FROM THE OFFICE OF PUBLIC AFFAIRS

July 21, 1999
LS-19

TREASURY UNDER SECRETARY GARY GENSLER
TESTIMONY BEFORE THE HOUSE SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

Madam Chair, ranking Member Vento, and members of the Committee, I am pleased to have this opportunity to present the Administration's views on the protection of personal financial information. These issues are of great importance to the President and the entire Administration, and we look forward to working with Congress to provide American consumers the financial privacy protections that they deserve.

Privacy has been a cherished right to Americans since the founding of our nation. Originally, the idea was predominantly one of privacy from governmental interference: privacy in one's home and one's person. The citizenry's fear of governmental intrusions on privacy was rooted partly in American history -- our rejection of tyranny -- but also in practicality. Businesses had neither the means nor the incentive to invade one's privacy.

But over time, the notion of privacy has evolved. The right is no less cherished, but the threats to it are new. When, a century ago, Louis Brandeis famously enunciated privacy as a "right to be let alone," he was referring to privacy from the press.

Today many Americans increasingly feel their privacy threatened by those with whom they do business. In particular, financial institutions and others are able to consolidate information about spending and investing habits. Americans want the ability to earn, invest, and spend their money without having to expose their lives to those who process their transactions -- just as they would not expect a letter carrier to read their mail. Americans deserve that right and financial services firms wishing to maintain their trust would benefit by embracing it.

For much of our history, consumers were justifiably confident about their financial privacy. Most of their day-to-day transactions were conducted in cash. They obtained financial services from local firms. Records were kept on paper ledgers rather than in computers. A small town banker, a local securities broker, or an insurance agent knew the customer's financial circumstances and tolerance for risk, to best anticipate the customer's financial needs. Yet customers were confident that the banker, broker or insurance agent would not share that information. Doing so would have been considered a breach of personal trust. That confidence is understandably on the wane today.

The first cracks in that confidence began to appear in the late 1960s, as unprecedented amounts of credit information were collected in new, national databases. Congressional hearings revealed that many credit files contained inaccurate and damaging information, and that consumers often had no way to correct errors that could lead to a denial of credit, employment, or insurance.

The resulting Fair Credit Reporting Act was the first federal law directed at financial privacy. The Act limited the purposes for which credit report information could be distributed, and granted individuals access to their credit histories and the ability to correct errors. Amendments to the Act in 1996 recognized that customers should have notice and the ability to opt out of certain information transfers. Taken together, these were significant privacy protections for their times.

Much has changed, however, since the Fair Credit Reporting Act was passed in response to the mainframe computers of the 1960s. We are in the midst of three important and significant changes in the financial services sector: a technological revolution, industry consolidation, and a move away from cash towards electronic transactions.

First, today's ordinary desktop computer is significantly more powerful than the mainframe of 30 years ago. Vast amounts of information can be stored, sorted, manipulated, and analyzed at lower and lower costs. Advances in telecommunications allow for this information to be sent virtually anywhere on the globe in a fraction of a second. Financial services firms are collectively spending billions of dollars per year to further enhance their technologies.

A second key change is the growing integration and consolidation of financial services providers. Interstate banking and branching has allowed banks to grow larger than ever before, and the removal of regulatory restraints has allowed banking organizations to offer more insurance and securities services. Even those smaller banks that have avoided consolidation often broaden their services by contracting with other financial services providers. At the same time, insurance companies are offering products that compete with bank products, and investment banks are in the lending business.

These developments have brought considerable benefits to consumers, in the form of operating efficiencies, new products, and better prices for customers. The desire of large, integrated financial services firms to profit from their scale and cross-sell their products, however, has created a powerful incentive to treat consumer data as a business asset. Consolidation and technology also have allowed the relationship between financial institutions and their customers to become increasingly impersonal. Fewer customers walk into branches to deal with a personal banker, as more customers drive up to ATMs or log onto the Internet.

Third, there is an increasing use of electronic means of payments and receipts. Americans' increasing use of credit cards, debit cards and (more recently) electronic bill payment in lieu of cash now allows financial services companies to collect a far greater amount of information. Direct deposit now means that a bank knows not only what you spend, but also how much you earn, and from whom.

A generation ago, financial privacy meant keeping private your salary, your bank balances, and your net worth. Today, financial privacy means keeping secret your entire way of life. The typical credit report in 1970 would have shown only that a customer had received a total of, say, $5,000 of credit, and had repaid it on time. The credit card records of 1999, by contrast, can list each and every purchase ever made by that customer, sorted by date, location, and other details. Furthermore, if credit card companies work together with merchants, then the level of detail can become even more refined -- each dish ordered at a restaurant or each book title bought at a store.

Taken together, these three trends -- a technological revolution, industry consolidation, and the movement from a cash to electronic payment and receipt system -- are the means, motive, and opportunity for financial services firms to mine consumer information for profit. Our challenge, therefore, is to protect the privacy of consumers while preserving the benefits of competition and innovation.

On May 4, the President outlined the Administration's "Financial Privacy and Consumer Protection in the 21st Century" initiative. Protecting financial privacy led the list of key principles for consumer protection.

First, the President recommended enactment of legislation to provide consumers notice and choice before their financial information be shared or sold -- the right to say "no." Central to this policy is the idea that the self-portrait painted by one's financial information belongs to the consumer, not the financial institution that processes the transactions.

Second, the President stated that consumers should not have to worry that the results of their latest physical exam will be used to deny them a home mortgage or credit card. The President therefore recommended legislation that would impose special restrictions on sharing medical information within financial conglomerates and with third parties, consistent with the Administration's overall plan for protecting medical privacy. The President made clear in his State of the Union Address his intention to work with Congress to pass a strong, comprehensive medical record privacy bill this year. He has consistently encouraged legislation that would expand our authority to protect the privacy of medical information.

Third, the President called for giving back to regulators authority to monitor compliance with privacy protections. Under the Fair Credit Reporting Act, for example, banking regulators were in 1996 prohibited from examining banks for compliance with this statute, as they do for other consumer protection statutes. Surely there is no compelling reason for treating privacy less seriously than other statutory consumer protections.

When the President announced this agenda in May, some may have viewed his proposals as ambitious. Only two months later, however, the policy of notice and choice is gaining momentum. Leadership by the President and members of this Committee and of the House has sparked a debate on this issue that has educated policy makers and produced dramatic results. Most recently, the House of Representatives passed with overwhelming bipartisan support a bill providing notice and choice before personal financial information can be shared with third parties. The House provided the enforcement mechanisms sought by the President. It also generally prohibited the use of so-called "pretext calling" -- albeit with an unwarranted exception that would allow investigators to commit fraud in child support cases, while a subpoena would be the best approach.

Acceptance of the idea of notice and choice is an important step in protecting financial privacy. Consumer choice over third party sharing, however, should be the floor, not the ceiling. We should move forward to consider how consumers can exercise choice over sharing of transaction and experience information within financial conglomerates -- especially conglomerates which, under H.R. 10 and S. 900, would be able to engage not just in financial activities, but also activities incidental and complementary to such financial activities. We should prevent exceptions from swallowing the rule by prohibiting re-use of shared data beyond the purpose for which it was shared. We should further ensure that any new federal legislation add to -- as we believe H.R. 10 does, but should do so more clearly -- rather than preempt existing protections in federal and state law. And we should consider how to make any privacy protection regime workable, all the while keeping in mind the significant economic benefits that information sharing can bring to consumers.

With that in mind, I will address five basic issues that we believe the Congress ought to consider as it moves forward with financial privacy legislation: what information such legislation should cover; what notice is appropriate; what choice is appropriate; what exceptions may be appropriate; and how any privacy regime is to be administered.

Madam Chair, you also requested that I discuss various privacy issues relating to the privacy practices of state governments and the federal government, and of the Treasury Department itself. I am attaching as an appendix a discussion of those issues not addressed in my testimony.

Scope

The first issue is what financial information should be protected. Under the Fair Credit Reporting Act, there are currently no limits on sharing information about consumers' transactions and experience. Thus, financial institutions currently are able to treat what a person buys with checks and credit cards as information belonging to the institution, and are free to sell it.

The Administration believes that this transaction and experience data must be protected, regardless of the type of financial institution at which it is held. Checks written on a checking account should share the same protections as checks written on a money market account. H.R. 10 adopts this sound approach.

We must consider, though, a future where financial information may be consolidated -- and potentially mined -- at non-financial firms. Many of us already provide a list of our assets to Internet web sites, where daily performance can be monitored. Consumers might be surprised if a list of stocks held at an Internet brokerage site were protected as confidential, but a list of stocks entered at another type of web site could be freely sold without notice or consent.

Eventually, we may wish to look beyond financial privacy. Like financial institutions, booksellers and other retailers can build considerable databases and can sell them without customer knowledge or consent. Your on-line bookseller may not only know what books you read, but what books you considered buying, where you vacation, what music you listen to. The Administration continues to support efforts at self-regulation. Industry efforts over the past year have been impressive, but they still have a long way to go. We will want to continue scrutiny of these non-financial areas.

Notice

Notice is fundamental to privacy protection. The Administration believes that every financial institution should establish and disclose a privacy policy that encompasses information sharing with both affiliates and third parties. Disclosure of an institution's information practices is a precondition to consumers choosing how their information will be used, or choosing to do business elsewhere.

The Administration believes that a meaningful notice should be provided before a customer opens an account and at least annually thereafter. The contents of the notice should be sufficient to inform the customer of the uses that will be made of their information and to whom it will be transferred.

That said, the exact contents of a notice might be best left to a rulemaking process where public comment can be solicited.

Choice

The next issue is that of choice -- under what circumstances customers should be able to restrict the uses a company makes of their data. The Administration believes that consumers should have the choice to opt out of -- that is, say "no" to -- the use of their data by both third parties and affiliates.

Although the uses of affiliate sharing generally tend to relate more to the consumer's original expectations than third-party sharing, this will not always be the case. Under both pending financial modernization bills, affiliates of banks will be permitted to engage in any financial activity, any activity incidental to financial activities, and to some extent in any activity complementary to such activities. Unless the language is clarified, commercial companies held pursuant to merchant banking and joint ventures -- perhaps even telemarketers -- could be considered affiliates. I would also note that restricting only third party sharing would tend to confer a competitive advantage on large banks, which have many affiliations, as opposed to small banks, which tend to use third parties to service customers.

Congress has embraced notice and choice -- for both affiliates and third parties -- in the Fair Credit Reporting Act. The FCRA has given consumers the right to notice and the opportunity to opt out before a company shares certain credit information with an affiliate. Financial firms have proven the practicality of notice and choice through the implementation of the FCRA. Most recently, U.S. Bancorp, in response to a suit brought by the Minnesota Attorney General, has agreed to notice and opt out before transaction and experience data can be shared with affiliates for direct marketing purposes and with unaffiliated third parties for purposes of marketing financial products or services of the unaffiliated third party. The settlement prohibits sharing information with third parties for purposes of marketing non-financial products.

Nonetheless, some have contended that customers need not have choice over information sharing because they possess the ultimate choice: the ability to take their business elsewhere. We believe that the idea that customers will be able to "vote with their feet" on financial privacy is generally unrealistic. Changing one's bank or broker is not a simple matter. It requires a considerable investment of effort and time, as one checking account must be run off as another is created, as direct deposit orders must be reissued, as checks must be reprinted, as new codes must be memorized, as stocks must be transferred. It is a change that most of us make only when we are extremely dissatisfied with our current circumstances.

For that reason, the Administration believes that choice must be guaranteed by law. In most cases, we support the notice of "opt out" choice -- that the sharing may occur so long as the customer is given notice and the opportunity to object. In some cases, with particularly sensitive information such as medical information, an "opt in" may be appropriate. We also believe that these choices should not be circumvented by allowing a financial institution or an affiliate to do the marketing itself, on behalf of the third party.

Choice would allow consumers to make their own decisions as to the potential tradeoff between their financial privacy and the various marketing opportunities and other potential benefits of information sharing. This personal decision is most appropriately left to an individual.

Exceptions

While the Administration is firmly for choice, we also believe that there is a need for balance. There are some types of information sharing where customer choice may not be appropriate -- where allowing customers to opt out of information sharing is counterproductive or too costly. The most obvious case is sharing of information with appropriate law enforcement authorities. Another example is the sharing of information in order to facilitate the processing of individual transactions -- clearing checks, for example.

Other types of information sharing present difficult tradeoffs. In approaching any exceptions and the general policy of choice, we think three questions are appropriate:

First, what is the consumer's reasonable expectation of privacy? This in turn largely depends on the type and sensitivity of the information. Most people expect that their checks will be processed efficiently -- even if by third parties -- but not that anyone processing the data will be able to learn how they live their lives. They also do not expect that information to be sold without their consent.

Second, what is the purpose of the transfer? Does it directly benefit the consumer or mostly just the company? Is the company using the information to directly serve the customer, or is the company primarily using or sharing the customer's information for another purpose?

Third, what are the costs of allowing choice? Does it significantly (i) disrupt the functioning of the enterprise, (ii) raise costs to consumers, or (iii) disrupt markets? Any decision should be based on a balance of these factors. The Administration strongly believes that in most cases the balance counsels for choice, whether the sharing be with a third party or an affiliate. We also support strict limits on re-use of information shared pursuant to any exception, to the extent that such use exceeds the excepted use.

Perhaps the clearest case for choice is in the area of medical privacy. Although a company may have economic incentives to share medical information, no consumer expects that in consenting to a physical examination for an insurance policy, he or she is endangering an ability to obtain credit or employment. For that reason, the Administration favors strong restrictions on the ability of any company, including insurance companies, to share medical information. We strongly oppose, however, the medical privacy provisions of H.R. 10. These provisions contain significant exceptions that would, for example, allow re-use of medical information by companies with whom the information is shared, preempt state law, and allow an insurance company to ship information to other companies under the rubric of marketing research in circumstances that neither current practice nor future regulations would likely permit.

The provisions also would create uncertainty about the authority of the Department of Health and Human Services to establish stronger protections for customers of financial services companies. Notably, the provisions in H.R. 10 apply to "insurers," who are central to the functioning of the medical system. Such a broad scope would significantly undermine efforts to craft meaningful, comprehensive medical privacy legislation, and would erode existing protections. The Administration strongly urges that these provisions be stricken from the bill in conference.

The sale of marketing information to a third party -- or using such information on behalf of a third party -- also appears to be a clear case where no exception to notice and choice is appropriate. A consumer doing business with a financial institution would not expect the information generated through that relationship be sold for unrelated, especially non-financial, purposes. In such a case, the financial institution would be selling the information primarily for its own profit, not the customer's benefit. Due to advances in technology, maintenance of a "do not market" list has become more easily achievable.

In some cases, though, the case for an exception may be stronger. Financial services firms may wish to provide customers a consolidated account statement including accounts from different affiliates within the organization. Here, the case for an exception from "opt out" appears appropriate. Customers could reasonably expect to have their financial information presented to them in a comprehensive way; the consolidated statement is done for the convenience of the customer, who is able to correct any errors; and the cost of requiring separate mailings for each account could be considerable.

Other cases present more difficult tradeoffs. For example, with respect to risk management, one could conclude that a customer who has defaulted on one loan from a financial organization should not reasonably expect to be able to shield that information from an affiliate considering a second loan. Allowing the information to be shared protects the depository institution from loss, and should result in lower prices for creditworthy borrowers. The same also could be said of information on the timeliness of a customer's payments to the institution -- assuming that such an exception is implemented in a way that ensures that the customer receives notice that such information sharing is occurring and has access to and the ability to correct such information.

The idea that a sister bank could, however, deny a loan because a consumer's credit card reveals risk-taking behavior -- say, the recent purchase of a skate board or a sports car -- is far more troublesome. Thus, any information about where a consumer is spending money, or the purposes for which the consumer is obtaining credit, should remain subject to notice and opt out. How we live our lives, what we believe, the choices we make -- all of these very personal pieces of information should not be shared without our consent.

The Need for Regulatory Flexibility

Each of the issues we have just discussed is complicated, and the answers may well change as technology and business practices advance. The complexity and uncertainty of the task at hand suggest two further points.

First, we should allow many of the details to be worked out by the regulators that know the financial services industry best, after taking into account public comment. The agencies that examine financial services firms and follow industry trends should be responsible for writing and enforcing privacy rules applicable to the firms that they regulate.

Second, a transition period would be appropriate so that financial institutions can reprogram their systems to take account of customer choices.

Conclusion

Thank you for allowing me to appear today on an issue of such importance to the Administration. I welcome your questions.

Appendix to Testimony

The following discussion of privacy policy issues complements the written testimony. It addresses federal government privacy policies and federal government web site privacy policies.

Government privacy policies:

The Privacy Act of 1974 establishes a set of fair information practices for the federal government's handling of personal information in systems of records. These principles include: written consent as the baseline for disclosure of personal information; notice of the specific purposes for which that information will be used; and access by individuals to their records and the ability to correct mistakes in those records. The Privacy Act does contain some exceptions, such as for certain law enforcement uses.

The Administration has no current proposals to update the Privacy Act, or the Right to Financial Privacy Act, which protects customer records maintained by certain financial institutions from improper disclosure to officials or agencies of the federal government.

This year the President established the position of the Chief Counselor for Privacy at OMB, underscoring the Administration's commitment to examining where progress can be made to improve federal government privacy policies while achieving other important government goals.

The Chief Counselor will be engaged in a "privacy dialogue" with state and local governments, as Vice President Gore announced last July 31. This dialogue will include considering the appropriate balance between the privacy of personal information collected by governments, the right of individuals to access public records, First Amendment values, and Department of Motor Vehicle information.

With respect to the IRS, the agency launched a major effort in late 1997 to eliminate unauthorized access and inspection of taxpayer records. Because the law requires the Service to terminate employees who are found to have engaged in unauthorized access, IRS focused its planning on deterring, preventing and detecting privacy violations, and on administering penalties for unauthorized access. This effort included an extensive training and education program aimed at establishing a single basic principle for all employees: do not look at, access, scan or otherwise gather information from any return or return information that you have no official need to see. IRS is constantly evaluating the success of these efforts and considering additional strategies as it learns from its experience.

Privacy on federal government web sites:

All federal agencies have web sites and every federal web site must comply with the Privacy Act. Federal agencies' web site privacy policies are diverse and are tailored to the information practices of each site. The Office of Management and Budget has provided guidance to agencies for developing their web sites. Jacob Lew, Director, Office of Management and Budget, issued a memorandum to agencies directing them to post privacy policies no later than September 1, 1999. OMB has also issued guidance on good practices for agency web sites. As of July 15, 1999, all Cabinet departments have privacy policies clearly posted on their home pages.

Treasury's web site privacy policy is conspicuously displayed as part of the home page (www.treas.gov). The Main Treasury web site does not use "cookies" (that is, a file placed on a visitor's hard drive that allows the web site to monitor the individual's use of the site) to collect information about citizens' visits to the web site. Treasury Bureaus have been notified that Main Treasury's web site should be used as a model. The Financial Management Service uses temporary cookies to maintain a connection with the user to insure the user receives a response, for example to comments, but the cookie is immediately deleted when the user leaves the site.