WISCONSIN BANKERS ASSOCIATION
July 23, 2004
Jennifer J. Johnson,
Secretary
Board of Governors of the Federal
Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No. R-1199
Office of the Comptroller of the Currency
250 E Street, SW
Public Reference Room
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Attention: RIN No. 3064-AC77
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2004-26
Re: Docket No. R-1199; Docket No. 04-13; RIN # 3064-AC77; No. 2004-26
Dear Sir or Madam:
The Wisconsin Bankers Association (WBA) is the largest financial
institution trade association in Wisconsin, representing over 300 state
and nationally chartered banks, savings and loans associations, and
savings banks located in communities throughout the State.
The WBA appreciates the opportunity to comment on the proposed rule
issued by the Office of the Comptroller of the Currency (OCC), the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit
Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS)
(hereinafter, the Agencies), concerning the implementation of section
216 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act),
which amends the Fair Credit Reporting Act (FCRA) by creating a new
section 628. The proposed rule would require financial institutions to
develop, implement, and maintain appropriate measures to properly
dispose of "consumer information." The FACT Act mandates that the
Agencies' regulations be consistent with the Gramm-Leach-Bliley Act (GLB
Act), as well as other federal laws.
The WBA recognizes the importance of creating and implementing
reasonable measures to protect consumers in general, as well as
customers, from the unauthorized access and use of personal private
financial information. Therefore, to this end, the WBA supports the
proposed amendments to the Interagency Guidelines Establishing Standards
for Safeguarding Customer Information (Guidelines). The WBA,
nevertheless, would like to direct the Agencies' attention to the
following issues created by the Guidelines as currently written.
The Definition Of "Consumer Information" Is Exceedingly Broad And
The Agencies Should Further Clarify The Interpretation Of The Statutory
Phrase "Derived From Consumer Reports."
First, the proposed language defines "consumer information" as "any
record about an individual, whether in paper, electronic, or other form,
that is a consumer report or is derived from a consumer report and that
is maintained or otherwise possessed by or on behalf of the bank for a
business purpose." The definition also encompasses a compilation of such
records. The WBA believes that the use of the word "any," without more,
and in conjunction with the statutory phrases "derived from a consumer
report" and "compilation of such records" is exceedingly broad. Thus,
literally any record a financial institution has which is derived from a
compilation of consumer report data, but which contains no nonpublic
personally identifiable information would end up
being disposed of pursuant to guidelines intended to protect the
security, confidentiality, and integrity of sensitive nonpublic
information. Mandating that "consumer information" must have personally
identifiable information would eliminate ambiguities associated with the
phrase "any record about an individual."
Second, the WBA believes that the current attempt to distinguish
between "customer" and "consumer" information does not espouse the
interests of consistency and clarity. The WBA appreciates the Agencies'
attempt to explain the difference between these two terms; however, the
Agencies noted that the definitions "will sometimes overlap, but will
not always coincide." Operationally this has the potential to become
confusing and problematic for the employees of the affected
institutions, as they are the individuals that ultimately put theory
into practice.
The WBA believes consistency and clarity require that the same
definition be used for both, "customer" and "consumer," the common
element between these two being the sensitive issue of nonpublic
personally identifiable information. In defining "customer information",
part I, section C.2.c. of the current Interagency Guidelines
Establishing Standards for Safeguarding Customer Information relies on
Regulation P, 12 CFR 216.3(n), to define "nonpublic personal
information." The definition, incorporated herein as Appendix A*, centers
around "personally identifiable information." The definition for
"consumer information" should also have this very important phrase.
Using this phrase in the definition would promote clarity and
consistency, and would build upon the practical and legal knowledge
institutions have already acquired with respect to "personally
identifiable information."
Third, the actual language of the proposed rule does not define
"derived from a consumer report." The supplementary information,
however, does provide a very useful description of the scope and meaning
of the statutory phrase. The WBA believes the Agencies were heading in
the right direction in anticipating this issue and in specifically
requesting comments about this statutory phrase. The Agencies should
incorporate examples or substantive language suitable for the
Guidelines' current format. The WBA believes that the use of Regulation
P's "nonpublic personal information" in the definition of "consumer
information" would bring into sharper focus the scope of the statutory
phrase in question.
The Proposed Rule's Current Language May Impose More Requirements
In Wisconsin Than Under Current State Law
Absent explicit language about personally identifiable information,
the WBA believes that the proposed rule would impose stricter
requirements than the current requirements of Wisconsin law. Our State
law is very specific, whereas the language of the proposed rule is more
general in substance. Section 895.505 of the Wisconsin Statutes, in
relevant part, incorporated herein as Appendix B*, enumerates four
different procedures financial institutions must follow in order to
dispose of records containing personal information. These requirements
more or less follow the requirements of the Guidelines. The only point
of contention results from our statute defining "personal information"
and the proposed rule not limiting the scope of the information to
records containing sensitive information. As the WBA pointed out above,
the scope of the proposed rule, as drafted, would reach records that do
not contain sensitive format. Since the proposed rule, without
modification, will likely impose unnecessary additional obligations not
required under Wisconsin law, the WBA urges the Agencies to amend the
definition of "consumer information" to include personally identifiable
information. If that were done, the definition of "consumer information"
would be consistent with the definition of "customer information" and
Wisconsin State law.
The Proposed Rule Should State That "Dispose" Or "Disposal"
Excludes The Sale Or Transfer Of Records For Value.
Current Wisconsin law, Wis. Stat. § 895.505, defines "dispose" as
"not includ[ing] a sale of record or the transfer of a record for
value." The Federal Trade Commission's (FTC) version of the proposed
rules addresses this point by defining "dispose" and "disposal." The FTC
was urged to clarify that "dispose" or "disposal" does not include the
sale, donation, or transfer for value of consumer information. Absent
that clarification, current information sharing arrangements would be
disrupted.
The Agencies' version does not address this point. The WBA,
therefore, encourages the Agencies to define the word "dispose" and
"disposal" to exclude the sale or transfer for value of records or media
containing personally identifiable information. The current version of
the Interagency Guidelines Establishing Standards for Safeguarding
Customer Information does not explicitly define this term. Without
clarification, it would be possible to argue that "disposal" or
"dispose" includes the sale, donation, or transfer of consumer
information pursuant to sharing arrangements. The WBA is concerned that
such an interpretation may disrupt current information sharing
arrangements.
Finally, interagency coordination should result in assuring that any
financial institution subject to examination under the Guidelines by one
of the Agencies is not mandated to comply with the obligations under the
FTC's disposal rule even if there is joint jurisdiction.
Conclusion
The WBA directs the Agencies' attention to a number of issues. First,
the proposed "consumer information" definition, without referring to
personally identifiable information, is exceedingly broad. Second, the
Agencies' attempt to distinguish between "consumer" and "customer"
information is confusing and problematic. The definition of "consumer
information," just as in the definition of "customer information,"
should refer to personally identifiable information. These changes, if
made by the Agencies, would facilitate the operations of Wisconsin
financial institutions because the Guidelines would be consistent with
our State law. Third, the Guidelines should include language or examples
that elaborate on the "derived from consumer report" statutory phrase.
The use of personally identifiable information in the language or
examples would bring the scope of the phrase into sharper focus.
Finally, the Agencies should define the word "disposal" to exclude the
transfer for value or sale of records or media containing such records.
The WBA appreciates the opportunity to comment on the proposed rule
issued by the Agencies and generally supports the proposed amendments to
the Guidelines, subject to the noted changes.
Sincerely
Kurt R. Bauer
Executive Vice President/CEO
Wisconsin Bankers Association
4721 South Biltmore Lane
Madison, WI 53718
* Attachments not posted here. For copies of the Attachments
contact the FDIC Public Information Center at
http://www.fdic.gov/news/publications/PIChardcopies.html