VISA
May 28, 2004
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Public Information
Room
Office of the Comptroller of the Currency
250E Street, SW
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-09
Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314
Jennifer J. Johnson Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No, R.-1188
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2004-16
Re: Proposed Fair Credit Reporting Medical Information Regulations
Ladies and Gentlemen:
This comment
letter is submitted on behalf of Visa U.S.A. Inc. ("Visa")
in response to the notice and request for comment issued by the Federal
Deposit Insurance Corporation ("FDIC"), Federal Reserve
Board ("Board"), Office of the Comptroller of the Currency
("OCC"), Office of Thrift Supervision ("OTS")
and the National Credit Union Administration ("NCUA") (collectively,
the "Agencies") regarding the Notice of Proposed Rulemaking
for the medical privacy regulations under the Fair and Accurate Credit
Transactions Act of 2003 ("Proposed Rule"). Visa appreciates
the opportunity to comment on this very important matter.
The Visa Payment
System, of which Visa U.S.A.1 is a part, is the largest
consumer payment system, and the leading consumer e-commerce
payment system, in the world, with more volume than all other major
payment cards combined. Visa plays a pivotal role in advancing new payment products and technologies, including technology
initiatives for protecting personal information and preventing identity
theft and other fraud, for the benefit of its member financial institutions
and their hundreds of millions of cardholders worldwide.
Visa supports
the Agencies in their effort to create regulations containing exemptions
for
obtaining, using and sharing medical information,
as required by the Fair and Accurate Credit Transactions Act ("FACT
Act"). However, Visa is concerned that key aspects of the Proposed
Rule do not effectively recognize the day-to-day realities of the
uses of medical information in the provision of financial services,
including credit.
Scope
Section 604(g)(2)
of the Fair Credit Reporting Act ("FCRA")
provides that "[e]xcept as permitted pursuant to paragraph (3)(C)
or regulations prescribed under paragraph (5)(A), a creditor shall
not obtain or use medical information pertaining to a consumer in
connection with any determination of the consumer's eligibility,
or continued eligibility, for credit." Under section 603(r)(5)
of the FCRA, the terms credit and creditor have the same meaning
as in section 702 of the Equal Credit Opportunity Act ("ECOA").
The ECOA defines the term creditor to mean "any person who regularly
extends, renews, or continues credit; any person who regularly arranges
for the extension, renewal, or continuation of credit; or any assignee
of an original creditor who participates in the decision to extend,
renew, or continue credit.2 Section 604(g)(5)(A) of the FCRA, as
added by section 411(a) of the FACT Act ("Credit Granting Exceptions"),
provides that "[e]ach Federal banking agency and the National
Credit Union Administration shall ... prescribe regulations that
permit transactions under paragraph (2) that are determined to be
necessary and appropriate to protect legitimate operational, transactional,
risk, consumer, and other needs."
Section 604(g)(3)(C)
of the FCRA, as added by the FACT Act ("Affiliate
Sharing Exceptions"), provides for exceptions to the limitations
on affiliate sharing of medical information, including if the information
is disclosed "as otherwise determined to be necessary and appropriate,
by regulation or order . . . by the Commission, any Federal banking
agency or the National Credit Union Administration (with respect
to any financial institution subject to the jurisdiction of such
agency or Administration under paragraph (1), (2), or (3) of section
621(b))." Thus, unlike the Credit Granting Exceptions, the Affiliate
Sharing Exceptions are limited to entities subject to the jurisdiction
of the respective rule writing agencies.
Notwithstanding the plain language of the FCRA, the Agencies proposed
that their rules and, therefore, the Credit Granting Exceptions,
would only apply to certain banking institutions, their affiliates
and certain other persons. In particular, section _.1 of the Proposed
Rule identifies the financial institutions that would be covered
by the Proposed Rule if adopted by each of the respective Agencies.
OCC
Section
41.1(b)(2) of the OCC's Proposed Rule states that, except as otherwise
provided,
the regulations would apply to national banks,
federal branches and agencies of foreign banks, and their respective
operating subsidiaries that are not functionally regulated within
the meaning of section 5(c)(5) of the Bank Holding Company Act (12
U.S.C. § 1844(c)(5)).3 These are the same entities for which
the OCC is the "appropriate Federal banking agency" under
the Federal Deposit Insurance Act ("FDIA").
Board
Section 222.1(b)(2)
of the Board's Proposed Rule states that, except as otherwise provided,
the regulations would apply to banks that
are members of the Federal Reserve System (other than national banks),
branches and agencies of foreign banks (other than federal branches,
federal agencies, and insured state branches of foreign banks), commercial
lending companies owned or controlled by foreign banks, organizations
operating under sections 25 or 25A of the Federal Reserve Act, and
bank holding companies and affiliates of such holding companies.
These are the same entities for which the Board is the "appropriate
Federal banking agency" under the FDIA.
FDIC
Section 334.1(b)(2)(i)
of the FDIC's Proposed Rule states that the regulations would apply
to banks insured by the FDIC (other than
district banks and members of the Federal Reserve System) and insured
state branches of foreign banks and subsidiaries and affiliates of
such entities; and other entities or persons with respect to which
the FDIC may exercise its enforcement authority. A subsidiary of
a covered bank would not include a broker, dealer, person providing
insurance, investment company, or an investment adviser. This list
of entities goes significantly beyond the entities for which the
FDIC is the "appropriate Federal banking agency" under
the FDIA. Accordingly, the basis for this jurisdictional statement
is not clear.
OTS
Section 571.1(b)(2) of the OTS' Proposed Rule states that the regulations
would apply to savings associations or their subsidiaries, savings
and loan holding companies, or affiliates of savings associations
or savings and loan holding companies other than bank holding companies,
banks, or subsidiaries of bank holding companies or banks.
NCUA
Section 717.7(b)(2) of the NCUA's Proposed Rule states that the
regulations would apply to federal credit unions.
Discussion
The prohibition
on creditors obtaining or using medical information contained in
the FCRA has
broader application than those institutions
that appear to be covered by the Proposed Rule. More specifically,
the FCRA requires the Agencies to promulgate exceptions to the prohibition
on creditors obtaining and using medical information, except where "necessary
and appropriate to protect legitimate operational, transactional,
risk, consumer, and other needs (and which shall include permitting
actions necessary for administrative verification purposes)."4
Creditors that are not subject to the jurisdiction of the Agencies
as described in the Proposed Rule would not be able to avail themselves
of the exceptions to the restrictions on obtaining and using medical
information established by the Proposed Rule. For example, as noted
above, the ECOA definition of creditor that is used in the FCRA,
includes persons arranging credit, and certain assignees of a loan,
as well as the actual lender. These arrangers of credit often are
neither banks nor affiliates of banks and, therefore, are outside
of the scope of the coverage of the Proposed Rule.
Creation of credit-related
exceptions that only apply to banking institutions and their affiliates,
and in one case to related entities,
is not mandated by, or even consistent with, the express language
of the Credit Granting Exceptions of the FCRA and would lead to the
result that entities that are not subject to the Proposed Rule could
never obtain or use medical information in connection with granting
credit. In this regard, it is important to note that Congress, in
drafting the FACT Act, limited the application of the Affiliate Sharing
Exceptions to the creditors "subject to the jurisdiction of
such agency;" however, the Credit Granting Exceptions contain
no such limitation.
Visa believes
that any exceptions set forth in the final rule should be sufficiently
broad in scope to reflect the Congressional intent
that the Agencies promulgate regulations that create exceptions for
all creditors that are subject to the prohibition. Visa also believes
this clarification in scope is necessary in order to continue to
provide consumers with the same opportunities for credit as are available
through current legitimate market practices. Otherwise, consumers
likely will incur greater costs in obtaining credit or will be unable
to obtain credit that previously was available to them. Visa believes
that it is particularly important that the final rule cover persons that arrange credit with banks and bank affiliates. Visa also believes
that if the Agencies do not apply their rules to all creditors as
defined in the ECOA, the Agencies should issue a clarifying statutory
interpretation of the language in section 604(g)(2) that this prohibition
does not apply to creditors that do not actually determine the creditworthiness
of the individual consumer so that persons that arrange credit for
banks and other creditors and do not participate in the credit underwriting
decisions, but that are not covered by the Agencies' rules, can benefit
from the interpretation.
Exceptions to the Limitations on Obtaining or Using Medical Information
The FCRA, as amended by section 411 of the FACT Act, provides a
broad prohibition against creditors obtaining or using medical information
in connection with credit eligibility determinations, except as provided
by Agency regulations. Proposed section .30 reiterates the general
prohibition against creditors obtaining or using medical information
in connection with any determination of a consumer's eligibility
for credit, subject to the exclusions set forth in the Proposed Rule.
Section .30(a)(2)(i)(B)
of the Proposed Rule would provide that the term "eligibility, or continued eligibility, for credit" does
not include, among other things, "[a]ny determination of whether
the provisions of a debt cancellation contract, debt suspension agreement,
credit insurance product, or similar forbearance practice or program
are triggered." As drafted, we believe this provision is too
narrow. The provision should be modified in the final rule to cover
any information related to the eligibility or fulfillment of obligations
in a debt cancellation contract, debt suspension agreement, credit
insurance product, or similar forbearance practice or program. To
limit the provision only to "triggering" events would fail
to adequately protect the use of medical information in connection
with other aspects of debt cancellation contracts or debt suspension
agreements that may affect the credit available to the consumer.
For example, once a debt cancellation clause has been triggered,
a creditor would need ongoing medical information in order to ascertain
when the coverage should expire. In failing to consider all scenarios
where debt cancellation or similar forbearance practices may require
the use of medical information, the Proposed Rule creates uncertainty
regarding which functions of debt cancellation products or similar
forbearance practices or programs would be covered and which would
not. Visa also recommends that this provision be restructured as
a specific exception to the prohibition on the use of medical information,
rather than an interpretation of what constitutes "eligibility,
or continued eligibility, for credit."
In addition,
Visa believes that the Agencies should clarify in the final rule
that "similar forbearance practice or program" includes
informal forbearance practices by creditors. For example, consumers
often request that a creditor defer collecting on a loan because
of a health condition. Consumers would be disadvantaged if creditors
could not take this information into account in exercising discretion
on whether to provide additional credit or defer debt collection,
absent formal procedures with respect to these requests.
Section _.30(a)(2)(i)(C)
of the Proposed Rule excludes from the definition of "eligibility, or continued eligibility, for credit" "[a]uthorizing,
processing, or documenting a payment or transaction on behalf of
the consumer in a manner that does not involve a determination
of the consumer's eligibility, or continued eligibility, for credit." Visa
understands this exception to include all aspects of the authorization
and
approval process for individual
credit card transactions regardless of whether such authorization
or approval would involve over-limit transactions. In over-limit
transactions, a credit card issuer often cannot tell when the transaction
is approved, or whether the transaction will actually result in exceeding
the consumer's credit limit. In addition, Visa also understands that
this exclusion would apply to transaction codes (which may indicate
that the payment is for a merchant whose goods or services are medical
in nature) that accompany any authorization request. Visa believes
that the final rule should clarify that over-limit transactions and
the use of transaction codes would fall within the purview of this
exclusion.
Section _.30(c)
provides an exception from the prohibition on obtaining or using
medical
information by banks so long as certain criteria
are met. In particular, the first criteria requires that the "information
relates to debts, expenses, income, benefits, collateral, or the
purpose of the loan, including the use of loan proceeds." Visa
believes the scope of this exception does not adequately encompass
credit underwriting practices. Visa believes that the Agencies should
delete the first criteria set forth in section _.30(c)(1)(i).
Section .30(d)(1)(vi)
provides an exception from the prohibition on obtaining or using
medical information by a bank "[i]f the
consumer or the consumer's legal representative requests in writing,
on a separate form signed by the consumer or the consumer's legal
representative that the bank use specific medical information for
a specific purpose in determining the consumer's
eligibility,
or continued eligibility, for credit, to accommodate the consumer's
particular
circumstances." Section .30(d)(1)(vi)
also requires the signed written request to "describe the specific
medical information that the consumer requests the bank to used and
the specific purpose for which the information will be used." The
supplementary information to the Proposed Rule which relates to this
provision indicates that the consumer's consent should not be used
on a "routine basis" and that the consent may not be a
preprinted form for the consumer to sign. Visa believes that this
exception should not be limited to unusual circumstances nor require
a separate writing. Visa believes that requiring a separate, highly
individualized writing would place an unrealistic burden on consumers,
which may discourage consumers from seeking credit that may be necessary
for the consumers to obtain medical treatment. In addition, this
consent process would raise significant compliance issues including:
(1) determination of the adequacy of the description of the information
to be used or the purpose for which it is to be used; (2) retention
of the separate written consents, particularly if the consents are
in hard copy; and (3) determination of what constitutes a separate
form, particularly when consent is contained in electronic format.
Visa believes the final rule should permit a creditor to obtain consumer
consent for the use of medical information in any manner that reasonably
demonstrates the consumer's consent.
Unsolicited Medical Information
Section _.30(b)
of the Proposed Rule would provide that a creditor does not "obtain" medical
information if it: (1) receives medical information pertaining
to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit without specifically requesting the medical information;
and (2) does not use that information
in making the credit decision. As proposed, a creditor does not obtain
medical
information for purposes of the prohibition
on using and obtaining medical information if the receipt of such
information was unsolicited and the creditor "[d]oes not use
that information in determining whether to extend or continue to
extend credit to the consumer and the terms on which credit is offered
or continued." For practical purposes, it may be difficult for
a creditor to demonstrate that it did not use the unsolicited medical
information. Visa believes that this section should be clarified
to place the burden of proof on the person who claims his or her
information was used in a determination to extend or continue to
extend credit. Visa believes the final rule should include a presumption
that unsolicited information is not used unless the complainant can
provide specific evidence that the medical information was used to
determine the consumer's eligibility, or continued eligibility, for
credit.
Medical Information
Visa believes
that the final rule should clarify that "medical
information" must "relate to" or "pertain to" a
specific, identifiable consumer. For example, a database of information
relating to the repayment behavior of consumers, none of whom is
personally identifiable because the information has been coded or
otherwise, should not be deemed to be "medical information." If
this information were "medical information," creditors
may have difficulty in utilizing data even for analytical purposes
that have no bearing or impact on any individual.
Credit and Creditor
Sections _.30(a)(2)(ii)
and (iii) incorporate into the Proposed Rule the meanings of "creditor" and "credit" under
the ECOA. It is unclear from sections _.30(a)(2)(ii) and (iii) whether
these definitions would be limited to the text of the relevant sections
of the ECOA or also would include its implementing regulation (Regulation
B). Visa believes that the final rule should clarify that the meanings
of "creditor" and "credit" also would include
the regulatory interpretation of these terms set forth in Regulation
B, and the commentary to Regulation B.
Redisclosure of Medical Information
Section _.30(e) prohibits a creditor that receives medical information
about a consumer from a consumer reporting agency or from an affiliate
from redisclosing that information except as necessary to carry out
the purpose for which the information was initially disclosed. We
believe the creditor should be able to redisclose medical information
to regulators, attorneys, accountants and others for limited purposes,
such as fraud prevention. Visa believes the final rule should clarify
that a redisclosure made for any purpose described in section 502(e)
of the Gramm-Leach-Bliley Act is a disclosure necessary to carry
out the purpose for which the information was initially disclosed.
Flexible Spending Accounts/Healthcare Reimbursement Accounts
Some credit card issuers offer credit card products that work seamlessly
with employer-sponsored healthcare reimbursement plans or flexible
spending accounts. Employees who participate in card-accessed healthcare
reimbursement plans or flexible spending accounts can use their card to pay for eligible (reimbursable) medical expenses.
Typically, either the plan administrator or the employer must review
each expense to confirm that it is appropriately reimbursable. Even
though appropriate use of the card is dependent on a determination
that the charges are covered medical expenses, Visa is concerned
that section 604(g)(2) could be interpreted to prohibit the plan
administrator or the employer from obtaining the information necessary
to make coverage determinations if there is a credit feature associated
with the card. Visa believes that the final rule should exclude from
the prohibition on using or obtaining medical information employers,
plan administrators and card issuers who participate in medical flexible
spending account or healthcare reimbursement account programs that
utilize cards with credit features.
Use of Examples
The Proposed Rule contains several examples to illustrate activities
that would be consistent with the Proposed Rule, as well as those
that would be deemed to violate the Proposed Rule. Furthermore, the
Proposed Rule states that examples provided are not exclusive and
that compliance with an example, to the extent applicable, constitutes
compliance with the Proposed Rule. We urge the Agencies to retain
these provisions in the final rule. Visa believes that these examples
can be useful to creditors in assessing compliance with the final
rule. Furthermore, for purposes of compliance, Visa believes a creditor
should be permitted to rely on an example as a safe harbor.
Effective Date
The Agencies specifically requested comment on whether an effective
date of 90 days after the publication of the final rules is appropriate,
or whether a different effective date should be established. Visa
believes that the proposed effective date should remain the same
or provide for a longer implementation period in order to permit
covered entities to adequately assess their practices. The FACT Act
provides that the prohibition on obtaining and using medical information
shall not take effect until the implementing regulations become effective,
or as otherwise provided by regulation. Visa strongly urges the Agencies
to synchronize the effective date for the prohibition on the using
and obtaining of medical information with the effective date of the
regulatory exceptions thereto.
In conclusion,
Visa appreciates the opportunity to comment on this very important
topic. If you have any questions concerning these
comments, or if we may otherwise be of assistance in connection with
this matter, please do not hesitate to contact me, at (415) 932-2178.
Sincerely,
Russell W. Schrader
Senior Vice President and
Assistant General Counsel
________________________
1 Visa
U.S.A. is a membership organization comprised of U.S. financial institutions
licensed to use the Visa service marks in connection with payment systems.
2 15
U.S.C. § 1691a(e)
3 12
U.S.C. § 1844(c)(5)
defines "functionally regulated subsidiary" to mean a company:
(A)
that is not
a bank holding company or a depository institution; and
(B) that
is —
(i) a broker or
dealer that is registered under the Securities Exchange Act of 1934
(15
U.S.C. § 78a et seq.);
(ii) a registered
investment adviser, properly registered by or on behalf of either
the Securities
and Exchange Commission or any State, with respect to the investment
advisory activities of such investment adviser and activities incidental
to such investment advisory activities;
(iii) an investment
company that is registered under the Investment Company Act of 1940
(15 U.S.C. § 80a-1
et seq.);
(iv) an insurance
company, with respect to insurance activities of the insurance company
and
activities incidental to such insurance activities, that is subject
to supervision by a State insurance regulator; or
(v) an entity that
is subject to regulation by the Commodity Futures Trading Commission,
with respect to the commodities activities of such entity and activities
incidental to such commodities activities.
415
U.S.C. § 1681(g)(5)(A). |