MASTERCARD INTERNATIONAL
May 28, 2004
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Public Information
Room
Office of the Comptroller of the Currency
250E Street, SW
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-09
Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314
Jennifer J. Johnson Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No, R.-1188
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2004-16
To Whom It May Concern:
MasterCard
International Incorporated ("MasterCard")1
submits this comment letter in response to the Proposed Rule ("Proposal")
issued by the Board of Governors of the Federal Reserve ("Board"),
the Office of the Comptroller of the Currency, the Federal Deposit
Insurance Corporation, the National Credit Union Administration,
and the Office of Thrift Supervision (collectively, "Agencies")
implementing Section 411 of the Fair and Accurate Credit Transactions
Act of 2003 ("FACT Act"). MasterCard appreciates the opportunity
to provide its comments on this important issue.
Background
Section 411(a)
of the FACT Act adds a new Section 604(g)(2) to the Fair Credit
Reporting
Act ("FCRA") to prohibit creditors
from obtaining or using medical information pertaining to a consumer
in connection with any determination of the consumer's eligibility,
or continued eligibility, for credit. The Agencies must prescribe
regulations that permit creditors to obtain or use medical information
for eligibility purposes where necessary and appropriate to protect
legitimate operational, transactional, risk, consumer, and other
needs, consistent with the congressional intent to restrict the use
of medical information for inappropriate purposes.
Section
411(b) of the FACT Act adds a new Section 603(d)(3) to the FCRA to
restrict
the
sharing of medical information and related lists
or descriptions with affiliates. In particular, Section 603(d)(3)
states that the statutory exclusions to the definition of a "consumer
report" provided in Section 603(d)(2) do not apply if medical
information or certain related lists is disclosed to an affiliate.
The effect of Section 603(d)(3) is that medical information that
otherwise meets the statutory definition of a "consumer report" may
not be shared among affiliates, unless certain exceptions apply,
including for disclosures in connection with the business of annuities
or disclosures for any purpose permitted without authorization under
certain regulations issued pursuant to the Health Insurance Portability
and Accountability Act of 1996. In Section 604(g)(3)(C) of the FCRA
Congress authorized the Agencies to provide additional exceptions
by regulation or order.
In General
The Proposal reflects careful consideration and thorough review
by the Agencies. The Agencies have addressed a complicated issue
and developed a Proposal that, for creditors within the stated scope
of the Proposal, generally preserves the ability to obtain and use
medical information for credit eligibility purposes where necessary
and appropriate to protect legitimate operational, transactional,
risk, consumer, and other needs, as intended by Congress. There are
a number of issues raised by the Proposal, however, that merit further
review. Perhaps most importantly, the Proposal creates uncertainty
regarding those entities that are not within the stated scope of
the Proposal. This issue as well as several others are addressed
below.
Purpose and Scope ( .1)
Each
of the Agencies has addressed the scope of its respective Proposal.
Generally speaking, each of the Agencies asserts that the scope
of its Proposal applies only to entities subject to that Agency's
jurisdiction (including certain affiliated entities in some circumstances).
For example, the Proposal would apply to a variety of creditors
that are banks or federally chartered credit unions. The Proposal
would not, however, appear to apply to a wide variety of finance
companies or other creditors, such as auto dealers, loan brokers,
or other arrangers of credit. We do not believe this was the congressional
intent and we urge the Agencies to broaden the scope of the final
rule ("Final Rule") to encompass all creditors.
Section
603(g)(2) generally states that, "[e]xcept as permitted
pursuant to...regulations prescribed under paragraph (5)(A), a creditor
shall not obtain or use medical information...pertaining to a consumer
in connection with any determination of the consumer's eligibility,
or continued eligibility, for credit." In paragraph (5)(A) of
Section 603(g), Congress then provided that "[e]ach Federal
banking agency and the National Credit Union Administration shall...prescribe
regulations that permit transactions under [Section 603(g)(2)] that
are determined to be necessary and appropriate to protect legitimate
operational, transactional, risk, consumer and other needs...consistent
with the intent...to restrict the use of medical information for
inappropriate purposes." Based on this provision, each of the
Agencies has set forth a Proposal that applies only to certain creditors.
This appears to create the possibility that creditors that are not
within the Agencies' stated scope will not be permitted to rely on
the Final Rule adopted by the Agencies. This will essentially eliminate
the ability of such creditors to underwrite loans without fear of
violating the FCRA and subjecting themselves to private rights of
action, including class action.2 We do not believe
that Congress intended such a result. In this regard, the plain language
of Section
603(g)(5)(A)
states that the Agencies "shall prescribe regulations that permit
transactions" in those circumstances where the transactions "are
determined to be necessary and appropriate to protect legitimate...needs...." This
language appears to direct the Agencies to adopt regulations permitting
transactions in those circumstances where the "necessary and
appropriate" standard has been met. This language, on its face,
is not limited in any way with respect to the types of entities covered
by the regulations. As a result, the regulatory directive to the
Agencies appears to authorize, and perhaps even require, the Agencies
to promulgate a rule covering any transaction where the "necessary
and appropriate" standard is met regardless of the types of
entities involved in those transactions.
We
also note that the specific drafting of other provisions of the FACT
Act
and the FCRA
strongly suggests that Congress did not intend
to exclude any subset of entities from the scope of the Agencies'
rules. In this regard, the language used to grant rulemaking authority
to the Agencies in Section 603(g)(2) stands in stark contrast to
rulemaking authority granted to federal agencies in other portions
of the FACT Act and the FCRA where the scope of those rulemakings
clearly was intended to be limited along jurisdictional lines. For
example, in Section 604(g)(3)(C), Congress granted rulemaking authority
to the Agencies and the Federal Trade Commission ("FTC")
but made it clear that such authority was granted only "with
respect to
any financial institution subject to the jurisdiction of such
agency." In Section 214(b) of the FACT Act, Congress granted
rulemaking authority to the Agencies and the FTC with respect to
the new affiliate marketing provisions, but limited the applicability "to
entities that are subject to their respective enforcement authority
under Section 621" of the FCRA. Indeed, Section 621(e) of
the FCRA grants broad rulemaking authority to the Agencies, but
limits the scope of the rules to certain persons subject to the
Agencies' jurisdiction.
In contrast,
we also note that the approach taken in Section 603(g)(2) and (5)(A)
appears
to be quite similar to the approach Congress traditionally
has taken when granting rulemaking authority in federal statutes
regulating consumer credit and other consumer financial services.
For example, in the Truth in Lending Act, the Electronic Fund Transfer
Act, and the Equal Credit Opportunity Act (collectively, the "Acts"),
Congress granted rulemaking authority to a single federal agency—the
Board—and the regulations promulgated by the Board apply to
all of the entities covered by the Acts, regardless of whether those
entities are subject to the Board's jurisdiction. Each of the Acts
then divides enforcement authority among several federal agencies
based on their respective, limited jurisdictions. Thus, the approach
taken in the Acts is to grant rulemaking authority to a particular
agency, have that rulemaking authority apply with respect to all
entities covered by each Act, and then limit enforcement authority
based on the respective jurisdictions of each of the agencies assigned
to enforce the statute. This appears to be essentially the same approach
used by Congress in enacting Section 603(g)(2). In this regard, Section
603(g)(2) grants rulemaking authority to the Agencies and existing
Section 621 of the FCRA divides enforcement responsibility among
the Agencies, the FTC, and others in much the same way as accomplished
under the Acts. The only difference between the approach taken in
Section 603(g)(2) and the more traditional approach taken in the
Acts is that Section 603(g)(2) assigns rulemaking responsibility
to multiple Agencies while the Acts assign rulemaking authority to
a single agency. There is no indication, however, that this difference
is intended to override the plain language directive to "permit
transactions" where those transactions are "determined
to be necessary and appropriate to protect legitimate...."
Just as importantly, we are unaware of any public policy goal that
is served by not applying the Final Rule to creditors that are not
within the jurisdiction of the Agencies. To the contrary, we believe
public policy generally, and consumers specifically, are ill served
if certain types of creditors are not permitted to use or obtain
medical information as a result of the narrow scope of the Final
Rule. Therefore, we urge the Agencies to broaden the scope of the
Final Rule to apply to all creditors. Should this occur, enforcement
against creditors outside the jurisdiction of the Agencies would
be handled as provided in the relevant provisions of the FCRA.
Examples
(§__.2)
The Proposal provides examples of certain compliant and noncompliant
activities. MasterCard believes that the use of examples provides
financial institutions with meaningful guidance on how to comply
with the Final Rule's requirements. Therefore, we urge the Agencies
to include relevant examples of permitted and prohibited uses of
medical information in the Final Rule.
Section §__.2
of the Proposal states that the examples are not exclusive, and that
compliance with an example, to the extent applicable,
constitutes compliance with the Proposal. We urge the Agencies to
retain this provision in the Final Rule. The examples provided by
the Agencies should serve as a safe harbor to financial institutions
seeking to comply with the Final Rule. Indeed, it would be inappropriate
to find an institution in violation of the Final Rule if the institution
were simply adhering to the Agencies' examples of permitted activities.
Definitions
(§__.3)
The Proposal establishes several definitions which appear to have
a general applicability, not only to the Final Rule, but also to
other provisions of the FCRA. It is important that any such definition
be reviewed and analyzed to ensure that it is appropriate not only
in the context of the Proposal, but other applicable provisions of
the FCRA as well.
Affiliate/Control
The Proposal
defines the term "affiliate" as "any
company that controls, is controlled by, or is under common control
with another company." The proposed definition is identical
to the definition of "affiliate" in the regulations implementing
Title V, Subtitle A of the Gramm-Leach-Bliley Act ("GLBA"). "Control" is
defined to mean: (i) direct or indirect ownership, control, or power
to vote 25 percent or more of the outstanding shares of any class
of voting security; (ii) control over the election of a majority
of the directors, trustees, or general partners; or (iii) the power
to exercise, directly or indirectly, a controlling influence over
the management or policies of the company. MasterCard believes these
definitions are appropriate and should be retained in the Final Rule.
Medical Information
The Proposal
provides a definition of "medical information" that
is consistent with the statutory language provided in Section 411
of the FACT Act and should be included in the Final Rule. We request,
however, that the Final Rule also clarify that information coded
in a manner consistent with Section 604(g)(1)(C) of the FCRA is not "medical
information" for purposes of the Final Rule. In this regard,
Congress provided specific consumer protections with respect to coded
tradeline data in consumer reports that may relate to a "medical
information furnisher." Such information does not meet the definition
of "medical information" included in the FCRA or in the
Proposal. Specifically, the coded information provides no insight
as to the consumer's physical, mental, or behavioral health or condition,
and therefore falls within a specific exception to the definition
of "medical information." Furthermore, in light of the
protections provided by Congress with respect to the coding of certain
information, we do not believe that any additional meaningful consumer
protections would be provided if such information were deemed to
be "medical information."
MasterCard also
believes it would be appropriate for the Agencies to provide clarification
that "medical information" must "relate
to" or "pertain to" a specific consumer. For example,
a database of information relating to the repayment behavior of thousands
of consumers, none of whom is personally identifiable, should not
be deemed to be "medical information." If such
information
were "medical information," creditors may have
difficulty in utilizing such data even for basic analytical purposes
that have no bearing or impact on any individual. We do not believe
this was the intent of Congress or the Agencies, and we urge the
Agencies to provide a clarification on this issue.
General
Prohibition on Obtaining or Using Medical Information (§__.30(a))
The Proposal
states that a "creditor may not obtain or use
medical information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit except as provided in" the Proposal.3 This language
tracks the statutory language in Section 604(g)(2) of the FCRA. We
commend the Agencies for using their discretionary authority to recognize
that there are circumstances where it is appropriate to obtain and/or
use medical information in connection with a determination of a consumer's
eligibility, or continued eligibility, for credit. We strongly urge
the Agencies to retain this approach in the Final Rule.
Eligibility, or Continued Eligibility, For Credit
The Proposal
provides for definitions of certain terms which apply only in the
Proposal.
One such term is "eligibility, or continued
eligibility, for credit," which is defined as applying to credit "offered,
primarily for personal, family, or household purposes." This
is consistent with longstanding interpretations of the FCRA4 and
should be retained in the Final Rule.
The Agencies
correctly note in the Supplementary Information that "[n]othing
in the statute prohibits a creditor from obtaining medical information
if the information is not obtained in connection with a determination
of the consumer's eligibility, or continued eligibility, for credit." MasterCard
agrees, and requests that the Agencies include similar language in
the Supplementary Information to the Final Rule. In light of the
exclusion from coverage by the statute (and therefore by the Final
Rule), the Agencies included in the Proposal activities that are
not included in the term "eligibility, or continued eligibility,
for credit." Specifically, the term does not include: (i) the
consumer's qualification or fitness to be offered employment, insurance
products, or other non-credit products or services; (ii) any determination
of whether the provisions of a debt cancellation contract, debt suspension
agreement, credit insurance product, or similar forbearance practice
or programs are triggered; (iii) authorizing, processing, or documenting
a payment or transaction on behalf of the consumer in a manner that
does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit; or (iv) maintaining or servicing
the consumer's account in a manner that does not involve a determination
of the consumer's eligibility, or continued eligibility, for credit.
MasterCard appreciates the Agencies' clarification with respect to
certain items that are not related to credit eligibility. However,
MasterCard urges the Agencies to note that these exclusions are non-exclusive
examples of items that are not deemed to be "eligibility, or
continued eligibility, for
credit." We
also urge the Agencies to clarify that a creditor's determination
of a consumer's legal competency is not related to
eligibility for credit, but that it pertains to a determination of
the consumer's legal capacity.
MasterCard also
notes that the example with respect to debt cancellation contracts,
debt
suspension agreements, credit insurance products,
or similar forbearance practices or programs should be expanded beyond
what is provided in the Proposal. Specifically, the Proposal excludes
these items from the definition of "eligibility, or continued
eligibility, for credit" only with respect to whether such practices
or programs are "triggered." We believe that the more appropriate
approach would be to recognize that all issues related to debt cancellation
contracts and similar programs are not part of the consumer's "eligibility,
or continued eligibility, for credit." Indeed, not only are
such programs not related to a consumer's eligibility for credit,
but the Office of the Comptroller of the Currency has prohibited
a national bank from extending credit or altering the terms or conditions
of an extension of credit conditioned on the customer entering into
a debt cancellation contract or debt suspension agreement with the
bank.5 Therefore, MasterCard believes that issues related
to debt cancellation contracts and similar agreements or practices
fall outside
the scope of the prohibition on obtaining or using medical information.
Rule
of Construction: Unsolicited Medical Information (§__.30(b))
The Proposal acknowledges that creditors, in many instances, cannot
control the information they obtain with respect to a determination
of a consumer's eligibility for credit. For example, a consumer may
volunteer on an application, or in conversation with a loan officer,
that he or she has recently been ill.
We commend the Agencies for recognizing that creditors may receive
medical information on an unsolicited basis. In particular, the Proposal
states that a creditor does not obtain medical information for purposes
of the general prohibition on obtaining or using medical information
if the creditor: (i) receives medical information pertaining to a
consumer in connection with any determination of the consumer's eligibility,
or continued eligibility, for credit without specifically requesting
medical information; and (ii) does not use that information in determining
whether to extend or continue to extend credit to the consumer and
the terms on which credit is offered or continued. We believe the
Agencies should retain this provision in the Final Rule, with one
modification. In this regard, we believe consumers would benefit
if a creditor were permitted to use unsolicited medical information
in a manner no less favorable than it would use comparable information
that is not medical information. For example, this exception could
be useful in granting a consumer's emergency request that may involve
medical information.
Financial
Information Exception for Obtaining and Using Medical Information
(§__.30(c))
In addition to
receiving medical information on an unsolicited basis, creditors
may receive information that reflects on the consumer's
credit history or ability to repay a loan, but that is also medical
information. For example, a creditor may learn that a consumer owes
a debt
to a hospital. The creditor may need to use the fact that the consumer
owes a debt without regard to whether it is to a hospital or another
type of creditor.
The Proposal
addresses this type of situation. In particular, a creditor may
obtain and
use medical information pertaining to a consumer
in connection with any determination of the consumer's eligibility,
or continued eligibility, for credit so long as: (i) the information
relates to debts, expenses, income, benefits, collateral, or the
purpose of the loan; (ii) the creditor uses the medical information
in a manner and to an extent "that is no less favorable" than
it would use comparable information that is not medical information;
and (iii) the creditor does not take the consumer's physical, mental,
or behavioral health, condition or history, type of treatment, or
prognosis into account as part of any such determination.
We believe the
Agencies have taken the correct approach with respect to how creditors
may
use medical information in certain circumstances,
and urge that it be retained in the Final Rule. However, we believe
that the Agencies may be restricting the scope of the exception unnecessarily.
In particular, the Agencies limit the applicability of the exception
to those circumstances where the information relates to debts, expenses,
income, benefits, collateral, or the purpose of the loan. As a result,
the exception would not appear to apply if the information related
to other factors routinely used in credit underwriting, such as the
debtor's assets. In order to address this issue, we urge that the
exception included in the Final Rule be expanded to include information
that relates to "any other factor regularly used in credit eligibility
determinations." This would ensure that the exception covers
the full range of appropriate uses while also ensuring that consumers
are adequately protected. In particular, it is important to note
that the exception would only apply to the extent the creditor uses
the information in a manner and to an extent "that is no less
favorable" than it would use comparable non-medical information.
If the Agencies
determine that coded information reported by consumer reporting
agencies
should not be excluded from the definition of "medical
information," then the Agencies should clarify that coded information
about a medical debt received by a creditor from a consumer reporting
agency would be subject to the exceptions provided in Section .30(c).
Under this approach, the information would be "medical" but
the creditor should be permitted to take into account that the consumer
owes the debt so long as the creditor provides it no less favorable
treatment than other debts and the creditor does not take the consumer's
health, condition, history, treatment, or prognosis into account.
Specific
Exceptions for Obtaining, and Using Medical Information (§__.30(d))
There will be instances in which a creditor must obtain and use
medical information pertaining to a consumer in connection with a
determination of that consumer's eligibility for credit. For example,
if the creditor is financing a medical procedure, the creditor may
legitimately need information with respect to the procedure in order
to underwrite the loan. We applaud the Agencies for recognizing that
there are legitimate circumstances in which creditors must be permitted
to obtain and use medical information. These circumstances include
when the creditor is financing medical products or services, to prevent
and detect fraud, and if the consumer (or the consumer's legal representative)
requests in writing, on a separate form signed
by the
consumer (or the consumer's legal representative) that the creditor
use specific medical information for a specific purpose.
We believe the Agencies should retain this provision in the Final
Rule. If the Agencies do not exclude a determination of a consumer's
legal competency from the definition of "eligibility, or continued
eligibility, for credit," then we urge the Agencies to provide
an additional exception to allow a creditor to use medical information
for this purpose.
We urge, however,
that the Agencies consider a modification to the Supplementary
Information
regarding consumer consent. In particular,
the Supplementary Information states that the consent exception "is
designed to accommodate the particular medical condition or circumstances
of the individual consumer and is not intended to allow creditors
to obtain consent on a routine basis or as a part of loan applications
or documentation. This exception would not be met by a form that
contains a preprinted description of various types of medical information
and the uses to which it might be put." We do not believe this
interpretation is necessary and it may interfere with acceptable
practices. For example, a creditor that finances vision correction
procedures may wish to use pre-printed application forms, including
forms for obtaining consent. This type of practice appears to be
within the scope of those activities intended to be permitted by
the Agencies. The Supplementary Information, however, clouds the
issue. We therefore respectfully request the Agencies to delete this
statement from the Supplementary Information that is included with
the Final Rule or rewrite it to more precisely describe the practices
the Agencies intend to prohibit.
Limits
on Redisclosure of Information (§__.30(e))
The Proposal would restrict a person's ability to disclose to any
other person medical information it receives from a consumer reporting
agency or from the person's affiliate, except as necessary to carry
out the purpose for which the information was initially disclosed,
or as otherwise permitted by statute, regulation, or order. We urge
the Agencies to consider allowing a person to redisclose medical
information it receives in additional limited circumstances. For
example, a person should be able to redisclose medical information
it receives from a consumer reporting agency or an affiliate for
any purpose described in section 502(e) of the GLBA, such as for
fraud prevention or to a federal regulator, even if fraud prevention
or regulatory compliance were not among the specific reasons the
person obtained the medical information.
Sharing
Medical Information with Affiliates (§__.31)
Section 603(d)
of the FCRA sets forth the definition of a "consumer
report" and Section 603(d)(2) provides specific exceptions to
that definition. Under Section 603(d)(2), information that would
otherwise meet the definition of a consumer report is excluded from
the definition if such information is: (i) transaction and experience
information; (ii) a communication of transaction
and experience information among affiliates; or (iii) a communication
of other
information among affiliates if the consumer
is provided a notice and an opportunity to opt out. The FACT Act
amended the definition of "consumer report" by adding paragraph
603(d)(3) to provide that the exclusions from the definition of "consumer
report" do not apply with respect to information disclosed to
any affiliate if the information is: (i) medical information; (ii)
an individualized list or description based on the payment transactions
of the consumer for medical products or services; or (iii) an aggregate
list of identified consumers based on payment
transactions for medical products or services. Section 603(d)(3)
does not apply to disclosures: (i) in connection with the business
of annuities; (ii) for any purpose permitted without authorization
under certain regulations under the Health Insurance Portability
and Accountability Act; and (iii) as otherwise determined to be
necessary and appropriate by the FTC and the Agencies with respect to any financial institution subject to the jurisdiction
of such agencies, or applicable state insurance authority with respect
to persons engaged in providing insurance or annuities. In the Proposal,
the Agencies make it clear that Section 603(d)(3) also does not apply
to disclosures that are made for any purpose described in Section
502(e) of the GLBA, or in connection with a determination of a consumer's
eligibility, or continued eligibility, for credit consistent with
the Proposal. We believe these exclusions are appropriate and we
urge the Agencies to retain them in the Final Rule.
Once again, we
appreciate the opportunity to comment on the Proposal and we commend
the Agencies
for their thorough and thoughtful treatment
of this issue. If you have any questions concerning our comments,
or if we may otherwise be of assistance in connection with this issue,
please do not hesitate to call me, at the number indicated above,
or Michael F. McEneney at Sidley Austin Brown & Wood LLP, at
(202) 736-8368, our counsel in connection with this matter.
Sincerely,
Jodi Golinsky
Vice President and Senior Regulatory Counsel
_______________________
1 MasterCard is a SEC-registered private share corporation
that licenses financial institutions to use the MasterCard service marks in connection
with a variety
of payments systems.
2 For example, litigants could allege that a creditor that falls
outside the Agencies' scope violates the FCRA when it: (i) receives
medical information on an unsolicited basis; (ii) relies on scoring
models that take payment history, including payment history to hospitals
and similar creditors, into account; (iii) uses medical information
to comply with law.
3 These comments will use the term "creditor" to also mean "bank" as
provided in the Proposal issued by the Office of the Comptroller of the Currency.
4 See,
e.g., ¶ 3
F.R.R.S. 6-1630 ("[A] business transaction...is generally
beyond the scope of the [FCRA]."), and Statement of General
Policy or Interpretation; Commentary on the Fair Credit Reporting
Act, 55 Federal Register 18,804 at 18,810 and 18,811 (1990).
5 See 12 C.F.R. § 37.3(a).
|