VISA
July 12, 2004
Jennifer J. Johnson
Secretary
Board of Governors of the Federal
Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No. R-1199
Office of the Comptroller of the Currency
250 E Street, SW
Public Reference Room
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Attention: RIN 3064-AC77
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: No. 2004-26
Re: Proper Disposal of Consumer Information under FACT Act
Ladies and Gentlemen:
This comment letter is submitted on behalf of Visa U.S.A. Inc. in response
to the joint notice of proposed rulemaking ("Proposed Rule") and request for
public comment by the Federal Deposit Insurance Corporation, the Federal
Reserve Board, the Office of the Comptroller of the Currency and the Office
of Thrift Supervision (collectively, the "Agencies"), published in the
Federal Register on June 8, 2004. The Proposed Rule would require financial
institutions under the Agencies' jurisdiction to develop, implement and
maintain appropriate measures to properly dispose of consumer information.
Visa supports the Agencies' Proposed Rule and appreciates the opportunity to
comment on this important topic.
The Visa Payment System, of which Visa U.S.A.1 is a part, is the largest
consumer payment system, and the leading consumer e-commerce payment system,
in the world, with more volume than all other major payment cards combined.
Visa plays a pivotal role in advancing new payment products and
technologies, including technology initiatives for protecting personal
information and preventing identity theft and other fraud, for the benefit
of its member financial institutions and their hundreds of millions of
cardholders.
Section 628 of the Fair Credit Reporting Act ("FCRA"), as added by section
216 of the Fair and Accurate Credit Transactions Act of 2003, "is designed
to protect a consumer against the risks associated with unauthorized access
to information about the consumer contained in a consumer report,"
such as the risk of identity theft or fraud.2 To this
end, section 628 requires the Agencies, the Federal Trade Commission, the
National Credit Union Administration and the Securities and Exchange
Commission to prescribe consistent and comparable regulations that require
"any person that maintains or otherwise possesses consumer information, or
any compilation of consumer information, derived from consumer reports" to
properly dispose of this information or compilation.3 Section 628 also
directs the agencies to ensure that these regulations are consistent with
the requirements and regulations issued under the Gramm-Leach-Bliley Act ("GLBA")
and other federal law.4
"CONSUMER INFORMATION" SHOULD IDENTIFY A PARTICULAR CONSUMER
The Proposed Rule would define "consumer information" as "any record about
an individual, whether in paper, electronic, or other form, that is a
consumer report or is derived from a consumer report and that is maintained
or otherwise possessed by or on behalf of [financial institutions] for a
business purpose."5 The Supplementary Information to the Proposed Rule
("Supplementary Information") indicates that records that are "derived from
consumer reports" would include any "information about a consumer that is
taken from a consumer report."6 The Supplementary Information also states
that "information that may be 'derived from consumer reports' but does not
identify a particular consumer" would not qualify as "consumer
information."7 Visa supports the Agencies' proposed, broad definition of
"consumer information." This definition will allow financial institutions
and companies providing services to financial institutions to apply
consistent disposal procedures and, therefore, a consistent level of
protection for all consumer information nationwide.
However, Visa is concerned that the proposed definition of "consumer
information" in the rule itself does not provide guidance as to the coverage
of information that does not identify a particular consumer. Visa believes
that the text of the final rule itself should expressly state that
information that does not identify a particular consumer would not qualify
as "consumer information." This express statement in the text of the final
rule would promote clarity and would eliminate any ambiguity surrounding the
phrase "any record about an individual." Information that does not identify
a particular consumer poses little or no risk of consumer fraud or identity
theft and, as a result, the final rule should not apply to such information.
HARMONIZATION OF DISPOSAL RULE WITH INTERAGENCY GUIDELINES ESTABLISHING
STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION IS APPROPRIATE
In order to implement section 628, the Proposed Rule would amend the
Agencies' FCRA rules and the Interagency Guidelines Establishing Standards
for Safeguarding Customer Information ("Guidelines"). The Proposed Rule
would add a new section to the FCRA rules that would require financial
institutions to "properly dispose of any consumer information that
[financial institutions] maintain or otherwise possess in accordance with
the [Guidelines]."8 The Guidelines, promulgated pursuant to sections 501
and 505 of the GLBA, provide that financial institutions must assess the risks to their customer information and
customer information systems and implement appropriate security measures to
control these risks. This "responsibility to safeguard customer information
continues through the disposal process."9 The Proposed Rule would amend the
Guidelines to require financial institutions to "[d]evelop, implement, and
maintain as part of [their] information security program[s], appropriate
measures to properly dispose of consumer information in a manner consistent
with the disposal of customer information."10
Visa supports the Agencies' determination that "consumer information" should
be disposed of in a manner consistent with the disposal of "customer
information." This disposal standard would allow financial institutions to
employ different standards based on the individual financial institution's
risk assessment and circumstances in order to ensure appropriate disposal of
consumer information. This approach would promote flexibility and would
allow financial institutions to avoid disrupting existing practices under
their information security programs, except where necessary to do so. This
approach also would respond to the statutory mandate that the regulations
issued be consistent with those issued under the GLBA by harmonizing the
disposal rule with the Guidelines. This harmonization is essential because
inconsistent requirements would be confusing and lead to uneven results. As
a result, Visa strongly supports the Agencies' determination that the
requirements for the disposal of consumer information should be part of
financial institutions' larger information security programs.
Visa appreciates the opportunity to comment on this important matter. If you
have any questions concerning these comments, or if we may otherwise be of
assistance in connection with this matter, please do not hesitate to contact
me, at (415) 932-2178.
Sincerely,
Russell W. Schrader
Senior Vice President and
Assistant General Counsel
VISA U.S.A. Inc.
P.O. Box 194607
San Francisco, CA 94119-4607
1 Visa U.S.A. is a membership organization comprised of U.S.
financial institutions licensed to use the Visa service marks in connection
with payment systems.
2 69 Fed. Reg. 31,913, 31,914 (June 8, 2004).
3 FCRA §§ 628(a)(1)-(2).
4 FCRA § 628(a)(2)(B).
5 69 Fed. Reg. at 31,918, 31,919, 31,921.
6 Id. at 31,915.
7 Id.
8 Id. at 31,918, 31,919, 31,920, 31,922.
9 66 Fed. Reg. 8616, 8618 (Feb. 1, 2001).
10 69 Fed. Reg. at 31,918, 31,919, 31,921, 31,922. In addition,
the Proposed Rule would add a new objective to the Guidelines that would
provide that a financial institution's information security program should
be designed to "[e]nsure the proper disposal of consumer information in a
manner consistent with the disposal of customer information." Id. The
addition of this objective would require "financial institution[s] to
contractually require [their] service providers to develop appropriate
measures for the proper disposal of consumer information" because the
Guidelines provide that financial institutions contractually should require
service providers to implement appropriate measures designed to meet the
Guidelines' objectives. Id. at 31,916.