1120 Connecticut Avenue, N.W.
Washington, D.C. 20036
April 11, 1997
RE: Data Base Workshop Request to Comment/Participate, P9744806 and Consumer Privacy 1997 Request to Comment/Participate, P954807
Dear Secretary Clark:
Thank you for the opportunity to comment, and request to participate in, several of the Federal Trade Commission's (FTC) sessions that will be held at the FTC's Public Workshop on Consumer Information Privacy on June 10-12, 1997. The American Bankers Association (ABA) has long considered the issue of "privacy" as central to financial institutions and our membership encourages healthy debate on the parameters of this subject. We are especially interested in the first two subjects mentioned in the March 6 notice, namely, computerized data bases containing sensitive consumer identifying information and consumer online privacy. Representatives of our Association respectfully seek permission to participate in both of these workshops.
The American Bankers Association ("ABA") brings together all elements of the banking community to best represent the interests of this rapidly changing industry. Its membership, which includes community, regional, and money center banks and holding companies, as well as savings associations, trust companies and savings banks, makes ABA the banking trade association in the country.
In the first session, the Federal Trade Commission is seeking comments on the possible concerns related to computerized data bases that contain sensitive consumer identifying information that are often referred to as "look-up services." The study that the FTC is preparing for Congress on this subject will explore consumer privacy concerns regarding the collection, sale and use of their identifying information but will not cover concerns with the use of certain other data bases such as consumer-credit reports for employment purposes. In the second session, the Commission is seeking comments on consumer online privacy. The ABA is providing limited responses at this time, but we will supplement our submission prior to or at the Workshop.
In response to one of the recommendations of ABA's final report of the Association's Payment System Task Force, we recently created a Privacy Working Group (PWG) to address the myriad of privacy issues facing the banking industry. This group will be in a position to review the many questions raised by the FTC, so that there may be a more complete response to the March 6 request at a future date. ABA is also compiling a compendium of privacy essays written by members of the private and public sector (including Commissioner Varney) that will address privacy and electronic commerce. This compilation from experts, we believe, will add tremendously to the debate on where the information age will present the most challenges for consumers, business and the government. We will provide the Commission a copy upon completion.1
COMPUTERIZED DATA BASES
The Commission seeks comments on 35 questions related to perceived sensitive consumer identifying information. In general, our Association wishes to stress the value of data bases that assist our industry in handling fraud. As we have discussed with the Commission on prior occasions, the financial industry has affirmative obligations to report possible violations of federal law such as credit card fraud, insider abuse and money laundering. In a fraud assessment study participated in by ABA, and released by Trans Union National Fraud Center in 1996, it was concluded that:
The vast majority of participants utilize databases related to fraud. The scope and type of databases vary widely within and across industries. One common denominator is a lack of standardization in which databases are used, and a lack of centralization. Overwhelmingly, the demand of participants was for a centralized fraud database with the ability to identify subjects, companies, fraud groups, fraud trends and span multiple industries.(1)
Under 12 CFR 21, national banks are required to report known or suspected criminal offenses, within specified thresholds, or transactions over $5,000 that they suspect involve money laundering or violate the Bank Secrecy Act. Similar regulations by other regulators apply to their financial institutions. In addition, financial institutions will soon be required to establish "Know Your Customer" (KYC) procedures. The Office of the Comptroller of the Currency (OCC) has already encouraged banks to have KYC policies in place prior to any mandate. Excerpts from the September 1996 OCC handbook on Bank Secrecy Act compliance emphasize the need to identify and verify account holders (see attached). Therefore, it is essential that institutions have all of the tools at their disposal to verify the identity of all account holders so that the bank fulfills the requirement to know their customer.
Among the many tools to verify identity are account screening software programs that determine if personal identifiers such as social security numbers (SSN) are valid. In addition, several businesses provide computer systems that link many different types of data and can be used to develop patterns, trends and potential for fraudulent activity. Other types of databases include those that take public information (bank fraud convictions) and make them available to potential employers. These systems, with accompanying written alerts, can help save the financial industry from tremendous losses due to fraud.(2) The cost of these systems and the total packages available vary from a flat fee for the service to a cost incurred only when there is a "hit" with the information request. Regardless of the type of service involved, our industry's mandate to protect against fraud necessitates continued availability of these systems. Obviously, individuals that are listed in these databases are not notified by the bank if they have committed a crime because of the regulations prohibiting such a disclosure (31 USC § 5318).
CONSUMER ONLINE PRIVACY
The second session covers issues related to online privacy. Some preliminary responses follow: financial institutions will deal with personally identifiable information collected online in confidence, just as they have treated sensitive information collected otherwise throughout the industry's history.
The collection of personally identifiable information for relationship and risk management purposes for use within a holding company is an uncontroversial practice. The disclosure of risk management related information to third parties is a sensitive issue, but also a necessary practice when pursued to protect the integrity of the payment and financial system. Similarly, authentication mechanisms involving personally identifiable information may have some controversial applications, but are widely viewed as entirely appropriate when consumers' assets and personal information are protected through the use of these technologies.
Generally the online collection of information and the use of aggregated information about consumers is functionally equivalent to traditional industry uses of customer and GEO/DEMO data.
The primary benefits of collection, compilation, and use of personal consumer information are that marketing efforts can be targeted to those most likely to be interested, thus reducing the waste associated with mass marketing. Personal information-rich databases also permit the partial customization of product offerings to consumers. These uses of information increase the richness and number of options available to consumers and increase competition by permitting niche competitors to enter the market.
Fraud risks associated with some of the information collected by some marketers, intermediaries, and information sellers are an issue of increasing concern to bankers. The risk of unauthorized transactions resulting from intentional or unintentional disclosure of credit/debit card or deposit account related information held by third parties (merchants) is borne primarily by the customer's financial institution, with limited risk borne by the customer. These risks are separate from identity and financial fraud risks associated with the availability of other personally identifiable information such as SSN, DOB, Mother's Maiden Name, etc.
Disclosure of transaction level payment information or financial transaction account identifying information (such as bank, bank card, account number, and PINs) by third parties for purposes other than transaction processing or valid risk management purposes (including authorization verification and credit reporting functions) creates intolerable risks to consumers and their respective financial institutions.
We would appreciate the opportunity to provide additional information at a later time.
If you have any additional questions, please do not hesitate to contact me at (202)663-5029.
1. Fraud Assessment and Impact Study, National Fraud Investigation Center Inc. & Trans Union, 1995-6, pg. 27. We have attached portions of the study for your information.
2. For example, in the 1994 ABA Check Fraud Survey we estimated that over $815 million were lost to that type of fraud.