loan defaults that the institution may disclose that information to a debt collector.

Consumers can consent to waive any rights to notice and opt out. For instance, a consumer using a stock broker may wish to have the broker transfer personal information to a tax preparer at tax time and can sign a waiver to that effect. And, of course, once they do that, they don’t have an opt out right.

Comment is specifically solicited on whether additional safeguards about obtaining consents should be added to the rule. And the rule also addresses how one can remove the consent once given.

There are other exceptions to privacy notices and opt out rights that are listed in sections .10 and .11 of the rule. They include such things as the sharing to protect confidentiality or security of records, to prevent actual or potential fraud, to resolve consumer disputes or inquiries and, of course, to disclose information to a consumer reporting agency.

Finally, in section .12 of the proposal, we deal with limits on the reuse of information that’s been shared. A nonaffiliated third party receiving nonpublic personal information is not free to use or disclose that information as they please.

They may only share that information further to parties to whom the original financial institution could lawfully direct disclosure. Or, a nonaffiliated third party receiving nonpublic personal information may, under the exception, may use that information only for the purpose of that exception.

For instance, a debt collector learning nonpublic personal information about a consumer while collecting the debt may not make that information public or use it for any purpose beyond collecting the debt.

Again, comment is specifically invited on whether the restrictions on use of information obtained as nonpublic personal information under the exceptions would restrict a nonaffiliated third party from using the information in a form that is not personally identifiable.

For instance, a service provider may receive the information with personal identifiers, but should they be allowed to use the information further in an aggregated form scrubbed clear of personal identifiers?

We ask your comment on whether or not the reg is clear on that and whether or not that utilization should be permitted.

That covers opt out in a very broad brush form. Again, I refer you specifically to the regulation and to the preamble and invite you to comment generally but take particular attention to those areas that we’ve focused you on.

Thank you.

(Applause.)

GOVERNOR GRAMLICH: I’d like to thank each of the panelists. When you listen to discussions like this, I don’t know if you have the feeling that I have, but this reminds me of going swimming in the Finger Lakes in New York State. The water gets deep very fast.

(Laughter.)

Privacy seems like a simple issue but it’s very, very complicated.

Now I already have four questions from the audience. So let me go through those. And I’ll ask anybody on the panel to answer the questions.

And then, if we get through that, we are going to end the session at quarter of 12. But, if we get through that, we can take more. Just raise your hands.

First question:

"One of the key provisions in the Gramm-Leach-Bliley Act is the disclosure of privacy policy so that consumers can make informed decisions. Why then does the regulation allow lenders to delay disclosure of their privacy policies until just prior to loan closing? At that point, isn’t it too late for the applicants to take back their information and thereby preserve their right to privacy?"

Somebody?

MS. FRIEND: I’ll take that. I think that fits in with what I was talking about. It’s an issue that we grappled with and I think that the timing is dictated by the statutory distinction between consumers and customers and the requirement that the privacy policy be given at the time of establishing a consumer relationship.

The preamble makes clear that institutions are certainly free to provide notices earlier than that time so that consumers can have information at the earliest possible time and they can shop around.

But I think it was difficult to ignore the requirement that the privacy notice be given at the time of establishing the relationship.

It’s hard to know at the time that somebody is filling out an application that they actually will establish a consumer relationship.

I think the first panel talked a little bit about the effect of the marketplace. And this may be one of those areas where consumers will start asking for privacy policies at an earlier point if they care to and if the institution doesn’t provide it to them.

And then, I think an institution would act at their peril if they said, "No, we’re not going to give it to you until a later point."

GOVERNOR GRAMLICH: Okay, let’s take another one here.

"If a person opts out of sharing at their financial institution and this institution is subsequently sold or merged into another bank, what is the status of the consumer’s desire to opt out?" Or the consumer’s -- yes, desire to opt out, I guess.

MR. RIESE: I’m sorry. I missed that part.

GOVERNOR GRAMLICH: If the institution is merged, what is the status of the opt out?

MR. RIESE: I don’t know. Have we treated that? The opt out is effective to follow the information. The opt out is provided at a certain time when the relationship exists.

That relationship will follow the information, and whoever possesses the information, and is effective until revoked.

Do my colleagues agree?

MR. ALVAREZ: Yes, I think that’s the right answer. Of course, the new institution may have a different privacy policy than the old institution. And the rules provide that, in that instance, the new institution would have to disclose the new privacy policy to the customers of the no longer existing institution. And that may provide another opportunity for the consumer to opt out.

I think the rules were not -- the rules proposed didn’t have in mind this kind of merger of institutions specifically, so there may be gaps in what we’ve done. And, clearly, we would welcome comment on any gaps that there might be.

GOVERNOR GRAMLICH: Okay, the next question is one that may have occurred to a number of you. Essentially, it is:

"Why are travel agencies included as financial institutions?"

MR. ALVAREZ: Well, that’s a consequence of the fact that travel agency activities are considered financial activities under the Gramm-Leach-Bliley Act.

It wasn’t anything that was specifically related to the privacy provisions. It was because banking organizations actually engage in providing travel agency services outside the United States. It’s a common practice in some foreign countries.

And the Gramm-Leach-Bliley Act makes permissible in the United States financial services that are provided outside the United States.

So it is one of those collateral effects of the definition of financial activity.

GOVERNOR GRAMLICH: Could a consumer orally provide consent to the disclosure of their nonpublic personal information to a nonaffiliated third party?

MS. FRIEND: I believe that the regulation gave examples of written consent to specific sharing of information in specific instances.

Consent is one of the exceptions to the general requirement for notice and opt out. And I don’t believe that we fully defined it but the examples indicate that consent would be in writing.

MR. ALVAREZ: Though there isn’t a requirement that it be in writing.

MS. FRIEND: There’s not a requirement, that’s correct.

MR. ALVAREZ: It could be oral.

GOVERNOR GRAMLICH: If it could be oral, how is that recorded then? I mean the institution would then take --

MR. ALVAREZ: The institution has the obligation --

GOVERNOR GRAMLICH: Take the oral, somebody saying something, and then just mark it down and it would be part of the record.

UNIDENTIFIED: The regulation doesn’t specifically deal with that question and that’s why Scott suggests that it’s conceivable that it could be oral.

MS. FRIEND: Right. I believe that the preamble actually invited comment about what form consent should take.

GOVERNOR GRAMLICH: What are the regulators’ thoughts on coverage of trust beneficiaries as consumers or customers?

(A pause.)

It’s a good question.

(Laughter.)

MS. FRIEND: Stumped the regulators.

(Laughter.)

We, I know we talked about when there are joint account holders, not in the specific instance of a trust account, but we asked for comment in the preamble about if there are multiple account holders, what would constitute effective notice.

And I think we just have not really fully explored when a beneficiary could be considered a consumer or a customer for purposes of getting notice, what would be required by a financial institution.

So I think it seems to me that operationally there’s just a lot of questions and that providing comments will really inform the next round of rulemaking in terms of taking some of these instances into account and providing for us a little more clarity.

So we invite comment.

MR. CROSS: I suspect that this regulation had as many questions for comment as any regulation we’ve worked on for some period of time. And it was because of operational issues such as that that we discussed for an inordinate amount of time without coming to a resolution.

GOVERNOR GRAMLICH: For those of you who are waiting for your coffee, we’ve been given another five minutes by the authorities. So we’ll take a few more questions.

I still have a few more.

"What is a consumer’s recourse against the bank that shares information after the customer has opted out?"

MS. FRIEND: There are no private rights of action that are provided for in the statute. A consumer could certainly bring it to the attention of the bank or the bank regulator.

And we do have a whole host of remedies available to the regulators if there’s a violation of the statute.

GOVERNOR GRAMLICH: If the consumer does not opt out or a customer does not opt out, would he or she be able to find out who the institution is sharing their information with and for what purpose?

MR. RIESE: Well, the initial privacy policy should outline to the consumer what the practices are of the institution. Now that policy will not, in the kind of detail, describe what particular nonaffiliated third parties may receive the information.

But, I think this is an area where a market -- a sensitivity on the part of the institution should inform what they -- what kind of cooperation they want to have with their consumer.

We’ve heard a lot in the prior panel about how much trust means between the institution and its consumer. If you get that kind of inquiry, then it seems to me that you want to keep that kind of trust in mind in terms of how you respond.

The regulation itself does not particularly address the level of detail that this question implies in terms of the disclosure.

GOVERNOR GRAMLICH: Section 501(B)(3) requires financial institutions to protect information which could result in substantial harm or inconvenience to any customer.

Doesn’t this indicate that the term "financial" in the definition of nonpersonal public information was intended to cover (1) sensitive information used in making decisions about financial products; (2) any information in an application form, such as name, address, zip code, and so forth?

MR. CROSS: Well, the regulation defines financial information as the information that a consumer provides to the institution in obtaining a financial service from that institution.

So that kind of information would typically be covered. The preamble, I believe, invites comment on how we did define financial information.

And I know we’ve received some perspectives that are contrary to that of the questioner and have called into question the broad definition of "financial information" that’s in the proposal.

GOVERNOR GRAMLICH: This is the last one I have.

"The definition of nonaffiliated third party includes certain affiliates engaged in insurance underwriting, merchant banking or investment banking activities. What is the policy behind this? The statute does not define that term in any way -- does not define the term that way." Excuse me.

MR. ALVAREZ: That’s a very technical and complicated question to answer. I’ll try to do it briefly.

As I mentioned before, the definition of "financial activity" is drawn from the Bank Holding Company Act and was established for a different purpose than the privacy rules.

One of the permissible financial activities is doing merchant banking investments. That’s where someone may -- where a company makes short-term investments in any company.

The definition of "affiliate" under the Bank Holding Company Act is triggered if a financial holding company owns 25 percent or more of another company.

So it’s possible for a merchant banking business, for someone to own a hundred percent of some small start-up company somewhere for a short period of time.

The issue then is: Is that portfolio company, that start-up company in my example, an affiliate so that a bank could share confidential customer information with that start-up company as it can share that information with any other affiliate without the Gramm-Leach-Bliley protections applying?

And what our rule proposes is that that sharing would not be allowed without the protections that are applied to sharing information with third parties.

The policy reason for that is that merchant banking investments are contemplated as short-term investments. There are many restrictions on the ability of the financial holding company to cross market or control a portfolio company.

And it didn’t seem consistent with those restrictions to allow the free sharing of confidential customer information. And as a result, we proposed not allowing it.

GOVERNOR GRAMLICH: We’re about at the ending point. But, if anybody out there has a burning question, maybe I can take one or two. And then we’ll stop. Okay, yes?

QUESTION: (Inaudible.)

MS. FRIEND: I can address that. The question was: What are the plans for implementing the section 501 standards, which are standards that the banking agencies -- well, all the agencies are supposed to promulgate regarding physical, administrative and technical safeguards for this confidential information.

And I believe that the SEC in their regulations put out something that the other regulators didn’t in saying that their institutions have to have these safeguards in place.

With respect to the banking agencies, we’re in the process of an interagency activity right now. Hopefully, we will be able to publish something for comment when the final privacy regulations come out.

GOVERNOR GRAMLICH: We’d better -- I’m looking at the clock. We’re already five minutes beyond the extended deadline so I think, at this point, let’s give our panelists a round of applause.

(Applause.)

(Recess.)

PANEL III

CHAIRMAN TANOUE: If we could start our third and final panel.

Our final panel this morning will address what we might expect from Congress and from state legislatures in the near future.

As you all know, the Gramm-Leach-Bliley Act gives preference to State laws that are stronger than federal law, and it also gives the States a window of opportunity to enact privacy protections.

Based on recent cases of alleged privacy violations, the Congress and state legislatures are continuing to consider new actions that could have profound effects on the financial services industry.

I can think of no better person to moderate this final panel than Ellen Seidman, the Director of OTS and of course a very valued and respected member of the FDIC Board of Directors.

Ellen began a five-year term as Director of the OTS on October 28, 1997 -- doesn’t time fly, Ellen?

Prior to that, she was a Special Assistant to President Clinton for economic policy of the National Economic Council.

And she previously served as Senior Vice President for Regulation, Research and Economics at Fannie Mae, as well as a Special Assistant to the Treasury Under Secretary for Finance.

Someone once told me when I first came to Washington that:

"If you really want to know your way here, ask someone like Ellen Seidman."

And, today, I present her to you. Ellen.

(Applause.)

ELLEN SEIDMAN
DIRECTOR
OFFICE OF THRIFT SUPERVISION
MODERATOR

MS. SEIDMAN: Thank you, Donna.

Well, in less time than it takes to finalize the government regulation and four months after passage of the law, here we are talking about the future of privacy, where we go next.

I think there are three reasons why we feel this very sort of unfinished sense. One is that I think we all recognize that Gramm-Leach-Bliley in many ways opened this debate. It certainly didn’t end it, as we’ve discussed here today.

Second, even after the law was passed in November, we’ve got lots of new examples of technological intrusion, and the DoubleClick episode was discussed here earlier. Undoubtedly, there are others. These all lead people to wonder: What is it that I don’t know about what’s going on?

And, finally, there’s no question but that consumer conscience has been raised.

Each of these contributes to the need for us to continue to look at this issue, to continue to work it, to continue to learn.

Looking forward, let me suggest that there are sort of three classes of ways in which things might come, you know, begin to unfold in the near future.

First, there’s the tweaking of Gramm-Leach-Bliley. Obviously, there are some issues. I think the discussion on the regulators’ panel earlier today suggested that there may be, in addition to regulatory implementation issues, issues of regulatory implementation that really involve statutory issues. And so, even if you agree that the basic framework is right, there’s always the question of, "Do we need technical amendments or other small changes?"

Second, obviously there are the State issues. Gramm-Leach-Bliley, as the Chairman just stated, allows the States to go beyond its protections for greater privacy protections, and we’ll hear a lot about that today.

And, of course, the States will not all enact the same law. If the States all enacted the same law, this would all be pretty easy. As we get to fifty different laws -- there won’t be fifty but there will be a number of them -- the whole question of not only how does each of them work but how do they interact -- and how do they interact with Gramm-Leach-Bliley -- will become a major set of issues.

And then, third, there’s the issue of further federal protections. As you know, President Clinton has promised a number of times, including most recently in the State of the Union, that more is coming from the Administration, and Peter Swire will be here to talk about that.

In 1933, just to put this all in context, it’s about the time the FDIC was created -- you know, it’s a long time ago. In 1933, George Bernard Shaw, an astute observer of social relationships, spoke to an audience in New York and remarked, "An American has no sense of privacy. He does not know what it means. There is no such thing in the country."

That was in 1933. How much different is it today? And how much are we discovering our sense of privacy?

Let me introduce the members of my panel who really will give us, I think, a very lively discussion of the future, and will definitely be well worth your postponing your lunch.

We know that this is lunch hour and we’re going to try to move very fast. And we’re doing this in a slightly screwy order, mainly so that we can be exciting. Okay?

First of all, we have Peter Swire, who is the Government’s Chief Counsel for Privacy at the Office of Management and Budget, a position he’s held since 1999.

Peter’s on leave from Ohio State University College of Law and the editorship of Cyberspace Law Abstracts.

And he’s published numerous articles on privacy, including the book that I suspect generated the title of this forum, namely, "None of Your Business: World Data Flows, Electronic Commerce and the European Privacy Directive."

Next, we’ll hear from Laurie Schaffer, who is Staff Director for the Financial Institution Subcommittee of the House Banking Committee.

In this position, Laurie played an important role in the privacy debates during Gramm-Leach-Bliley, and she will undoubtedly continue to play an important role. And she’ll give us a little of Chairman Leach’s perspective, and maybe the broader House perspective.

Third, we have Geoff Gray, who is Senior Professional Staff Member on the Senate Banking Committee. As Senator Gramm’s representative during the privacy discussions, he, too, will tell us a little bit about the Senator’s perspective and, again, where he thinks things may be going in the next -- in the last bit of this Congress, and in the future.

Our fourth panelist is Mike Hatch. And we’re extremely honored to have him here today. He’s our one non-Washingtonian, and we’re really pleased that he came to join us.

He’s the Attorney General of the State of Minnesota. And as the Attorney General, he is well-known as an outspoken advocate for consumers, senior citizens, and victims of crime.

Most relevant here, of course, is that he’s also taken on banks on privacy, most notably in the U.S. Bancorp case.

And this is not, you know, some wild Attorney General who doesn’t know anything about finance taking on the finance companies.

Earlier in his career, Mike was the Commissioner of Commerce for the State of Minnesota, and he was the primary regulator of banks, insurance companies, securities, and real estate firms doing business in Minnesota.

And, finally, we will have the counterpoint to Mike. This is what’s going to make it all very exciting and worth your while to stay through.

We have Rick Fischer, who is a partner in the law firm of Morrison and Foerster. Rick has represented banks and other financial services companies for many, many years, recently focusing on Internet and technology issues, including in particular privacy.

He’s also written and spoken extensively on privacy, including a leading treatise, The Law of Financial Privacy, which is now in its third edition.

So this should be a lively panel and we invite you all to think of your questions as they’re speaking and get ready to join in. Peter.

PRESENTATION BY
PETER SWIRE
CHIEF COUNSEL FOR PRIVACY
OFFICE OF MANAGEMENT AND BUDGET

MR. SWIRE: Thank you, Ellen, and thanks to the FDIC for putting together this spectacular conference.

What I was asked to speak about was this future of privacy idea. And so the focus will be on where we are today and where we’re going to be going next.

In my brief remarks, I’m going to first talk about the inevitability of societal decisions about privacy today. We’re just facing these decisions coming at us at an unprecedented rate.

I’ll briefly talk about some things the Administration has done in other areas besides finances, and then talk about some reasons why financial data seems to be very special and is treated specially in the politics and the law.

Thinking about society and why we’re facing privacy so much today, let me suggest that there is a lack of a status quo. We don’t have any baseline to really refer to.

If we think back to ancient history in the information age, let’s say twenty years ago, there were relatively few databases. They were on big mainframe computers. There weren’t that many twenty, thirty years ago, computers out there.

And there were relatively few rules about how data would be shared back and forth between companies or organizations.

But, our new reality today is many more databases. Your laptop, your desktop has more capacity than a mainframe did a generation ago. They’re all networked together so the flows can be instantaneous and global.

And the flows of information are in much greater detail than they were a generation ago. So, when we think about the status quo, if we stay under the old world, a few rules, rules being government rules or industry rules, if we stay with a few rules, the number of data flows will go up just enormously between all these databases using these networks.

So that’s one tip from the status quo.

On the other hand, if we try to have the same information known about us that we did twenty or thirty years ago, keep that as the status quo, we’d have to put a lot of different rules in place, more than probably anybody really would want to contemplate.

And so we can’t live in the world of just a few databases and just a few rules. We’re in a world where all of this data is going to be flowing around and we’re going to have to face decisions about that.

Let me illustrate first with public records -- your State driver’s records, lots of records in the public space.

A generation ago, there was legal openness. You could go down to the courthouse and see what the record said there. But, there was practical obscurity at a practical level. It took a lot of time and effort to go down to the courthouse and pull one file. And people didn’t do it that much except when they had some particular reason, they were in litigation or something.

The reality today is still legal openness. You have a legal right to see these records. The change is that there is a practical openness, that these are available in nationwide databases. And for fairly modest fees we can search through these records and use them for all sorts of things we didn’t use them for before.

That’s a change. And that leads to questions that we’re at the beginning of discussing as a society about what’s a public record, and what’s nonpublic personal information? Terms that are familiar from earlier panels today.

Because what used to be public legally was hidden down in the files. But, what’s public legally is now available to practical people in practical days in ways that they weren’t before.

Let me just give you one example that’s come up in discussions about the Bankruptcy Bill moving through Congress right now.

In the public part of the bankruptcy files today are your bank account numbers. And so one question going forward is, if we have an Internet system for looking at bankruptcy records, does that mean we want to have all those people’s bank account numbers, securities account numbers, social security account numbers, up there on the Internet for everyone to see?

They’re public records. That’s the way we’ve done it before. But, if we put them publicly on the Internet there is a change. And you can imagine many people of good faith thinking that’s something to at least think twice or three times about.

In terms of financial records, the status quo idea, what has changed since a generation ago?

Well, twenty, thirty years ago, financial records were your Fair Credit Reporting Act records. A credit card account of $5,000 you once paid late for sixty days.

Today, the level of detail is different. It’s every purchase you’ve made on that credit card, and a level of detailed payor/payee kind of level that we didn’t have before.

Another change that we all know about is industry convergence. So who’s in a banking or financial institution has obviously changed. And so the data that used to be within a bank now spreads out in new ways to lots of different folks.

The societal response to that is familiar to people here: the Fair Credit Reporting Act of 1970, a tradition of self-regulation within banks, a confidentiality and trust tradition within banks, but more recently a legislative overlay from last fall.

And then, in terms of the future, the Administration has said, and we’re working on this proposal for additional legislation that will be issued in the coming weeks, and the one thing the President has said specifically is that there will be meaningful choice within the corporate conglomerate, within the holding company.

So that’s what we have to say at this point. But, we are working actively on that project.

When you think about the lack of a status quo, just why things are changing, it’s easiest to explain in the Internet side. So what was the old reality twenty years ago on the Internet? There were a few scientists and the rest of us hadn’t heard of it.

But, today, it’s the web pages. It’s the DoubleClick industry. It’s new, unique identifiers whenever you go on line. And it’s going to keep coming every few months in Internet speed of new technical challenges of how data flows.

So I tried to explain why there’s not a status quo, why we’re just facing change, a flood of change in this area of information practices. But, I also said that we’re facing societal decisions, and I want to talk about societal decisions for a minute.

That can mean decisions made by the technology people, written into the software of your browser, written into the hardware of what kind of structures and infrastructure we have.

It’s the engineers in the company as the standard-setting groups that will make decisions. Societal decisions are made in companies in a marketing way. So, companies decide what products to create or not to create. They decide what contracts they’re going to have with their business partners, with their joint marketing associates, for instance.

And those contracts are going to describe information practices. We have to write things that have never been written before.

Sometimes, it will be self-regulation. Sometimes, it will be law or regulation or tort rules or something else.

But, somehow or another, as we reengineer for the Information Age, we’re reengineering which data flow should go, and we face these decisions. We can’t avoid looking at these decisions.

So, with that as a backdrop, that we’re in a period of change, let me just briefly touch on some nonfinancial parts of what the Administration has been doing on privacy.

For the Internet, we have had a position of self-regulation which reflects the fact that there’s such rapid change that the issues that come up, that come and go, have happened so quickly that we’ve been very, very cautious to think we know how to write any laws or regulations that are appropriate for that.

And so by having the bully pulpit, having leadership, having encouragement for industries to get together and create codes of conduct, we’ve tried to push the debate along, speed up the learning process much faster than it would have done otherwise.

On the government records, we’ve taken action in privacy in the last year so that, today, 100 percent of federal agencies have clearly posted privacy policies.

Today, we’re putting into effect Privacy Impact Assessments in federal agencies so that when you build a new IT system, you work through the logic of what the data flows should be.

In addition though to the Internet, to the basic commercial world where we’ve encouraged self-regulation, we’ve identified three main areas of sensitive information where we think legal protections are appropriate.

The first of these is medical rules. And so the President in October at the Oval Office announced proposed Medical Privacy Rules that would affect medical providers, medical plans.

And the President in the State of the Union promised these rules would go final this year. They would take effect two years after they go final.

So your medical records, your psychiatric transcript, shouldn’t be given to your employer, shouldn’t be out there for the world to see. We think legal rules are appropriate.

A second kind of sensitive information is children, especially on line where the parents aren’t always there. And so the President supported and signed the Children’s Online Privacy Protection Act in 1998. Those rules take effect in April.

And the third category of sensitive data, we have said, is financial data. And this has been a question that’s come back from industry:

"Why is financial treated differently?"

Well, one reason is when you ask Americans, George Bernard Shaw notwithstanding, when you ask Americans, they tell you financial data is sensitive. Medical and financial come back in all sorts of real discussions with real people as very sensitive.

They don’t want their next-door neighbor or the person down the hall at work, their boss, browsing through that.

Beyond that idea that we just see that it’s sensitive by asking people, financial records are an important list of every purchase you’ve ever made. Your transaction accounts, especially now as we move to debit cards and credit cards, are a master list to other data bases.

If I get your debit and credit histories, then I can go back to the restaurant and find out from their computer what dishes you ordered. I can go back to the bookstore and find out exactly what books you have bought.

And so the financial transaction purchase list is different, in part, because it’s so comprehensive a guide to tracking down all those other aspects of people’s lives.

And the third point about financial records as sensitive or special is that, as we have the holding companies change, we move from core banking services to a lot of things that go out from that core towards travel agency, towards lots and lots of other new activities, activities we think are appropriate -- and the Administration has supported, including in holding companies.

But, it may not be that just because you have a checking account you want to have your data go out to the travel agency, or go out to the other sorts of things that are going to grow in the new financial world.

And so for all those reasons, we think financial is special and deserves legal treatment.

So, to wrap up, what I have here are a couple of thoughts for you for the future. One is to prepare yourself and your organization for these coming decisions on privacy. We didn’t stop in November. These decisions are going to keep coming.

Second is to recognize that some data is more sensitive than other data. We know that from our own experience; the world is going to reflect that in the rules.

And the third thing is what we sometimes call the Friends and Family test -- Family and Friends Test. If you go home at dinner and talk to your spouse or your friends on a Saturday night, one simple thing is to describe the practices your company is doing: "Here’s this neat new way we have to sort of really keep track of our customers." And if you can describe that and your family members say, "That makes sense, that’s a real benefit to customers," that’s a good guide.

If your family instead gets that look on their face, you know, that "This is something, gee, I really wish you weren’t telling me," or "I don’t feel comfortable here," or whatever, that may be a guide that other Americans and the rest will maybe also have negative reactions.

And I think that sort of feeling was reflected by the President when he spoke at the Aspen Institute earlier this month.

In a speech on Internet Privacy and other topics, he said to these assembled companies:

"Do you have privacy policies that you could be proud of?" he said. "Do you have privacy policies you would be glad to have reported in the media?"

If so -- and now I’ve finished the quote. If so, your policies are much more likely to survive public and press and political scrutiny. And if you’re proud of them, if you can let them be public, those are policies that will help your organizations prosper in this future of privacy in the Information Age we’re all facing.

Thanks very much.

PRESENTATION BY
LAURIE SCHAFFER
STAFF DIRECTOR
FINANCIAL INSTITUTIONS SUBCOMMITTEE
HOUSE BANKING COMMITTEE
UNITED STATES CONGRESS

MS. SCHAFFER: Thank you very much.

I want to thank Ellen and Chairman Tanoue and the FDIC for sponsoring this panel as well, this conference.

I hope today to give you briefly a view of how we got to where we were in the Gramm-Leach-Bliley Act, what sort of the general feeling is, at least from Chairman Leach and the Majority of the House Banking Committee, and perhaps that will reflect on where things may go in the future, at least in terms of this year.

Before I start, I want to note that Kirsten Johnson, who works for Congressman Vento, is in the audience, did quite a lot on the privacy provisions of the bill, and deserves a lot of credit in terms of how they came out.

Mr. Leach said on the Floor in responding to Mr. Markey on his -- there was a motion to recommit on the Gramm-Leach-Bliley Act, and Mr. Markey had a privacy provision that provided for opt out for affiliate sharing as well as opt out for third party sharing.

And in response to that, Chairman Leach stood up and said that:

"The Gramm-Leach-Bliley Act represented the greatest expansion of privacy rights in modern day finance."

And I thought it was a remarkable moment for me personally to be on the floor and to have worked for Chairman Leach because there was complete silence in the room. And that doesn’t happen very often.

During a lot of debates, members go back and forth. But, the privacy was an emotional issue. And Chairman Leach talked about what had been done on the bill, what steps were being taken, how this was really the first time that Congress had addressed financial privacy.

And I saw a lot of supporters of Mr. Markey’s motion to recommit shaking their heads yes. In fact, there was one Democratic member from I believe Oregon, from the Northwest anyway, who said that in her wildest dreams, she could have never imagined that Congress would have considered and actually passed a provision like was in Gramm-Leach-Bliley.

And the question is, "How did we get there and where will we go in the future?"

There was a hope when we started Financial Modernization that we could address the issues of privacy separately. And the reason is, not that people aren’t committed to the question of financial privacy, but because they are very hard, difficult issues. There needs to be an appropriate balance. There needs to be a balance between clearly protecting consumers’ interests but not denying them credit, not denying them access to new services and not stopping innovation.

And the question is how do you address that?

And that was a lot of the struggle. And I think, if you talk to Kirsten or Geoff Gray, who worked on this from the Senate side, a lot of the struggle we had was finding the appropriate balance.

And I, unfortunately, missed the Regulators Panel, but I heard reference to some of the discussion about the regulation. There is some ambiguity in the statute, and part of the reason was Congress was dealing with it within a relatively short time and trying to make sure that we protected privacy but did not have unintended consequences.

Those are important issues. From that perspective, Chairman Leach would like to see the regulations go into effect. We’d like to have comments, hold some oversight hearings, before we move forward and tackle other aspects of privacy.

You know, there was a quote in the American Banker yesterday, if anybody saw the front page, that talked about 500 million pieces of opt out notices and mail being mailed out at the end of the year.

I talked to my parents and explained to them how they’re going to get opt out notices from all these institutions. You know, from their banks, from their insurance companies, from a variety of people -- they’re elderly -- and the variety of people that they do business with and have financial relationships.

And they sort of looked at me and they said, "What are you talking about?"

I mean, they want financial privacy. They want to be protected. But, when I sort of explained to them what was going to show up in their mail, they sort of looked at me like I had lost my mind.

So I think it’s important to see what is going to happen, how these rules are going to be implemented.

There are a number of pieces of legislation pending in both the House and the Senate right now. Mr. Shelby and Mr. Markey have legislation concerning opting in. Leahy has a bill concerning opting out.

Something interesting was introduced just the other day. Asa Hutchinson and Jim Moran introduced legislation to form a commission, a bipartisan commission. This bill is H.R. 4049 for those of you who are interested.

It’s a seventeen-member bipartisan commission, members appointed by Republican and Democrat persons, all sides, to look at a variety of privacy issues -- financial, social security, driver’s license, medical -- a range of financial issues to study and evaluate and report back.

In some ways, I think this is the appropriate way to go. We don’t have a lot of information about what consumers want and don’t want. You know, there’s a lot of anecdotal information.

But, everybody, when you ask them, if you ask them whether they want their information shared, everybody says no. But, sometimes, when you talk to people and you say, "Well, if you could get this package, or if you could get this benefit, would you do it?"

And people sort of -- they’re not sure. So, when people say that -- give you polls or give you information about what people want or don’t want, you have to ask what the questions are being asked and what is being explained.

To be honest, those are the issues we were trying to deal with in addressing the privacy provisions, and trying to make sure we don’t stop innovation but we protect privacy.

I think there is a hope going forward both in the full Committee and in the Financial Institution Subcommittee that will have an opportunity to do some oversight hearings on the privacy provisions, perhaps this summer, and try to really take a good look at what’s being done.

In terms of the issue of affiliate-sharing, it’s again a very, very difficult issue. I mean, if the results, for example, were a package of products where you have a reduced price, there may be some benefit to that.

You know, it reminds me a little bit -- it’s not a perfect example -- but it reminds me a little bit of the anti-tying provisions. As many of you know, those provisions basically say you can’t condition one product on purchasing another product.

A number of years ago, perhaps five or six years ago, the Fed provided an exemption to allow product combinations for reduced prices. And those, I think if you go into your banks, you’ll see a lot of those. If you set up a number of accounts, you can get a reduced fee for having those accounts.

That turned out to be a benefit. While everybody is against tying, is against coercion, there was an approach that allowed products and services to be offered where the consumer could benefit, there wasn’t coercion, and it was a balanced approach.

I would suggest that, in terms of looking at privacy, in terms of looking at the questions of affiliate-sharing, we need to step back and really understand what we were doing and where we’re going and how these issues will be addressed.

Thank you.

(Applause.)

PRESENTATION BY
GEOFFREY P. GRAY
SENIOR PROFESSIONAL STAFF MEMBER
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE

MR. GRAY: Thank you for having me. I am Geoff Gray with the Senate Banking Committee Staff. I will be very brief. I recognize that Attorney General Hatch has to be out of here at 1 o’clock.

I’m tempted to filibuster for another twenty minutes in that regard, but I think I will be brief anyway.

(Laughter.)

I just wanted to make a few quick points. I think most of you know Senator Gramm’s positions on these kinds of issues. Not surprisingly, it is a market-based approach.

We’re all for privacy. Disclosures of privacy policies so individuals can make their choices based on the policies that various vendors have in conducting their business, is the best way to go in his view.

I think he would also probably make the point that when we talk about the special dangers of financial privacy, and these are our most intimate secrets, I think he’d say that if your most intimate secrets are at your bank, that you lead a very boring life.

When Gramm-Leach-Bliley was enacted, we made the point that there are fourteen plus federal statutes already on the books regarding privacy. That’s often overlooked -- Fair Credit Reporting Act, a number of other issues.

Additionally, a lot of state laws are already on the books. Particularly frustrating in this is that -- and this is the one point I really want to make -- is that there is a disconnect out there, often when we talk about privacy, between the problem that we are looking to solve and what we’re doing about it.

During the debate of Gramm-Leach-Bliley, oftentimes, the U.S. Bancorp case was cited. We have Attorney General Hatch here with us today, who filed that case.

Also, I noted in the debate in the Commerce Committee, a lot of folks brought up the issue of identity theft. One member raised the issue that their identity was stolen the year before. Someone filed a false tax return for them.

But, we don’t generally then look at what was on the books, for example, in ’98 when we passed the Identity Theft Act.

The U.S. Bancorp case, the very fact that it was filed, indicated that there were laws on the books for which you could file a case. And, in fact, it was settled. And, you know, most would characterize that case as being settled favorably to the State of Minnesota.

That was filed based on the Fair Credit Reporting Act and a whole host of State consumer fraud, false and deceptive practices provisions, that were on the books.

So, when we point to that case and say, "Look at the U.S. Bancorp case, that’s why we need new privacy laws," you know, I really find a disconnect there.

So, when this panel was designed and I was told that I should speak about the new privacy laws that we’re going to do this year or next, you know, I thought this is something we really need to put the brakes on here.

We’ve just enacted comprehensive privacy laws. We haven’t even gone through the regulatory process yet. Those things come into effect November 13th and we’re already talking about the new laws we’ve got to get on the books quickly here.

All of the states are involved in activities now with regard to state laws. We carefully left in place the option on Gramm-Leach-Bliley for states to enact tougher laws. So this was just a floor, not a ceiling.

We haven’t let that process proceed. We haven’t analyzed the cost of these laws that we put in place.

Greenspan has warned us, warned in a letter just last year or the year before as well that, you know, "Let’s not do anything to put the brakes on our information economy. We don’t want to shut down the Information Age before it gets off the ground."

This could be very expensive. Our economy is booming. Others in Europe, for example, with the more constrictive privacy directive that they operate under, certainly that economy is not one for us to pattern ourselves off of. Others are looking to pattern off of our economy.

So, I think, in closing so that we can move on here, I think we need to make sure that we do not operate with a disconnect; that we target the problem that needs to be solved and that we wait and look at the laws that we’ve put on the books before rushing to put new ones on the board.

Thank you.

PRESENTATION BY
MIKE HATCH
ATTORNEY GENERAL
STATE OF MINNESOTA

ATTORNEY GENERAL HATCH: Good afternoon. My name is Mike Hatch, and I’m the Attorney General in the State of Minnesota.

To look to the future, I think we should look to where we’ve been. And in terms of financial privacy, some examples over the last year, last couple of years, include Charter Pacific selling -- what? Three point seven million, I think, credit cards to people to -- excuse me, not to people -- 3.7 credit card numbers to an ex-con who promptly charged up about $40 million of product to people at $50 an increment.

Or, a NationsBank where a $40 million settlement occurred because the CD maturity dates of senior citizens were sold off to a broker, who turned around and sold -- actually to an affiliate -- who turned around and hustled these people into high risk, high-commission products.

Perhaps the best one is Forbes Magazine, not what you’d call a black helicopter magazine, where the reporter hired an investigator and said, "Come back in a week and tell me all you can find."

And he went to the guy’s checking account. He came back. He found all of the checks. He got the data. And, by the way, found out he didn’t lead a boring life.

He said, "Here’s your psychotherapist, here’s your monthly bills, here’s your liquor bills, here’s your favorite restaurant, here’s your income, here’s your stock portfolio..." that he got out of the broker dealer, which was affiliated with the bank.

He got all the information. He got his unlisted phone numbers, his social security number. He got the works.

If I have access to your checking account, I know what organizations you’re a member of. I know if you’ve had a chemical dependency. I know that, if you’re going through mental illness. Basically I’ve got access to everything about you. And if I’m your employer and I can get it, it’s pretty good.

If I’m anybody and you’re not aware of it -- how about if I’m a competitor, if I’m a business and I can get access to a business checking account? I asked that to a Chamber group:

"How many people here think that access to checks written by a business constitutes a business plan?"

Every member of that Chamber of Commerce raised their hand.

"How many people here think there should be an opt in? Affirmative disclosure..." -- excuse me -- "...affirmative permission before any of my information is transferred?"

Every business raised their hand, which I was stunned at because -- this was at the ending of it -- that organization supposedly was opposed to opt in legislation.

Where are we going? I suspect by year end -- and I’ll say I "suspect" because I don’t want to disclose -- we certainly have a Data Practices Act in the State of Minnesota. But I suspect at the year end you will see lawsuits filed by at least one Attorney General and it will be with telemarketing companies that do business with major banks in this State.

And I think what you’re going to find is that there’s tremendous slamming going on -- in other words, unauthorized transactions -- not backed up by tapes, as claimed.

I think you’ll find, by year end, you will find telemarketing companies where the target of the information given by banks -- which could be done pursuant to joint marketing agreements, and depending upon how you define "financial products" -- were targeted to senior citizens who didn’t know better.

You can give all the disclosure you want to a 92-year old person and if they don’t understand it, it doesn’t matter.

And if you’ve got people, if you sell to a 92-year old a health club discount program, or eye shadow makeup on a discount program -- something that is a valued service that every bank should want to give to its customers -- then I think that there are problems.

Now where are we going to go with this thing?

I think we’re going to see some lawsuits. Not just against the telemarketing firms but also with the banks that shared that information.

And you can go into whether it’s RICO or all sorts of other issues. You’re going to see some liabilities, especially if it’s pointed to senior citizens. Keep in mind there are laws in this country at both federal and state level that are designed to protect senior citizens.

And if their savings, if their nest egg, is abused because the information that a bank gave them allows telemarketers to fraudulently and deceptively swindle these people, then I think you’re going to see lawsuits.

Now, eventually out of this, I think what’s going to occur is there’s going to be some real privacy legislation passed. I don’t consider this last Act privacy. I consider it a Bank Disclosure Act.

I think it’s a crummy law. I think it’s basically lobbyists who got their way with the Congress.

And I think what’s going to happen is that people, as these lawsuits progress -- and they will happen -- think of the vanishing premium cases that insurance companies got hit on with universal life insurance during the eighties -- and as you have these entities come together, think of a bank liability that could occur regardless of the firewalls, regardless of whatever insulation supposedly is put into the equation.

We have examples today -- in fact, I had a complaint this week. A major bank took a senior citizen’s, an 85-year old lady -- and this is fairly common -- an 85-year old woman, took her out of her savings account, put it into what she thought was a one-year CD.

She writes to say, "Gee, it wasn’t a one-year CD, it was a ten-year CD. And it wasn’t with the bank, it was part of a participation in a jumbo CD offered by an Alabama savings and loan."

Now those kind of things, as they occur, more issues come up. Is that a privacy issue? Is that an issue with regard to Glass-Steagall, or the repeal, that essentially has occurred?

I think it’s a combination of the two.

Now, where do we go in the future, whether it be with just bank data or other issues as arise with privacy? I think people are going to find that data is property. It’s a liberty issue in Europe. It’s a liberty, freedom. It can be a liberty issue in Asia as well as it relates to some bank data.

In America, we’re probably going to see it become a property right. Maybe, not under current law, not under common law, but perhaps by statutes, or perhaps because banks and other entities who want to sell information want to protect it.

Ask the data brokers, the list brokers: "Is data property?" And they’re going to say, "You bet ya. That’s where the money comes in."

Most of the magazines you get at your shop, at your home from direct mailers, they make their money -- if they can break even on the products they sell, they’re happy -- their net profit comes off the sale of those lists, off the rental of those lists.

That’s where you make your money. Virtually every company would be happy if they just made the net profit off that list rental.

Somewhere along the line, companies protect themselves. Or maybe by legislation if opt in occurs, which it ought to, and given the outrage that may occur with some of these lawsuits, I think it will. People will have that property right and, to protect themselves from the sale of it, they will tell people, "We will pay you a percentage, a royalty," whatever it is, "with regard to the rental of your name."

"We’ll pay our costs. You’re going to get a percentage of that." And you will see companies put up on web sites where you can join. If you want to join a company, get paid at year end or whatever the figure is, you know, whatever your percentage is, you participate.

Now that opt in, the beauty of that system, it’s not only an opt in of your choosing but more importantly, direct marketers, banks, insurance companies, anybody else that wants that type of information is going to have a customer list of people who actually want the information.

It’s going to be a valuable list and people will be able to pick and see what their credits are during the year and be able to choose how they wish to spend the proceeds.

People have -- the issue as to what is "privacy" gets into an issue of absolute accountability. "What do you want disclosed about you?"

When I was in private practice for the last eight years, I represented a number of banks and insurance companies. One of the frequent questions, even though there are medical privacy laws, that were given to me by what are called third party administrators of self-insured plans, was:

"What do I do when the employer asks -- ‘I want to know who’s been into chemical dependency treatment. I want to know what people have had for certain types of treatment.’ -- Asking for categories. Should I disclose it?"

The easy answer is, "No, don’t disclose it. There’s an ADA. You can get ADA violations and everything else."

And they say, "That’s fine. You can tell me what the law is. This is a major client for me; I got to deliver. What’s my liability? I don’t care about the company’s liability."

You get into all these issues as to what type of data is transferred and how people use it.

It is -- I do think that it is a major issue. I think it’s one that’s going to accelerate. There will be more problems develop, more lawsuits. Like it or not, that’s going to happen, especially when you’re seeing a predominant amount of the targeting that’s coming from this bank data, I think, it will be shown to be coming and targeted to senior citizens, people who cannot fend for themselves.

And, indeed, in the end -- I think I should close out -- otherwise, the problem here is, when you look at this seal -- when I was a Bank Commissioner in the eighties, I had to close twenty-five banks -- and we had the experience on one occasion of a small banker, a small-town bank -- he wanted to be able to go to the town and say, "Listen, this bank is going to close. We’re insolvent. I want to sell some stock in it. And the reason why I want to do this is because when we close this bank, we won’t ever have a unit bank here in Lamberton again."

We met with the FDIC officials and it was pretty unprecedented. You don’t allow -- everything is supposed to be confidential, secret. You close the bank Friday afternoon. You reopen it Monday and away you go.

We went ahead with it anyway. It was an experiment. The banker met -- he actually did raise money. He wasn’t able to close the deal and the bank had to be closed about a week or two later.

But what was interesting about it was there was so much confidence in that banking system, in that organization, that seal behind me, that nobody did a run on the bank. They trusted the system.

The banker was allowed to try to go raise that money.

You know the first day you serve as a bank regulator or work for a bank, you know that confidence in the system is most important. Without that confidence, the system doesn’t work. We go to the bank tomorrow and withdraw our money. The bank system fails. You know that; I know that.

There are still people who come from the Depression who still put their money and they sew it up in drapes because they don’t trust that system.

That seal is extremely important. The credibility of banks -- the security, the safety, the confidentiality of the banks is extremely important.

If we allow banks to become boiler rooms, if we allow banks to become a sort of department store, you can take the key off that seal and, frankly, a lot of people in this country won’t have that kind of confidence and then you will have problems with the banking system. Because we will have economic problems.

It’s important; confidentiality is important for banks as it is for the consumer and, indeed, it’s as important for the economy as a whole.

Thank you.

(Applause.)

PRESENTATION BY
L. RICHARD FISCHER
MORRISON & FOERSTER, LLP

MR. FISCHER: Well, as the counterpoint I think I ought to start out first by saying that there are at least a few points that I agree with Mike Hatch on completely.

First, I would agree that the statute, as Mike said, is a crummy law, in my judgment. And I’ll explain why I think that that’s absolutely right.

Also, I’m prepared today, if I had a vote, to vote for any law that would outlaw evil. A law that would outlaw bankers who would disclose credit card numbers to felons, to telemarketing companies that would slam consumers, and any company that would sell cosmetics to infirmed 92-year-old people.

So, as a start, it’s very important to understand that there are things in which we all agree.

One thing that struck me though through the earlier panels that I listened to was the complexity of this particular statute.

We’ve heard about customers, consumers. We’ve even heard about nonconsumer consumers. We’ve heard about public information that’s not public information, policies that aren’t really your current policies but could be your policy some day.

A decade ago, we heard about nonbank banks. And now we hear about nonfinancial institution financial institutions.

And all of this for the benefit of consumers.

It reminds me of my favorite story growing up. That’s Alice In Wonderland. Obviously, there are lots of people -- we’ve just heard one -- saying "Off with their heads."

So it has me anxiously awaiting for the White Rabbit and the Queen of Hearts.

But, let’s step back and take a look at what’s really going on here: Concerns, and I think, frankly, founded concerns about financial institutions -- or at least allegations of financial institutions -- providing information to third parties to market products to their customers without any knowledge of those customers.

All right, disclosure of information; third parties; marketing purposes.

Should be easy to fix, right? Well, apparently, not. Let’s take a look at a very, very complicated statute. And in all fairness to the regulators, complicated regulations which actually have to flow from it.

Look at the statute, look at the regulations and ask yourself whether they will really deal with the main consumer concerns, which Mike clearly expressed: identity theft, financial risk to consumers, government access to information -- which he didn’t mention being from the government, but in fact is one of the greatest consumer concerns with respect to privacy.

And, in fact, the statute may not even deal with third party choice for marketing purposes.

Why? You heard why in the first panel. It’s simply too complicated. Consumers won’t understand. Is it 500,000? Is it 500 million? Is it two billion notices that will come out this fall?

How about a very simple, straightforward disclosure -- I’m not saying that the regulators have choice at the moment but how about something that says:

"We provide information about you to third parties, information from your applications -- like your income -- from credit reports, even information we gain about you from your accounts, like your average balance and your payment history. We disclose that to third parties so they can market to you financial products like A, B and C, and nonfinancial products like X, Y and Z. If you don’t want us to do that, please say no, or check here. Call this 800 number and it’s your choice. We’ll do what you say."

One page, very short, called "Consumer Choice."

We’ve heard a lot today about opt in and opt out. But, the future is neither. The future is choice.

In terms of banks and consumers and more complicated rules, we’ve seen that. And I think, as a practical matter, looking at it as privacy lawyer, I should say, "I have two children in college and one in grad school. I should be very thankful for all of this."

But, in fact, Mike is quite right about a couple of things. One, the States do, in fact, have the right, the power, I believe, to enact tougher laws, at least as they apply to nonaffiliated third parties.

They could adopt opt in. They could even prohibit the disclosure of information entirely.

I would hope, however, that the State of Minnesota and other States would think first and enact later.

You still have to address the primary concerns: identity theft, financial loss, government access to information, as well as third party marketing. And States should ask themselves:

"Will those tougher laws really address any of those situations?"

One point is important, however. Mike didn’t mention this. The States don’t have the ability, at least in my judgment, to enact tougher laws as it relates to sharing of information with affiliates.

Frankly, I think banks should get there themselves and I think that they are and will.

So what do I see in the future?

First, I see a tremendous amount of confusion. I see enormous expense. I see a recognition that the present approach is fundamentally flawed. Then I see an effort to start all over again with a very simple disclosure that provides clear choice and a convenient, easy way to exercise that choice so that those who want to opt out can do so and those who don’t care or don’t want to opt out can enjoy the benefits of the Information Society.

And perhaps even be compensated for that.

I think that, in fact, is the future. Mike Hatch I think correctly said, not so much that privacy or information is a property right, but rather the future is compensating consumers for using that information about them.

If we complicate the process with opt in and a myriad of statutes at the State level, we’ll never get there in the Information Society.

Thank you.

(Applause.)

MS. SEIDMAN: What we’re going to do is take questions directly from the floor.

Are there people who would like to ask some questions?

(No response.)

MS. SEIDMAN: Oh, come on. You can’t want lunch that much.

(No response.)

MS. SEIDMAN: Okay, I’m going to ask a question and then maybe that will give you time to think or write, or whatever. In the earlier panel, Jo Ann Barefoot asked the question: What is the default? And Laurie raised this issue with respect to her elderly parents.

If in fact, Americans just asked the general question -- "Do you want your checks shared?" -- would say no. Why is the appropriate default letting the information flow rather than saying, no, the information can’t flow unless you opt in?

And, obviously, as a bank regulator, you know, I expect some folks to talk about things like operational things and servicing mortgages and all of that.

But, let’s sort of accept the proposition that we might be able to define the operational pieces and think about the marketing issues, think about it in terms of cross-marketing.

Anyone want to take that?

MR. FISCHER: Well, let me start out. First -- and Mike Hatch also referenced disclosure of information on checks -- and I think you really have to focus the debate on what is, in fact, being shared even in those circumstances where information is being shared for marketing purposes, and the last thing that you would find shared would be information on checks.

But, to the point is: Why is that a default?

I think, if you’re looking for any opportunity to provide information for marketing purposes at all, then you have three groups of people -- those who care enough to opt out, those who would enjoy the benefits of whatever offers they’re getting, and those that really don’t care, that don’t focus and don’t care.

At least, what I’ve heard and the studies I’ve seen, the vast majority of people in a general sense are in that third category. Therefore, if the default position is no disclosure at all, the cost of reaching the handful of people, the smaller percentage of people who affirmatively say yes, undoes the operation entirely.

MS. SEIDMAN: Anyone else want to comment?

MR. GRAY: I’d like to just add to that, this also brings up another one of those flawed premises. And that is that folks are out there looking for ways to hurt their customers.

It’s, "Gee, I’m going to take all your checks to the psychotherapist and the liquor store and post them on the Internet."

It’s not something that’s likely to be going on. How long is that bank going to keep its customers when they start receiving solicitations from psychotherapy groups because they know they’ve gotten these checks from payments to other psychotherapy groups?

This is just not -- there is a natural market check on a lot of this activity that isn’t talked about, and beginning from the premise that all these institutions are really out to try to find a way to hurt their customers as much as they can is not the way to look at this.

I mean, folks want to keep their relationships. They want to help their customers. They want happy customers that continue to do business with them.

So we really need to think about real world checks on these things as well.

MS. SEIDMAN: Anyone else? Peter?

MR. SWIRE: Well, the last one, the last comment about the market check -- can you hear me? Is this working? Okay.

On that point, I think we can overstate how well the market check works. If, for instance, as was mentioned in the previous panel, the notice is not handed out until the loan closing, there’s a question about whether there’s very good market shopping that happens at the stage where customers are still making up their mind.

And so getting information to the customers at the time when they’re really deciding seems like a good principle to really make the market work.

A second point on market checks is, if some solicitation, some phone call at dinnertime, whatever, comes in to you that you don’t like, that you find offensive, it may be very, very hard to know which part of your life actually released that information -- whether it came from your bank, whether it came from other places.

And so the market works best when you actually can hold people accountable for what they do. Because information flows can be so complicated and circuitous, oftentimes, you can’t find out where the leak came from, as it were.

And so the market doesn’t work as well as it would if it weren’t like that.

MS. SCHAFFER: I guess, Ellen, something that Rick said about "Why can’t we have a simple form and just tell people what you do and let them make up their mind," I mean I guess my reaction to that would be that, in some ways, that I think was what a lot of people had hoped to achieve.

It gets, processes get very complicated and are very difficult.

And I think, in terms of the information on the check, I think, if people are given the opportunity to basically say "This information is collected. Do you want it shared or not?" And given the opportunity to say yes or no.

You know, there should be -- I guess in some sense the frustration we feel a little bit is -- it should be a simple process. It did not turn out to be a simple process. There turned out to be a lot of ambiguities in the statute because of timing, because it was hard to get accurate information about what was really going on, what institutions were sharing or not sharing, what consumers were really interested in.

And as a result, when we were struggling and putting it together, a lot of decisions were made to leave some flexibility to the agencies because we did not have time nor accurate information.

And I will tell you very honestly there was a frustration on the part of Congress, or part of staff certainly and Members working on the issue, that you were not getting a clear idea of what was being shared and what wasn’t, what was being collected and what wasn’t.

You know, when we started in the House Banking Committee, nobody was doing anything. You know, everything was as pure as snow.

And then, as the process went on, it was like, well, maybe, you know. So there was a desire to try to do the right thing, to try to have it simple. But, there was also a lack of really good information.

And so a lot was left to the agencies.

But, you know, one thing I wanted to mention is this is a very flash point issue in Congress. The Privacy Amendment passed the House by 427/1. And as you know, there were 435 members of the House.

So that gives you a clear idea of what this issue means in Congress. And there was a lot of lobbying against it, but it gives you a very clear idea of what it meant.

MS. SEIDMAN: Question from the floor?

Okay. I have one question that we got sent up. This is for Peter, but I think actually some other folks may want to answer it too.

You mentioned that we, the industry, should be prepared for future legislation in the financial services area. How does a bank do that? New disclosures, new regulatory requirements, cost money.

I actually suggest maybe they should just take Rick’s position and send out a blanket question of "Do you want in or out?" And that will prepare them for a whole lot.

Which, by the way, Amy or Rich or one of the other, Steve, other people, will undoubtedly scream if I’m wrong -- I think you can actually do that under the proposed regs. It is your decisions to not make it an all or nothing proposition that will make the opt out form and/or the privacy statement long.

Now the question of who has to do what, when, that is complicated. But, the actual document itself I think need not be sixteen pages long.

Anyway, go ahead, Peter. Do you want to talk about it?

MR. SWIRE: Sure. So the question is how can the banks know how to prepare for a future that isn’t here yet? Or for some regulatory proposal that isn’t here yet.

One answer is that I think industry trade associations -- I know American Bankers Association is here today and a number of others -- have been actively talking with their members and with regulators. I’ve gone and spoken at many of those groups, to try to identify what the issues are that seem to be of greatest interest and public concern.

And some of it’s not very mysterious. A lot of it, when I say the "Family and Friends test," is talking to your customers, talking to ordinary people about where the concerns are as part of market research and part of being ready for this future that’s coming at us.

And I don’t think we’re hiding -- I don’t think we have deep Machiavellian plans anywhere. We’re in the process of forming a particular proposal right now that will be released relatively soon. And there will be plenty of public debate and opportunity to comment.

But, the goal is to listen and talk with people who are knowledgeable about this, including your customers. And I think that’s the best guide.

MS. SEIDMAN: Does someone else want to respond?

MR. FISCHER: Let me comment on two things. First, going back, I talked about crummy legislation. And I think one thing is, in fairness to Congress -- and, Laurie, you said this -- this was a highly-debated piece of legislation.

And when people fight over clauses, types of information and types of people that would receive it, what you get is a very complicated statute.

And that’s what we have. And so those, including myself, who were fighting lots of the privacy provisions trench by trench, in fact, got as a reward a very complicated statute.

That’s a fair statement.

Going from there, you look at it and you say, "How do you prepare for the future?" It’s really two things.

I liked Peter’s comment about Family and Friends. What I tell people with whom I work is: Think about the front page. Think about the front page of the Washington Post or the New York Times.

And if that’s where your practice is discussed, how will you feel about it in that context?

What I’m hoping is that Peter is right, that there will be at some point, once we go through this digestion stage, other legislation. But, that we realize that this is one case where less is more -- for everybody.

Less is more for Congress. Less is more for the regulators that have to enforce this statute. Less is more for financial institutions and, in particular, less is more for the consumers who have to make a choice and really can’t do it.

Ellen, on your point in terms of the short notice, you can provide a short notice, which is an across-the-board opt out. But, you still have to wrap it around all of the detailed disclosures about information practices and the like.

And I think what we have to do is get from that complexity to something that’s quite simple and provides for consumer choice.

MS. SCHAFFER: Ellen, you know, I’d like to -- a little bit -- because it goes back to what we were talking about before, but picking up on what you just said.

You know, it’s easy to provide the simple notice. But, I gather from some of the discussion there was a lot of comment about when things have to be done and how much information has to be given.

A lot of that in the statute was an attempt to deal with different kinds of relationships, to really address the industry’s concerns about not having to do, you know, whether the ATM machine or not was a customer relationship.

When is a relationship established and how do you deal with it? And a lot of it was an effort to really address different types of relationships, different types of customers and what different types of institutions felt they wanted or didn’t want.

It is very, very -- because relationships are so varied, it was a very, very tough issue and tough nut to try to crack and figure out when you had to disclose what.

And I think that’s some of what the agency has faced in trying to put this together.

MR. GRAY: I’d like to add also, in response to how do you prepare for what might come at you next, that it’s not easy to prepare because you don’t know what’s going to come at you next.

I still hear the disconnect even today with regard to what the problem is and what we’re doing. I heard the point about you get calls at home and we’ve got to stop that.

I mean there is the Telephone and the Consumer Protection Act of ’91. Telemarketing Consumer Fraud and Abuse Protection Act that same year. All of those addressed ways to stop people from calling you at home.

That’s on the books already.

You could get unreasonable things sent to you. There are the concepts of suitability versus privacy that are directly at odds. You’re simultaneously told, for example with regard to securities, that you need to go out there and make sure that you’re not selling something to someone that they ought not to buy.

You should have a good idea as to what their status is, what their financial situation is, what would be appropriate to sell them. And then, simultaneously, you’re told, "How dare you," for collecting and sharing this information within even your company?

So these concepts are at direct odds with each other and government does not always present these things to you in a rational form.

You see the same thing with bankruptcy and CRA. Simultaneously, credit grantors are told: You’re being unreasonable and irresponsible in the way that you make credit available to people who don’t know how to properly handle that credit. You ought not to make credit widely available to those who can’t properly handle it, where -- in under-served areas or in the inner-city. Then they’re simultaneously told that: You have an obligation to go out and seek out those who are under-served, that have no credit, and extend credit to them.

You know, those concepts are at direct odds with each other. So, in sum, how you prepare for what’s coming next? I don’t know.

MS. SEIDMAN: I think I will avoid my usual CRA disagreements.

(Laughter.)

Let me just raise one last issue, which somebody raised, which has to do with insurance companies because it hasn’t been covered.

The insurance part of this statute is supposed to be, as is insurance regulation in general, enforced by the States, and it’s too bad Mike had to leave.

Laurie seems to be eager to answer this question. How is that all going to work if the insurance regulators aren’t quite as quick on their feet as the federal regulators?

MS. SCHAFFER: Well, you know, to be quite honest and quite frank, the way the bill deals with the insurance issue is, if the States don’t do it, then their ability to adopt rules concerning some insurance sales practices provisions are limited.

That seems like an odd compromise. It was done because the McCarran-Ferguson Act and, fundamentally, insurance, is subject to State regulation. And that is a whole separate issue that had to be addressed in the legislation and that Congress and I think the federal government has yet to deal with some of those questions.

Perhaps, it’s a less than perfect solution but it was the political compromise and primary way to do it.

MR. GRAY: Well, it actually goes beyond politics. It’s a constitutional issue. The reason the States were not mandated to enforce this federal standard is that’s unconstitutional.

You can’t set a federal standard, say "Here’s what you do," like we did for all the bank regulators, and then say, "Now, States, go out and enforce that. And, incidentally, you’re going to have to spend some money to do that."

An unfunded federal mandate, an unconstitutional forcing of the States to enforce a federal standard.

So we couldn’t do that. We had to suggest it’s a good idea.

MS. SCHAFFER: And part of the problem, of course, was because we didn’t have State regulation of insurance. There is no federal regulation. So you had to deal with the State issue.

MR. FISCHER: One thing, if you step back, though the statute doesn’t require regulations of the States, you’re absolutely right, but the statute speaks for itself in terms of the requirements for insurance companies.

They still, as financial institutions, have disclosure obligations.

You’re also going to have seven agencies publish substantially similar regulations, which is all the Courts need in terms of guidance as to what these requirements mean.

There are unfair and deceptive practice statutes in every State. If, in fact, an insurance company violates the law -- I’m not saying that they ever would -- but, if they did, you have the statute that says it’s illegal and you have interpretations from seven agencies in terms of what that means -- and enforcement ability under State law today.

MS. SEIDMAN: So you’re essentially saying that the statute is self-executing?

MR. FISCHER: Absolutely.

MS. SEIDMAN: Okay. I think we’ve over-stayed our time, although I don’t think our welcome. And I think Chairman Tanoue wants to close the session.

Thank you all.

(Applause.)

CHAIRMAN TANOUE: In closing this forum today, I want to thank all of the moderators and the speakers. And I express not only my appreciation but, hopefully, your collective appreciation on that front.

I see this forum as part of a continuum, a continuum in terms of discussions of financial privacy.

As technology progresses and there are further developments, the issues will continue to develop as well. And the dialogue that we engage in today will continue.

As we look to the future, I take this opportunity to seize this bully pulpit and to urge our insured institutions to seize the opportunity to really embrace the opportunity to continue to build upon successful approaches that will protect consumers’ privacy.

In particular, I suggest that our insured institutions view privacy in terms of customer service, not merely regulatory compliance and that our insured institutions anticipate measures to address consumer concerns.

You know, as Chairman of the FDIC, I’m often reminded of the words of FDR that he spoke in 1933. He said something in those days that I believe is meaningful today and still resonates.

FDR said this. He said:

"There’s something in the financial sector more important than currency, more important than gold, and that is the confidence of the people."

With that thought in the context of privacy, I close this forum. Thank you all for joining us today.

(Applause.)

(Whereupon, at 1:30 p.m., the meeting was concluded.)

Last Updated 04/06/2000 communications@fdic.gov
