FINANCIAL SERVICES ROUNDTABLE

July 23, 2004

Office of the Comptroller of the Currency
250 E Street, S.W., Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Attention: Docket No. R-1199

Robert E. Feldman, Executive Secretary
Attention: Comments
FDIC
550 17th Street, N.W.
Washington, D.C. 20429
RIN No. 3064-AC77

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26

Re: Proper Disposal of Consumer Report Information under the Fair and Accurate Credit Transactions Act of 2003 (69 FR 31913 (June 8, 2004))

Dear Sir or Madam:
The Financial Services Roundtable[1] (the Roundtable)
appreciates the opportunity to provide comments to the Board of
Governors of the Federal Reserve System, the Office of the Comptroller
of the Currency, the Federal Deposit Insurance Corporation, and the
Office of Thrift Supervision (collectively, the Agencies) on the
proposed rule relating to the proper disposal of consumer reporting
information under the Fair and Accurate Credit Transactions Act of
2003 (FACTA).
I. Background
Section 216 of FACTA requires the Federal Trade Commission (FTC),
the National Credit Union Administration (NCUA), the Securities and
Exchange Commission (SEC) and the Agencies to adopt comparable and
consistent rules in relation to the disposal of sensitive consumer
report information and records in order to prevent unauthorized
disclosure of this information and to reduce the risk of consumer
fraud.
This rule amends guidelines on information security previously
implemented in Section 501(b) of Gramm-Leach-Bliley (GLBA). The
Agencies have proposed expanding the scope of the GLBA information
security program requirements to include coverage of a broader set of
information derived directly or indirectly through consumer reports,
regardless of whether the individual is a consumer or customer.
The Agencies' proposed rule would require institutions to
incorporate the disposal of consumer report information into their
information security programs. The rule applies to any person who
maintains or possesses consumer information, which is defined as any
record about an individual, whether in paper or electronic form, that
is a consumer report or is derived from a consumer report. Generally
speaking, possessors of consumer information must take reasonable
measures to protect against unauthorized access or use of the
information.
Roundtable member companies are committed to protecting the
confidentiality of consumers' financial information. The Roundtable
supports the proposed rule to the extent it gives institutions
flexibility to adopt programs to handle and properly dispose of
consumer information; however, we offer the following recommendations
on how the proposed rule may be improved.
II. The Definition of Consumer Information
The proposed rule would define "consumer information" as "any
record about an individual, whether in paper, electronic, or other
form, that is a consumer report or is derived from a consumer report
and that is maintained or otherwise possessed by or on behalf of
[financial institutions] for a business purpose." In the Supplementary
Information, the agencies explain that the term consumer information
would cover all of the information about a consumer that is taken
from a consumer report, including information that results in whole or
in part from manipulation of information from a consumer report or
information from a consumer report that has been combined with other
types of information.[2] The Supplementary Information also
provides several illustrative examples of consumer information that
include information an institution obtains about an individual who
guarantees a loan for a business entity and in connection with a
loan to the individual's sole proprietorship.
The Roundtable is concerned that the proposed definition of
consumer information may include business information not covered by
the FCRA. Such a broad definition could expose institutions to legal
risks when handling consumer reports relating to business
transactions. The definition of a consumer report in the statute is
limited to information to be used in consideration of the
establishment of eligibility for credit or insurance to be used
primarily for personal, family, or household purposes. The Roundtable
recommends that the Agencies remove references to business-related
transactions to be consistent with this definition and with the
definition of consumer under GLBA privacy regulations.
The Roundtable also is concerned that the proposed definition of
"consumer information" does not provide guidance as to the coverage of
information that does not identify a particular consumer. Although the
Supplementary Information states that information derived from a
consumer report that does not identify any particular consumer is not
subject to the disposal rule, we believe that this exclusion should be
explicitly stated in the rule itself in order to eliminate any
uncertainty as to whether such information must be monitored by
consumer report users for disposal purposes. We strongly recommend an
express statement in the final rule indicating that information not
identifying a particular consumer does not qualify as "consumer
information". This would promote clarity and eliminate any ambiguity
surrounding the phrase "any record about an individual." We believe
that information that does not identify a particular consumer poses
little or no risk of consumer fraud or identity theft.
Similarly, under this proposed definition, it appears that
non-sensitive information such as names and addresses of consumers
derived from consumer reports could be considered consumer
information. We do not believe this broad scope was intended; we
believe it goes beyond previous interpretations of FCRA which exclude
from the definition of consumer report contact information (e.g.,
name, address, phone numbers, etc.) with no further classification of
the consumers. We believe that the proposed rule should be modified to
explicitly state that "consumer information" includes information
related to an individual's specific financial characteristics (e.g.,
eligibility for credit, bank account numbers, employment history,
insurance) or personal characteristics (e.g., driver's license
information, social security number), and not general public record
information such as names and addresses. We believe that the only
information that needs protection is that which would be harmful to
the consumer if it fell into the wrong hands.
III. Proper Disposal of Consumer Information
The proposed rule requires any person who maintains consumer
information for a business purpose to dispose of such information
properly by taking appropriate measures to protect against
unauthorized access to or use of the information in connection with
its disposal.
The Roundtable supports the flexible standard allowing institutions
to create programs based on their business models and the sensitivity
of the consumer information in their possession. We also support the
determination that "consumer information" should be disposed of in a
manner consistent with the disposal of "customer information". This
allows financial institutions to apply consistent disposal procedures
and, therefore, a consistent level of protection for all consumer
information nationwide.
IV. Effective Date Should Be Extended
The proposed rule indicates that the final rule will become
effective ninety days after it is published in the Federal Register.
Institutions are allowed an additional nine months (one year after
final issuance) to incorporate consumer information disposal
requirements into service provider agreements.
We believe that ninety days is an insufficient amount of time to
implement a compliant disposal program. Many financial institutions
will have to adopt appropriate policies and procedures and assign
personnel to oversee compliance. In addition, the one-year effective
date to address service provider agreement issues would be difficult
to comply with as institutions would have to amend and re-negotiate
agreements.
The Roundtable recommends that the Agencies use an implementation
schedule similar to the GLBA information security program requirements
that this proposal would amend. The GLBA information security program
final rule provided institutions with effectively a six-month
implementation period and a two-year grandfathering provision for
service provider agreements to allow institutions ample time to amend
existing contracts and allow contracts to expire.
V. Conclusion
The Roundtable supports the Agencies' efforts to protect consumer
information, and recommends some improvements. We support the
flexibility given to financial institutions under the proposal, which
allows them to create programs that safeguard consumer
information. We recommend that the Agencies reexamine the definition
of consumer information to ensure that the disposal requirements
only apply to sensitive consumer information and do not include
handling consumer reports relating to business-related transactions.
In addition, we respectfully request that the Agencies extend the
effective date to 180 days so as to allow institutions adequate time
to establish policies and procedures that comply with the final rule.
If you have any further questions or comments on this matter,
please do not hesitate to contact me or John Beccia at (202) 289-4322.
Sincerely,
Richard M. Whiting
Executive Director and General Counsel
Financial Services Roundtable
1001 Pennsylvania Avenue, NW, Suite 500
Washington, DC 20004
[1] The Financial Services Roundtable represents 100 of
the largest integrated financial services companies providing banking,
insurance, and investment products and services to the American
consumer. Roundtable member companies provide fuel for America's
economic engine accounting directly for $18.3 trillion in managed
assets, $678 billion in revenue, and 2.1 million jobs.
[2] 69 Fed. Reg. 31915 (June 8, 2004)