Statement of
Julie L. Williams
Acting Comptroller of the Currency
before the
Committee on Banking and Financial Services
U.S. House of Representatives
July 28, 1998

Mr. Chairman, Ranking Member LaFalce and members of the Committee, I welcome this opportunity to appear before you today to testify on issues relating to the proper handling and safeguarding of customer financial information and the protection of consumer privacy. The OCC applauds your leadership in addressing growing concerns about how customer information is used -- and sometimes misused -- in the financial marketplace.

These concerns have been heightened by recent changes in the financial services industry, particularly the twin trends of mergers and advances in technology. As banks merge or combine with other financial firms, the amount and types of information they have available has grown significantly. And, companies now can gather, analyze, and disseminate this customer data more efficiently and use it to target customers with products and services tailored to meet customers' needs and preferences. This information can result in increased business opportunities for industry and improved products and services for consumers.

But surveys reveal a growing uneasiness on the part of consumers about what becomes of their personal information once it passes into the hands of the companies receiving it. With whom is that information shared and for what purpose? What safeguards do businesses have in place to prevent unauthorized individuals from obtaining personal information and using it improperly? Too often, consumers cannot satisfactorily answer these questions on the basis of the information available to them. What they do know, based on what they read and hear in the media, is that more and more well-meaning Americans each year fall victim to information fraud and identity theft, causing hardship and inconvenience.

Mr. Chairman, the convergence of the two great trends of financial services consolidation and the information revolution confronts us with new challenges that need to be addressed on several fronts. Meeting the public's legitimate demands for convenience, safety, and privacy in their financial dealings requires a constructive, concerted response from Congress, the regulatory agencies, and the financial services industry itself. Fortunately, action is going forward on all three fronts.

With respect to the OCC's activities, shortly after becoming Acting Comptroller, I convened a Privacy Working Group, which has already begun to look into three areas: the security of bank customer information; the adequacy of disclosure of their privacy policies; and bank implementation of the information-sharing provisions of the Fair Credit Reporting Act. Our activities in connection with these issues are described in detail in my written statement; however, this morning I will focus on the first issue area.

As you have recognized, Mr. Chairman, customer information security today poses a particular, new concern. Bank personnel are sometimes persuaded by unscrupulous and persistent third parties posing as customers to divulge confidential account information over the phone. This information is then either "brokered" to legal users or to others who use the information to set up fraudulent checking or credit card accounts.

Most banks have procedures in place that attempt to strike a balance that preserves the integrity of customer data without unduly inconveniencing legitimate customers. In the course of our supervisory activities, the OCC examines national banks to test security procedures for information systems.
But the problem we see today is different from what many bank information security systems are designed to address: the goal of unscrupulous information brokers is not to steal the money in the customer's account nor to corrupt a bank's information system, but rather to steal information about the customer's account for use by others.

Recently, we have been working with the other banking agencies, and the FBI, IRS, Secret Service, and FTC to develop guidance for the financial services industry that specifically addresses this problem of information-brokering using "pretext phone calling." But our efforts to tackle this problem have been hampered by the fact that, at present, there is no federal law that directly prohibits the procurement of customer account information from financial institutions under false pretenses.

That, Mr. Chairman, is why we strongly support the Financial Information Privacy Act of 1998. We welcome the opportunity to work with the Committee on this initiative, which will benefit consumers and promises to be of great assistance to regulators and financial institutions in their efforts to safeguard confidential customer information.

There are other areas that may warrant attention in the future. For example, at present, there is no requirement that companies adopt privacy policies or disclose to consumers what those policies might happen to be. Instead, we are -- for now -- looking to various industries to adopt meaningful self-regulatory policies -- policies that respond to consumers' privacy concerns, provide adequate disclosure about privacy policies, accord consumers meaningful control over the use of the information they furnish, include reasonable steps to protect the security and integrity of that information, and offer some compliance assurance mechanism. Although we have seen some promising developments in the banking industry in this area, time will tell whether industry efforts prove effective. If not, new steps will be needed.

Mr. Chairman, we commend you, Mr. LaFalce and the other members of the Committee for recognizing how important the issue of consumer privacy is to the evolution of the financial services industry in the next century. We look forward to working with the Committee to address this challenge. Thank you.