October 9, 2001
BEFORE THE FEDERAL TRADE
RE: REQUEST FOR COMMENTS ON SECURITY OF INFORMATION UNDER THE GRAMM-LEACH-BLILEY ACT
FTC NOTICE: GRAMM-LEACH-BLILEY ACT PRIVACY SAFEGUARDS RULE, 16 CFR PART 314--COMMENTS (66 F.R. 41162, August 7, 2001)
COMMENTS OF THE DEBT BUYERS ASSOCIATION
I. A description of the Debt Buyers Association (DBA).
The DBA is a non-profit corporation comprised of a network of industry professionals dedicated to building a reliable and credible market for delinquent receivables. The Association was founded in March of 1997 and incorporated as a California non-profit corporation in March of 1999. The DBA has a membership of 200 firms. These members include collection
agencies, collection attorneys and investors, all of whom apply standard collection techniques in an effort to collect the purchased debt. These efforts are no different than those that are applied by contingency fee collection professionals.
Debt buyers may also resell all or portions of delinquent receivables portfolios to other debt buyers. The practices and characteristics of the resale market do not materially differ from the market for debt sold by the original creditor.
The sellers of delinquent debt include American Express, Bank of America, Chase Manhattan Bank, First USA, Fleet Bank, GE Capital, First Select and many other major credit grantors. This marketplace has, increasingly, been recognized by credit grantors as a valuable resource that permits them to realize a return on what would otherwise be non-performing assets. As a result, the debt buying marketplace has enjoyed remarkable growth in recent years.
It is estimated that there were five sellers of delinquent debt in 1992. By 1998, that number had grown to 225, and it is projected that there will be 300 major sellers of delinquent debt by 2005. The face value of all such debt sold in 1993 was $1.3 billion. By 1997, that number had grown to $15 billion and sales reached approximately $25 billion in 2000. The Debt Buyers Association estimates that the amount of debt to be sold in 2001 will exceed that in 2000.
The stability of this market is important both to the major credit grantors who have been provided with an alternative to traditional collection methods and to those who buy delinquent receivables. Additionally, Wall Street has recognized the viability of this market by creating additional sources of capital through securitized offerings. All of this activity indicates the vital and vibrant role played by the purchase and sale of delinquent debt portfolios in the consumer credit marketplace.
II. COMMENTS ON THE PROPOSAL
A. We Support the Flexible Security Program
The DBA applauds the Commission's decision to allow each financial institution to fashion a security program that meets that institution's actual needs and business practices.
B. The security requirements should apply only to "customer" information.
The Commission has asked for comments on whether the Act's intention to safeguard only "customer" rather than "consumer" information requires broader protection than the statute allows. We think not. In Part 313, the Commission has created a safe harbor disclosure for "financial institutions" that do not share financial information (other than the exempted transactions in sections 313.14 and 313.15). And it has also crafted similar safe harbor notice requirements for other situations. If the Commission now decides to go further than the statute intended, then the relatively simple and easily understood safe harbor language in Part 313 may become more complicated without really providing consumers with more useful information.
Indeed, the entire G-L-B notice system has been criticized as too complex. Customers are flooded with brochures from their financial providers. These envelopes or invoice stuffers are often quickly transferred from the incoming mail pile to the outgoing trash pile. Please do not make it more complicated by going beyond the requirement of the statute. Confusion will be enhanced rather than reduced.
C. Because many of DBA's members are debt collectors, the flexible security program allows compliance with other regulatory regimes.
We would also note that many members of the Debt Buyers Association are "debt collectors" under the Fair Debt Collection Practices Act. This Act prohibits "debt collectors" from providing information about debtors to third parties except as allowed by the FDCPA. Providing reasonable security and restricting access to a G-L-B customer's "non-public financial information" is part of a debt collector's FDCPA compliance. Further, many members of the DBA are licensed by state agencies which are concerned about privacy. Many states have enacted their own state FDCPA statutes and regulations and/or unfair practices laws and regulations which establish requirements and incentives to maintain the security of the "debt collector's" data about the debts. Thus, the flexible approach proposed by the Commission will enable these "financial institution/debt collectors" to fashion security procedures designed to accommodate multiple regulatory programs.
D. Our comments on security obligations to be imposed on service providers.
The Commission is considering requiring financial institutions who use service providers which might not be financial institutions under Part 313 and/or the G-L-B to require by contract the creation of a security program by the transferee and some level of supervision and oversight by the transferor. The DBA urges the Commission not to require such provisions or supervision obligations over a service provider which is (i) either a financial institution in its own right or (ii) is exempt from the notice and disclosure rules under Sections 313.13 and 313.14.
We believe there is no need for such a requirement. And the cost to comply is outweighed by the benefits which might be achieved.
The Commission has asked whether the transferees of information which is exempt from the notice and opt out rules of 16 CFR sections 313.14 and 313.15 should be required by contract coupled with supervision to adopt security procedures. The DBA urges that those exchanges of non-public customer information exempted from the notice and opt out provisions not be subject to a Commission security requirement.
We note that there is no suggestion that these exempted transactions have caused serious "leaks" of non-public financial information of customers. In other words, there may be no problem to address in practical terms. And, there will be costs involved to comply, and there has been no suggestion that the costs of compliance will provide sufficient additional benefits to consumers.
In the buying and selling of delinquent debt, the parties involved with the due diligence review of portfolios are, on an industry-wide basis, subject to agreements to prevent disclosure of confidential information which protects the businesses and the consumers at the same time.
The specific act buying and selling of delinquent debt does not require the parties involved in the transaction to provide initial and annual G-L-B notices. There are buyers and sellers and others involved in the due diligence used for purchases. Some of the "others" may be "service providers" providing ancillary services to a prospective buyer (running accounts through the Social Security Master Death Index or running debtors' names and social security numbers through proprietary data bases of persons who have filed for bankruptcy or other data bases to help evaluate a portfolio). These service providers and debt buyers/sellers are very concerned about the security of their data and protecting against its unauthorized disclosure. These entities do not need an additional layer of federally mandated contractual requirements and oversight. The DBA believes that the additional cost of compliance will not create additional benefits to the consumer.
Because the transfer of information from the owner of a delinquent debt to a debt collector in order to enforce the transaction is an exempted activity under Part 313.14(b), the DBA encourages the Commission not to impose contractual obligations on "financial institutions" using service providers for this exempted activity. Some DBA members may have 30 to 60 law firms and/or collection agencies under contract throughout the 50 states. Having to create contractual provisions that meet each service provider's size and method of doing business is unduly burdensome. The same applies for the supervision requirement that would be imposed.
Another reason for exempting this activity from the security requirement is that the service providers already are subject to regulatory security programs. Accounts may be assigned to collection agencies. Or accounts may be assigned to collection lawyers. Or both. Both collection agencies and collection lawyers are "debt collectors" under the Fair Debt Collection Practices Act and have obligations not to disclose information about debts to third parties. Collection agencies are frequently licensed by state agencies. Law firms are subject to canons of ethics and disciplinary rules.
Each of these entity groups is well aware of the need to protect debtor information from disclosure to third parties. Both of these entity groups are concerned about securing their office facilities and electronic systems and data from internal and external intrusions without the need for additional regulations and the associated cost of compliance.
The Commission has asked for comments about whether a "financial institution" sharing non-public customer information with another "financial institution" service provider should be obligated to impose by contract a requirement for the service provider to establish a security program and for the financial institution to provide some oversight of the recipient's security program for safeguarding customer information. Or should that transaction be exempted from the contract and oversight requirement? We believe the answer is: "Exemption from the contract and oversight requirement."
All financial institutions must adopt security procedures and manuals under the proposal. Those procedures need to be geared to the nature of the institution's business. The DBA believes this is enough of a mandate, and there is no requirement to impose additional obligations on the transmitting financial institution to be the "watch dog" over the recipient "financial institution" service provider. The transmitting institution may well impose security requirements in its contract or method of dealing with the recipient. But that should be a matter between businesses. The Commission should assume that all "financial institutions" will obey its regulations and have appropriate security systems in place.
Thus, we encourage the Commission to determine that persons exempt from the G-L-B disclosure requirements in 16 CFR sections 313.13 and 313.14 are not to be required to have contractual obligations to provide a security program when acting as a "service provider" to a "financial institution".
For substantially the same reasons, we urge that when a "financial institution" uses another "financial institution" as a service provider, no additional contractual security requirements or supervision be imposed.
Herbert A. Rosenthal