Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Federal Register Publications

FDIC Federal Register Citations

VISA



May 28, 2004


Robert E. Feldman 
Executive Secretary 
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

Public Information Room
Office of the Comptroller of the Currency 
250E Street, SW 
Mail Stop 1-5 
Washington, DC 20219 
Attention: Docket No. 04-09

Becky Baker 
Secretary of the Board 
National Credit Union Administration 
1775 Duke Street 
Alexandria, VA 22314 

Jennifer J. Johnson Secretary 
Board of Governors of the Federal Reserve System 
20th Street and Constitution Avenue, NW 
Washington, DC 20551 
Attention: Docket No, R.-1188

Regulation Comments
Chief Counsel's Office 
Office of Thrift Supervision 
1700 G Street, NW 
Washington, DC 20552 
Attention: Docket No. 2004-16

Re: Proposed Fair Credit Reporting Medical Information Regulations 

Ladies and Gentlemen:

This comment letter is submitted on behalf of Visa U.S.A. Inc. ("Visa") in response to the notice and request for comment issued by the Federal Deposit Insurance Corporation ("FDIC"), Federal Reserve Board ("Board"), Office of the Comptroller of the Currency ("OCC"), Office of Thrift Supervision ("OTS") and the National Credit Union Administration ("NCUA") (collectively, the "Agencies") regarding the Notice of Proposed Rulemaking for the medical privacy regulations under the Fair and Accurate Credit Transactions Act of 2003 ("Proposed Rule"). Visa appreciates the opportunity to comment on this very important matter.

The Visa Payment System, of which Visa U.S.A.1 is a part, is the largest consumer payment system, and the leading consumer e-commerce payment system, in the world, with more volume than all other major payment cards combined. Visa plays a pivotal role in advancing new payment products and technologies, including technology initiatives for protecting personal information and preventing identity theft and other fraud, for the benefit of its member financial institutions and their hundreds of millions of cardholders worldwide.

Visa supports the Agencies in their effort to create regulations containing exemptions for obtaining, using and sharing medical information, as required by the Fair and Accurate Credit Transactions Act ("FACT Act"). However, Visa is concerned that key aspects of the Proposed Rule do not effectively recognize the day-to-day realities of the uses of medical information in the provision of financial services, including credit.

Scope

Section 604(g)(2) of the Fair Credit Reporting Act ("FCRA") provides that "[e]xcept as permitted pursuant to paragraph (3)(C) or regulations prescribed under paragraph (5)(A), a creditor shall not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit." Under section 603(r)(5) of the FCRA, the terms credit and creditor have the same meaning as in section 702 of the Equal Credit Opportunity Act ("ECOA"). The ECOA defines the term creditor to mean "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.2 Section 604(g)(5)(A) of the FCRA, as added by section 411(a) of the FACT Act ("Credit Granting Exceptions"), provides that "[e]ach Federal banking agency and the National Credit Union Administration shall ... prescribe regulations that permit transactions under paragraph (2) that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs."

Section 604(g)(3)(C) of the FCRA, as added by the FACT Act ("Affiliate Sharing Exceptions"), provides for exceptions to the limitations on affiliate sharing of medical information, including if the information is disclosed "as otherwise determined to be necessary and appropriate, by regulation or order . . . by the Commission, any Federal banking agency or the National Credit Union Administration (with respect to any financial institution subject to the jurisdiction of such agency or Administration under paragraph (1), (2), or (3) of section 621(b))." Thus, unlike the Credit Granting Exceptions, the Affiliate Sharing Exceptions are limited to entities subject to the jurisdiction of the respective rule writing agencies.

Notwithstanding the plain language of the FCRA, the Agencies proposed that their rules and, therefore, the Credit Granting Exceptions, would only apply to certain banking institutions, their affiliates and certain other persons. In particular, section _.1 of the Proposed Rule identifies the financial institutions that would be covered by the Proposed Rule if adopted by each of the respective Agencies. 

OCC

Section 41.1(b)(2) of the OCC's Proposed Rule states that, except as otherwise provided, the regulations would apply to national banks, federal branches and agencies of foreign banks, and their respective operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act (12 U.S.C. § 1844(c)(5)).3 These are the same entities for which the OCC is the "appropriate Federal banking agency" under the Federal Deposit Insurance Act ("FDIA").

Board

Section 222.1(b)(2) of the Board's Proposed Rule states that, except as otherwise provided, the regulations would apply to banks that are members of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than federal branches, federal agencies, and insured state branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under sections 25 or 25A of the Federal Reserve Act, and bank holding companies and affiliates of such holding companies. These are the same entities for which the Board is the "appropriate Federal banking agency" under the FDIA.

FDIC

Section 334.1(b)(2)(i) of the FDIC's Proposed Rule states that the regulations would apply to banks insured by the FDIC (other than district banks and members of the Federal Reserve System) and insured state branches of foreign banks and subsidiaries and affiliates of such entities; and other entities or persons with respect to which the FDIC may exercise its enforcement authority. A subsidiary of a covered bank would not include a broker, dealer, person providing insurance, investment company, or an investment adviser. This list of entities goes significantly beyond the entities for which the FDIC is the "appropriate Federal banking agency" under the FDIA. Accordingly, the basis for this jurisdictional statement is not clear. 

OTS

Section 571.1(b)(2) of the OTS' Proposed Rule states that the regulations would apply to savings associations or their subsidiaries, savings and loan holding companies, or affiliates of savings associations or savings and loan holding companies other than bank holding companies, banks, or subsidiaries of bank holding companies or banks.

NCUA

Section 717.7(b)(2) of the NCUA's Proposed Rule states that the regulations would apply to federal credit unions.

Discussion

The prohibition on creditors obtaining or using medical information contained in the FCRA has broader application than those institutions that appear to be covered by the Proposed Rule. More specifically, the FCRA requires the Agencies to promulgate exceptions to the prohibition on creditors obtaining and using medical information, except where "necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (and which shall include permitting actions necessary for administrative verification purposes)."4 Creditors that are not subject to the jurisdiction of the Agencies as described in the Proposed Rule would not be able to avail themselves of the exceptions to the restrictions on obtaining and using medical information established by the Proposed Rule. For example, as noted above, the ECOA definition of creditor that is used in the FCRA, includes persons arranging credit, and certain assignees of a loan, as well as the actual lender. These arrangers of credit often are neither banks nor affiliates of banks and, therefore, are outside of the scope of the coverage of the Proposed Rule.

Creation of credit-related exceptions that only apply to banking institutions and their affiliates, and in one case to related entities, is not mandated by, or even consistent with, the express language of the Credit Granting Exceptions of the FCRA and would lead to the result that entities that are not subject to the Proposed Rule could never obtain or use medical information in connection with granting credit. In this regard, it is important to note that Congress, in drafting the FACT Act, limited the application of the Affiliate Sharing Exceptions to the creditors "subject to the jurisdiction of such agency;" however, the Credit Granting Exceptions contain no such limitation.

Visa believes that any exceptions set forth in the final rule should be sufficiently broad in scope to reflect the Congressional intent that the Agencies promulgate regulations that create exceptions for all creditors that are subject to the prohibition. Visa also believes this clarification in scope is necessary in order to continue to provide consumers with the same opportunities for credit as are available through current legitimate market practices. Otherwise, consumers likely will incur greater costs in obtaining credit or will be unable to obtain credit that previously was available to them. Visa believes that it is particularly important that the final rule cover persons that arrange credit with banks and bank affiliates. Visa also believes that if the Agencies do not apply their rules to all creditors as defined in the ECOA, the Agencies should issue a clarifying statutory interpretation of the language in section 604(g)(2) that this prohibition does not apply to creditors that do not actually determine the creditworthiness of the individual consumer so that persons that arrange credit for banks and other creditors and do not participate in the credit underwriting decisions, but that are not covered by the Agencies' rules, can benefit from the interpretation.

Exceptions to the Limitations on Obtaining or Using Medical Information

The FCRA, as amended by section 411 of the FACT Act, provides a broad prohibition against creditors obtaining or using medical information in connection with credit eligibility determinations, except as provided by Agency regulations. Proposed section .30 reiterates the general prohibition against creditors obtaining or using medical information in connection with any determination of a consumer's eligibility for credit, subject to the exclusions set forth in the Proposed Rule.

Section .30(a)(2)(i)(B) of the Proposed Rule would provide that the term "eligibility, or continued eligibility, for credit" does not include, among other things, "[a]ny determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered." As drafted, we believe this provision is too narrow. The provision should be modified in the final rule to cover any information related to the eligibility or fulfillment of obligations in a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program. To limit the provision only to "triggering" events would fail to adequately protect the use of medical information in connection with other aspects of debt cancellation contracts or debt suspension agreements that may affect the credit available to the consumer. For example, once a debt cancellation clause has been triggered, a creditor would need ongoing medical information in order to ascertain when the coverage should expire. In failing to consider all scenarios where debt cancellation or similar forbearance practices may require the use of medical information, the Proposed Rule creates uncertainty regarding which functions of debt cancellation products or similar forbearance practices or programs would be covered and which would not. Visa also recommends that this provision be restructured as a specific exception to the prohibition on the use of medical information, rather than an interpretation of what constitutes "eligibility, or continued eligibility, for credit."

In addition, Visa believes that the Agencies should clarify in the final rule that "similar forbearance practice or program" includes informal forbearance practices by creditors. For example, consumers often request that a creditor defer collecting on a loan because of a health condition. Consumers would be disadvantaged if creditors could not take this information into account in exercising discretion on whether to provide additional credit or defer debt collection, absent formal procedures with respect to these requests.

Section _.30(a)(2)(i)(C) of the Proposed Rule excludes from the definition of "eligibility, or continued eligibility, for credit" "[a]uthorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit." Visa understands this exception to include all aspects of the authorization and approval process for individual credit card transactions regardless of whether such authorization or approval would involve over-limit transactions. In over-limit transactions, a credit card issuer often cannot tell when the transaction is approved, or whether the transaction will actually result in exceeding the consumer's credit limit. In addition, Visa also understands that this exclusion would apply to transaction codes (which may indicate that the payment is for a merchant whose goods or services are medical in nature) that accompany any authorization request. Visa believes that the final rule should clarify that over-limit transactions and the use of transaction codes would fall within the purview of this exclusion.

Section _.30(c) provides an exception from the prohibition on obtaining or using medical information by banks so long as certain criteria are met. In particular, the first criteria requires that the "information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of loan proceeds." Visa believes the scope of this exception does not adequately encompass credit underwriting practices. Visa believes that the Agencies should delete the first criteria set forth in section _.30(c)(1)(i).

Section .30(d)(1)(vi) provides an exception from the prohibition on obtaining or using medical information by a bank "[i]f the consumer or the consumer's legal representative requests in writing, on a separate form signed by the consumer or the consumer's legal representative that the bank use specific medical information for a specific purpose in determining the consumer's

eligibility, or continued eligibility, for credit, to accommodate the consumer's particular circumstances." Section .30(d)(1)(vi) also requires the signed written request to "describe the specific medical information that the consumer requests the bank to used and the specific purpose for which the information will be used." The supplementary information to the Proposed Rule which relates to this provision indicates that the consumer's consent should not be used on a "routine basis" and that the consent may not be a preprinted form for the consumer to sign. Visa believes that this exception should not be limited to unusual circumstances nor require a separate writing. Visa believes that requiring a separate, highly individualized writing would place an unrealistic burden on consumers, which may discourage consumers from seeking credit that may be necessary for the consumers to obtain medical treatment. In addition, this consent process would raise significant compliance issues including: (1) determination of the adequacy of the description of the information to be used or the purpose for which it is to be used; (2) retention of the separate written consents, particularly if the consents are in hard copy; and (3) determination of what constitutes a separate form, particularly when consent is contained in electronic format. Visa believes the final rule should permit a creditor to obtain consumer consent for the use of medical information in any manner that reasonably demonstrates the consumer's consent.

Unsolicited Medical Information

Section _.30(b) of the Proposed Rule would provide that a creditor does not "obtain" medical information if it: (1) receives medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit without specifically requesting the medical information; and (2) does not use that information in making the credit decision. As proposed, a creditor does not obtain medical information for purposes of the prohibition on using and obtaining medical information if the receipt of such information was unsolicited and the creditor "[d]oes not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued." For practical purposes, it may be difficult for a creditor to demonstrate that it did not use the unsolicited medical information. Visa believes that this section should be clarified to place the burden of proof on the person who claims his or her information was used in a determination to extend or continue to extend credit. Visa believes the final rule should include a presumption that unsolicited information is not used unless the complainant can provide specific evidence that the medical information was used to determine the consumer's eligibility, or continued eligibility, for credit.

Medical Information

Visa believes that the final rule should clarify that "medical information" must "relate to" or "pertain to" a specific, identifiable consumer. For example, a database of information relating to the repayment behavior of consumers, none of whom is personally identifiable because the information has been coded or otherwise, should not be deemed to be "medical information." If this information were "medical information," creditors may have difficulty in utilizing data even for analytical purposes that have no bearing or impact on any individual.

Credit and Creditor

Sections _.30(a)(2)(ii) and (iii) incorporate into the Proposed Rule the meanings of "creditor" and "credit" under the ECOA. It is unclear from sections _.30(a)(2)(ii) and (iii) whether these definitions would be limited to the text of the relevant sections of the ECOA or also would include its implementing regulation (Regulation B). Visa believes that the final rule should clarify that the meanings of "creditor" and "credit" also would include the regulatory interpretation of these terms set forth in Regulation B, and the commentary to Regulation B.

Redisclosure of Medical Information

Section _.30(e) prohibits a creditor that receives medical information about a consumer from a consumer reporting agency or from an affiliate from redisclosing that information except as necessary to carry out the purpose for which the information was initially disclosed. We believe the creditor should be able to redisclose medical information to regulators, attorneys, accountants and others for limited purposes, such as fraud prevention. Visa believes the final rule should clarify that a redisclosure made for any purpose described in section 502(e) of the Gramm-Leach-Bliley Act is a disclosure necessary to carry out the purpose for which the information was initially disclosed.

Flexible Spending Accounts/Healthcare Reimbursement Accounts

Some credit card issuers offer credit card products that work seamlessly with employer-sponsored healthcare reimbursement plans or flexible spending accounts. Employees who participate in card-accessed healthcare reimbursement plans or flexible spending accounts can use their card to pay for eligible (reimbursable) medical expenses. Typically, either the plan administrator or the employer must review each expense to confirm that it is appropriately reimbursable. Even though appropriate use of the card is dependent on a determination that the charges are covered medical expenses, Visa is concerned that section 604(g)(2) could be interpreted to prohibit the plan administrator or the employer from obtaining the information necessary to make coverage determinations if there is a credit feature associated with the card. Visa believes that the final rule should exclude from the prohibition on using or obtaining medical information employers, plan administrators and card issuers who participate in medical flexible spending account or healthcare reimbursement account programs that utilize cards with credit features.

Use of Examples

The Proposed Rule contains several examples to illustrate activities that would be consistent with the Proposed Rule, as well as those that would be deemed to violate the Proposed Rule. Furthermore, the Proposed Rule states that examples provided are not exclusive and that compliance with an example, to the extent applicable, constitutes compliance with the Proposed Rule. We urge the Agencies to retain these provisions in the final rule. Visa believes that these examples can be useful to creditors in assessing compliance with the final rule. Furthermore, for purposes of compliance, Visa believes a creditor should be permitted to rely on an example as a safe harbor.

Effective Date

The Agencies specifically requested comment on whether an effective date of 90 days after the publication of the final rules is appropriate, or whether a different effective date should be established. Visa believes that the proposed effective date should remain the same or provide for a longer implementation period in order to permit covered entities to adequately assess their practices. The FACT Act provides that the prohibition on obtaining and using medical information shall not take effect until the implementing regulations become effective, or as otherwise provided by regulation. Visa strongly urges the Agencies to synchronize the effective date for the prohibition on the using and obtaining of medical information with the effective date of the regulatory exceptions thereto.

In conclusion, Visa appreciates the opportunity to comment on this very important topic. If you have any questions concerning these comments, or if we may otherwise be of assistance in connection with this matter, please do not hesitate to contact me, at (415) 932-2178.

 

Sincerely, 
Russell W. Schrader 
Senior Vice President and Assistant General Counsel

________________________

1 Visa U.S.A. is a membership organization comprised of U.S. financial institutions licensed to use the Visa service marks in connection with payment systems. 

2 15 U.S.C. § 1691a(e) 

3 12 U.S.C. § 1844(c)(5) defines "functionally regulated subsidiary" to mean a company: 
(A) that is not a bank holding company or a depository institution; and 
(B) that is —

(i) a broker or dealer that is registered under the Securities Exchange Act of 1934 (15 U.S.C. § 78a et seq.);

(ii) a registered investment adviser, properly registered by or on behalf of either the Securities and Exchange Commission or any State, with respect to the investment advisory activities of such investment adviser and activities incidental to such investment advisory activities;

(iii) an investment company that is registered under the Investment Company Act of 1940 (15 U.S.C. § 80a-1 et seq.);

(iv) an insurance company, with respect to insurance activities of the insurance company and activities incidental to such insurance activities, that is subject to supervision by a State insurance regulator; or

(v) an entity that is subject to regulation by the Commodity Futures Trading Commission, with respect to the commodities activities of such entity and activities incidental to such commodities activities.

415 U.S.C. § 1681(g)(5)(A).

Last Updated 06/03/2004regs@fdic.gov

Last Updated: August 23, 2024