MASTERCARD INTERNATIONAL May 28, 2004
Robert E. Feldman Executive Secretary Federal Deposit Insurance Corporation 550 17th Street, NW Washington, DC 20429
Public Information Room Office of the Comptroller of the Currency 250E Street, SW Mail Stop 1-5 Washington, DC 20219 Attention: Docket No. 04-09 Becky Baker Secretary of the Board National Credit Union Administration 1775 Duke Street Alexandria, VA 22314
Jennifer J. Johnson Secretary Board of Governors of the Federal Reserve System 20th Street and Constitution Avenue, NW Washington, DC 20551 Attention: Docket No, R.-1188 Regulation Comments Chief Counsel's Office Office of Thrift Supervision 1700 G Street, NW Washington, DC 20552 Attention: Docket No. 2004-16 To Whom It May Concern:
MasterCard International Incorporated ("MasterCard")1 submits this comment letter in response to the Proposed Rule ("Proposal") issued by the Board of Governors of the Federal Reserve ("Board"), the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of Thrift Supervision (collectively, "Agencies") implementing Section 411 of the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). MasterCard appreciates the opportunity to provide its comments on this important issue. Background
Section 411(a) of the FACT Act adds a new Section 604(g)(2) to the Fair Credit Reporting Act ("FCRA") to prohibit creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit. The Agencies must prescribe regulations that permit creditors to obtain or use medical information for eligibility purposes where necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs, consistent with the congressional intent to restrict the use of medical information for inappropriate purposes.
Section 411(b) of the FACT Act adds a new Section 603(d)(3) to the FCRA to restrict the sharing of medical information and related lists or descriptions with affiliates. In particular, Section 603(d)(3) states that the statutory exclusions to the definition of a "consumer report" provided in Section 603(d)(2) do not apply if medical information or certain related lists is disclosed to an affiliate. The effect of Section 603(d)(3) is that medical information that otherwise meets the statutory definition of a "consumer report" may not be shared among affiliates, unless certain exceptions apply, including for disclosures in connection with the business of annuities or disclosures for any purpose permitted without authorization under certain regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996. In Section 604(g)(3)(C) of the FCRA Congress authorized the Agencies to provide additional exceptions by regulation or order.
In General
The Proposal reflects careful consideration and thorough review by the Agencies. The Agencies have addressed a complicated issue and developed a Proposal that, for creditors within the stated scope of the Proposal, generally preserves the ability to obtain and use medical information for credit eligibility purposes where necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs, as intended by Congress. There are a number of issues raised by the Proposal, however, that merit further review. Perhaps most importantly, the Proposal creates uncertainty regarding those entities that are not within the stated scope of the Proposal. This issue as well as several others are addressed below.
Purpose and Scope ( .1)
Each of the Agencies has addressed the scope of its respective Proposal. Generally speaking, each of the Agencies asserts that the scope of its Proposal applies only to entities subject to that Agency's jurisdiction (including certain affiliated entities in some circumstances). For example, the Proposal would apply to a variety of creditors that are banks or federally chartered credit unions. The Proposal would not, however, appear to apply to a wide variety of finance companies or other creditors, such as auto dealers, loan brokers, or other arrangers of credit. We do not believe this was the congressional intent and we urge the Agencies to broaden the scope of the final rule ("Final Rule") to encompass all creditors.
Section 603(g)(2) generally states that, "[e]xcept as permitted pursuant to...regulations prescribed under paragraph (5)(A), a creditor shall not obtain or use medical information...pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit." In paragraph (5)(A) of Section 603(g), Congress then provided that "[e]ach Federal banking agency and the National Credit Union Administration shall...prescribe regulations that permit transactions under [Section 603(g)(2)] that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer and other needs...consistent with the intent...to restrict the use of medical information for inappropriate purposes." Based on this provision, each of the Agencies has set forth a Proposal that applies only to certain creditors. This appears to create the possibility that creditors that are not within the Agencies' stated scope will not be permitted to rely on the Final Rule adopted by the Agencies. This will essentially eliminate the ability of such creditors to underwrite loans without fear of violating the FCRA and subjecting themselves to private rights of action, including class action.2 We do not believe that Congress intended such a result. In this regard, the plain language of Section 603(g)(5)(A) states that the Agencies "shall prescribe regulations that permit transactions" in those circumstances where the transactions "are determined to be necessary and appropriate to protect legitimate...needs...." This language appears to direct the Agencies to adopt regulations permitting transactions in those circumstances where the "necessary and appropriate" standard has been met. This language, on its face, is not limited in any way with respect to the types of entities covered by the regulations. As a result, the regulatory directive to the Agencies appears to authorize, and perhaps even require, the Agencies to promulgate a rule covering any transaction where the "necessary and appropriate" standard is met regardless of the types of entities involved in those transactions.
We also note that the specific drafting of other provisions of the FACT Act and the FCRA strongly suggests that Congress did not intend to exclude any subset of entities from the scope of the Agencies' rules. In this regard, the language used to grant rulemaking authority to the Agencies in Section 603(g)(2) stands in stark contrast to rulemaking authority granted to federal agencies in other portions of the FACT Act and the FCRA where the scope of those rulemakings clearly was intended to be limited along jurisdictional lines. For example, in Section 604(g)(3)(C), Congress granted rulemaking authority to the Agencies and the Federal Trade Commission ("FTC") but made it clear that such authority was granted only "with respect to any financial institution subject to the jurisdiction of such agency." In Section 214(b) of the FACT Act, Congress granted rulemaking authority to the Agencies and the FTC with respect to the new affiliate marketing provisions, but limited the applicability "to entities that are subject to their respective enforcement authority under Section 621" of the FCRA. Indeed, Section 621(e) of the FCRA grants broad rulemaking authority to the Agencies, but limits the scope of the rules to certain persons subject to the Agencies' jurisdiction. In contrast, we also note that the approach taken in Section 603(g)(2) and (5)(A) appears to be quite similar to the approach Congress traditionally has taken when granting rulemaking authority in federal statutes regulating consumer credit and other consumer financial services. For example, in the Truth in Lending Act, the Electronic Fund Transfer Act, and the Equal Credit Opportunity Act (collectively, the "Acts"), Congress granted rulemaking authority to a single federal agency—the Board—and the regulations promulgated by the Board apply to all of the entities covered by the Acts, regardless of whether those entities are subject to the Board's jurisdiction. Each of the Acts then divides enforcement authority among several federal agencies based on their respective, limited jurisdictions. Thus, the approach taken in the Acts is to grant rulemaking authority to a particular agency, have that rulemaking authority apply with respect to all entities covered by each Act, and then limit enforcement authority based on the respective jurisdictions of each of the agencies assigned to enforce the statute. This appears to be essentially the same approach used by Congress in enacting Section 603(g)(2). In this regard, Section 603(g)(2) grants rulemaking authority to the Agencies and existing Section 621 of the FCRA divides enforcement responsibility among the Agencies, the FTC, and others in much the same way as accomplished under the Acts. The only difference between the approach taken in Section 603(g)(2) and the more traditional approach taken in the Acts is that Section 603(g)(2) assigns rulemaking responsibility to multiple Agencies while the Acts assign rulemaking authority to a single agency. There is no indication, however, that this difference is intended to override the plain language directive to "permit transactions" where those transactions are "determined to be necessary and appropriate to protect legitimate...." Just as importantly, we are unaware of any public policy goal that is served by not applying the Final Rule to creditors that are not within the jurisdiction of the Agencies. To the contrary, we believe public policy generally, and consumers specifically, are ill served if certain types of creditors are not permitted to use or obtain medical information as a result of the narrow scope of the Final Rule. Therefore, we urge the Agencies to broaden the scope of the Final Rule to apply to all creditors. Should this occur, enforcement against creditors outside the jurisdiction of the Agencies would be handled as provided in the relevant provisions of the FCRA. Examples (§__.2) The Proposal provides examples of certain compliant and noncompliant activities. MasterCard believes that the use of examples provides financial institutions with meaningful guidance on how to comply with the Final Rule's requirements. Therefore, we urge the Agencies to include relevant examples of permitted and prohibited uses of medical information in the Final Rule.
Section §__.2 of the Proposal states that the examples are not exclusive, and that compliance with an example, to the extent applicable, constitutes compliance with the Proposal. We urge the Agencies to retain this provision in the Final Rule. The examples provided by the Agencies should serve as a safe harbor to financial institutions seeking to comply with the Final Rule. Indeed, it would be inappropriate to find an institution in violation of the Final Rule if the institution were simply adhering to the Agencies' examples of permitted activities. Definitions (§__.3) The Proposal establishes several definitions which appear to have a general applicability, not only to the Final Rule, but also to other provisions of the FCRA. It is important that any such definition be reviewed and analyzed to ensure that it is appropriate not only in the context of the Proposal, but other applicable provisions of the FCRA as well. Affiliate/Control The Proposal defines the term "affiliate" as "any company that controls, is controlled by, or is under common control with another company." The proposed definition is identical to the definition of "affiliate" in the regulations implementing Title V, Subtitle A of the Gramm-Leach-Bliley Act ("GLBA"). "Control" is defined to mean: (i) direct or indirect ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security; (ii) control over the election of a majority of the directors, trustees, or general partners; or (iii) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the company. MasterCard believes these definitions are appropriate and should be retained in the Final Rule. Medical Information The Proposal provides a definition of "medical information" that is consistent with the statutory language provided in Section 411 of the FACT Act and should be included in the Final Rule. We request, however, that the Final Rule also clarify that information coded in a manner consistent with Section 604(g)(1)(C) of the FCRA is not "medical information" for purposes of the Final Rule. In this regard, Congress provided specific consumer protections with respect to coded tradeline data in consumer reports that may relate to a "medical information furnisher." Such information does not meet the definition of "medical information" included in the FCRA or in the Proposal. Specifically, the coded information provides no insight as to the consumer's physical, mental, or behavioral health or condition, and therefore falls within a specific exception to the definition of "medical information." Furthermore, in light of the protections provided by Congress with respect to the coding of certain information, we do not believe that any additional meaningful consumer protections would be provided if such information were deemed to be "medical information." MasterCard also believes it would be appropriate for the Agencies to provide clarification that "medical information" must "relate to" or "pertain to" a specific consumer. For example, a database of information relating to the repayment behavior of thousands of consumers, none of whom is personally identifiable, should not be deemed to be "medical information." If such information were "medical information," creditors may have difficulty in utilizing such data even for basic analytical purposes that have no bearing or impact on any individual. We do not believe this was the intent of Congress or the Agencies, and we urge the Agencies to provide a clarification on this issue. General Prohibition on Obtaining or Using Medical Information (§__.30(a)) The Proposal states that a "creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit except as provided in" the Proposal.3 This language tracks the statutory language in Section 604(g)(2) of the FCRA. We commend the Agencies for using their discretionary authority to recognize that there are circumstances where it is appropriate to obtain and/or use medical information in connection with a determination of a consumer's eligibility, or continued eligibility, for credit. We strongly urge the Agencies to retain this approach in the Final Rule. Eligibility, or Continued Eligibility, For Credit The Proposal provides for definitions of certain terms which apply only in the Proposal. One such term is "eligibility, or continued eligibility, for credit," which is defined as applying to credit "offered, primarily for personal, family, or household purposes." This is consistent with longstanding interpretations of the FCRA4 and should be retained in the Final Rule. The Agencies correctly note in the Supplementary Information that "[n]othing in the statute prohibits a creditor from obtaining medical information if the information is not obtained in connection with a determination of the consumer's eligibility, or continued eligibility, for credit." MasterCard agrees, and requests that the Agencies include similar language in the Supplementary Information to the Final Rule. In light of the exclusion from coverage by the statute (and therefore by the Final Rule), the Agencies included in the Proposal activities that are not included in the term "eligibility, or continued eligibility, for credit." Specifically, the term does not include: (i) the consumer's qualification or fitness to be offered employment, insurance products, or other non-credit products or services; (ii) any determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or programs are triggered; (iii) authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit; or (iv) maintaining or servicing the consumer's account in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit. MasterCard appreciates the Agencies' clarification with respect to certain items that are not related to credit eligibility. However, MasterCard urges the Agencies to note that these exclusions are non-exclusive examples of items that are not deemed to be "eligibility, or continued eligibility, for credit." We also urge the Agencies to clarify that a creditor's determination of a consumer's legal competency is not related to eligibility for credit, but that it pertains to a determination of the consumer's legal capacity. MasterCard also notes that the example with respect to debt cancellation contracts, debt suspension agreements, credit insurance products, or similar forbearance practices or programs should be expanded beyond what is provided in the Proposal. Specifically, the Proposal excludes these items from the definition of "eligibility, or continued eligibility, for credit" only with respect to whether such practices or programs are "triggered." We believe that the more appropriate approach would be to recognize that all issues related to debt cancellation contracts and similar programs are not part of the consumer's "eligibility, or continued eligibility, for credit." Indeed, not only are such programs not related to a consumer's eligibility for credit, but the Office of the Comptroller of the Currency has prohibited a national bank from extending credit or altering the terms or conditions of an extension of credit conditioned on the customer entering into a debt cancellation contract or debt suspension agreement with the bank.5 Therefore, MasterCard believes that issues related to debt cancellation contracts and similar agreements or practices fall outside the scope of the prohibition on obtaining or using medical information. Rule of Construction: Unsolicited Medical Information (§__.30(b)) The Proposal acknowledges that creditors, in many instances, cannot control the information they obtain with respect to a determination of a consumer's eligibility for credit. For example, a consumer may volunteer on an application, or in conversation with a loan officer, that he or she has recently been ill. We commend the Agencies for recognizing that creditors may receive medical information on an unsolicited basis. In particular, the Proposal states that a creditor does not obtain medical information for purposes of the general prohibition on obtaining or using medical information if the creditor: (i) receives medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit without specifically requesting medical information; and (ii) does not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued. We believe the Agencies should retain this provision in the Final Rule, with one modification. In this regard, we believe consumers would benefit if a creditor were permitted to use unsolicited medical information in a manner no less favorable than it would use comparable information that is not medical information. For example, this exception could be useful in granting a consumer's emergency request that may involve medical information. Financial Information Exception for Obtaining and Using Medical Information (§__.30(c)) In addition to receiving medical information on an unsolicited basis, creditors may receive information that reflects on the consumer's credit history or ability to repay a loan, but that is also medical information. For example, a creditor may learn that a consumer owes a debt to a hospital. The creditor may need to use the fact that the consumer owes a debt without regard to whether it is to a hospital or another type of creditor. The Proposal addresses this type of situation. In particular, a creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit so long as: (i) the information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan; (ii) the creditor uses the medical information in a manner and to an extent "that is no less favorable" than it would use comparable information that is not medical information; and (iii) the creditor does not take the consumer's physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. We believe the Agencies have taken the correct approach with respect to how creditors may use medical information in certain circumstances, and urge that it be retained in the Final Rule. However, we believe that the Agencies may be restricting the scope of the exception unnecessarily. In particular, the Agencies limit the applicability of the exception to those circumstances where the information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan. As a result, the exception would not appear to apply if the information related to other factors routinely used in credit underwriting, such as the debtor's assets. In order to address this issue, we urge that the exception included in the Final Rule be expanded to include information that relates to "any other factor regularly used in credit eligibility determinations." This would ensure that the exception covers the full range of appropriate uses while also ensuring that consumers are adequately protected. In particular, it is important to note that the exception would only apply to the extent the creditor uses the information in a manner and to an extent "that is no less favorable" than it would use comparable non-medical information. If the Agencies determine that coded information reported by consumer reporting agencies should not be excluded from the definition of "medical information," then the Agencies should clarify that coded information about a medical debt received by a creditor from a consumer reporting agency would be subject to the exceptions provided in Section .30(c). Under this approach, the information would be "medical" but the creditor should be permitted to take into account that the consumer owes the debt so long as the creditor provides it no less favorable treatment than other debts and the creditor does not take the consumer's health, condition, history, treatment, or prognosis into account. Specific Exceptions for Obtaining, and Using Medical Information (§__.30(d)) There will be instances in which a creditor must obtain and use medical information pertaining to a consumer in connection with a determination of that consumer's eligibility for credit. For example, if the creditor is financing a medical procedure, the creditor may legitimately need information with respect to the procedure in order to underwrite the loan. We applaud the Agencies for recognizing that there are legitimate circumstances in which creditors must be permitted to obtain and use medical information. These circumstances include when the creditor is financing medical products or services, to prevent and detect fraud, and if the consumer (or the consumer's legal representative) requests in writing, on a separate form signed by the consumer (or the consumer's legal representative) that the creditor use specific medical information for a specific purpose. We believe the Agencies should retain this provision in the Final Rule. If the Agencies do not exclude a determination of a consumer's legal competency from the definition of "eligibility, or continued eligibility, for credit," then we urge the Agencies to provide an additional exception to allow a creditor to use medical information for this purpose. We urge, however, that the Agencies consider a modification to the Supplementary Information regarding consumer consent. In particular, the Supplementary Information states that the consent exception "is designed to accommodate the particular medical condition or circumstances of the individual consumer and is not intended to allow creditors to obtain consent on a routine basis or as a part of loan applications or documentation. This exception would not be met by a form that contains a preprinted description of various types of medical information and the uses to which it might be put." We do not believe this interpretation is necessary and it may interfere with acceptable practices. For example, a creditor that finances vision correction procedures may wish to use pre-printed application forms, including forms for obtaining consent. This type of practice appears to be within the scope of those activities intended to be permitted by the Agencies. The Supplementary Information, however, clouds the issue. We therefore respectfully request the Agencies to delete this statement from the Supplementary Information that is included with the Final Rule or rewrite it to more precisely describe the practices the Agencies intend to prohibit. Limits on Redisclosure of Information (§__.30(e)) The Proposal would restrict a person's ability to disclose to any other person medical information it receives from a consumer reporting agency or from the person's affiliate, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. We urge the Agencies to consider allowing a person to redisclose medical information it receives in additional limited circumstances. For example, a person should be able to redisclose medical information it receives from a consumer reporting agency or an affiliate for any purpose described in section 502(e) of the GLBA, such as for fraud prevention or to a federal regulator, even if fraud prevention or regulatory compliance were not among the specific reasons the person obtained the medical information. Sharing Medical Information with Affiliates (§__.31) Section 603(d) of the FCRA sets forth the definition of a "consumer report" and Section 603(d)(2) provides specific exceptions to that definition. Under Section 603(d)(2), information that would otherwise meet the definition of a consumer report is excluded from the definition if such information is: (i) transaction and experience information; (ii) a communication of transaction and experience information among affiliates; or (iii) a communication of other information among affiliates if the consumer is provided a notice and an opportunity to opt out. The FACT Act amended the definition of "consumer report" by adding paragraph 603(d)(3) to provide that the exclusions from the definition of "consumer report" do not apply with respect to information disclosed to any affiliate if the information is: (i) medical information; (ii) an individualized list or description based on the payment transactions of the consumer for medical products or services; or (iii) an aggregate list of identified consumers based on payment transactions for medical products or services. Section 603(d)(3) does not apply to disclosures: (i) in connection with the business of annuities; (ii) for any purpose permitted without authorization under certain regulations under the Health Insurance Portability and Accountability Act; and (iii) as otherwise determined to be necessary and appropriate by the FTC and the Agencies with respect to any financial institution subject to the jurisdiction of such agencies, or applicable state insurance authority with respect to persons engaged in providing insurance or annuities. In the Proposal, the Agencies make it clear that Section 603(d)(3) also does not apply to disclosures that are made for any purpose described in Section 502(e) of the GLBA, or in connection with a determination of a consumer's eligibility, or continued eligibility, for credit consistent with the Proposal. We believe these exclusions are appropriate and we urge the Agencies to retain them in the Final Rule. Once again, we appreciate the opportunity to comment on the Proposal and we commend the Agencies for their thorough and thoughtful treatment of this issue. If you have any questions concerning our comments, or if we may otherwise be of assistance in connection with this issue, please do not hesitate to call me, at the number indicated above, or Michael F. McEneney at Sidley Austin Brown & Wood LLP, at (202) 736-8368, our counsel in connection with this matter. Sincerely, Jodi Golinsky Vice President and Senior Regulatory Counsel
_______________________
1 MasterCard is a SEC-registered private share corporation that licenses financial institutions to use the MasterCard service marks in connection with a variety of payments systems.
2 For example, litigants could allege that a creditor that falls outside the Agencies' scope violates the FCRA when it: (i) receives medical information on an unsolicited basis; (ii) relies on scoring models that take payment history, including payment history to hospitals and similar creditors, into account; (iii) uses medical information to comply with law. 3 These comments will use the term "creditor" to also mean "bank" as provided in the Proposal issued by the Office of the Comptroller of the Currency.
4 See, e.g., ¶ 3 F.R.R.S. 6-1630 ("[A] business transaction...is generally beyond the scope of the [FCRA]."), and Statement of General Policy or Interpretation; Commentary on the Fair Credit Reporting Act, 55 Federal Register 18,804 at 18,810 and 18,811 (1990).
5 See 12 C.F.R. § 37.3(a). |