July 6, 1998
Office of International Affairs
National Telecommunications and Information Administration
14th Street and Constitution Avenue, N.W.
Washington, DC 20230
Re: Department of Commerce Request for Comment Regarding Online Privacy Issues: Docket No. 980422102-8102-01
Dear Ms. Coffin:
This comment letter is submitted on behalf of MasterCard International Incorporated ("MasterCard") in response to the request for comment from the Department of Commerce regarding various aspects of privacy, including the effectiveness of self-regulation for privacy ("Commerce Request"). The comments set forth in this letter address various issues raised by the Commerce Request, in the context of the financial services industry. MasterCard appreciates this opportunity to comment on the Commerce Request.
Financial Institutions, Including Credit Card Issuers, Have a Lengthy History of Privacy Protection
In considering privacy issues as they relate to financial institutions, it is important to note that privacy is not a new issue for financial institutions. In fact, financial institutions have a long history of successfully balancing their use of customer information to service customers with the privacy concerns of those same customers. Financial institutions have long operated on the principle that personal information about customers should be avidly protected. This has resulted in the development of numerous, strong safeguards to ensure the confidentiality and proper use of customer information. As a result, financial institutions are particularly well suited to protect consumer privacy in the information age. Although the form and quantity of information may have changed, it is a change in degree, not in kind. In fact, protecting customer privacy is not only the right thing to do, but it also is important to the very success of a financial institution. For example, it is in the self-interest of each card issuer to avoid misuse of personal information, because few consumers would patronize a bank that failed to provide an adequate level of privacy for customer information. Moreover, the protection of privacy is increasingly becoming a product feature on which card issuers and other financial institutions compete. Voluntary practices that address customer privacy concerns -- such as the establishment of privacy policies by many individual card issuers -- have burgeoned in recent years.
The credit card industry in particular, and the financial services industry as a whole, have been leaders among all industries in adopting industry-wide privacy codes and principles. MasterCard has been a leader in the development and publication of privacy policies; see answer to Question 3 for more information about MasterCard's Privacy Position, attached to this letter. Many individual card issuers have established privacy policies as well. In addition, a number of financial services industry associations have established privacy policies, including the American Bankers Association and the Consumer Bankers Association. The creation of these privacy policies and the resulting consumer privacy protections have arisen out of market-driven business principles that compel credit card issuers to value and protect consumer privacy -- not from government intervention. Of course, the confidentiality of customer information is underscored through a variety of federal and state laws and regulations, as well as through the internal policies and procedures of individual card issuers.
Existing Legal and Regulatory Regimes Protect Consumer Privacy
Financial institutions, including credit card issuers, are among the most heavily regulated companies in the entire country. They already are governed by a comprehensive legal and regulatory regime, which includes federal and state statutes, federal and state regulatory agency rules, and constitutional and common law principles. This extensive regime has successfully protected consumer privacy for many years. As a result, there simply is no issue as to the adequacy or enforceability of existing consumer privacy protections for cardholders and other financial institution customers. Financial institution regulatory agencies already have the broadest possible enforcement powers, and they are directed by statute to use these enforcement powers with regard to privacy matters as well as the full range of financial institution activities, which are extensively regulated by law.
Thus, MasterCard applauds the Clinton Administration and the Department of Commerce for the intention expressed in the Supplementary Information to the Commerce Request, that the discussion paper, entitled Elements of Effective Self-Regulation for Protection of Privacy ("Discussion Paper") is designed to apply only with regard to "Internet industries and commercial activities not covered by statute or regulation." However, to avoid possible misunderstanding, we respectfully request explicit confirmation from the Department of Commerce that the Discussion Paper does not apply to industries, such as the financial services industry, that already are abundantly "covered by statute or regulation." With respect to industries that are already regulated, such as the financial services industry, privacy issues are best addressed through the existing legal and regulatory frameworks. The creation of redundant privacy requirements or initiatives -- including mandated self-regulatory mechanisms -- beyond the existing financial services regulatory regime could stifle the flow of information, impose unnecessary costs on businesses and consumers, and impede the development of new products and services that benefit consumers.
Responses to Specific Questions
1. The Discussion Paper sets out nine specific characteristics of effective self-regulation for privacy. Which of the individual elements set out in the discussion draft are necessary for self-regulation to protect privacy?
The experience of a heavily regulated sector like the financial services industry may be informative with respect to the Commerce Department's efforts in this regard. As discussed above, the principal driver behind the protection of consumer privacy in the financial services industry is the intense competition among industry members in the burgeoning electronic marketplace and elsewhere, although adequate privacy protection also is underscored by the existing legal framework that governs the industry. This competition has spurred the development of vibrant and growing industry self-regulatory efforts, such as the widespread promulgation of privacy policies by individual financial institutions, credit card issuers and industry associations.
Thus, with respect to the establishment of successful self-regulatory mechanisms, the experience of the financial services industry illustrates the importance of guiding, without impeding, the extraordinary power of market self-regulation in any self-regulatory regime. This means, consequently, that self-regulatory regimes must provide the utmost flexibility for individual companies, and industries, to respond to rapidly changing market forces. Furthermore, this means that any set of exemplary self-regulatory characteristics, such as those set forth in the Discussion Paper, should be promulgated only as guidelines, not as requirements that are applied to an entire industry or sector. The complex nature of privacy issues, and the unyielding demands of the marketplace for constant innovation, dictate that rigid requirements of general application to entities conducting business on the Internet or elsewhere will only impede the flow of information and stifle the creative development of products and services.
Therefore, while each of the nine specific characteristics set forth in the Discussion Paper has a role to play in many self-regulatory regimes, the relevance and appropriate application of each of these characteristics will vary widely by, and within, each industry, and are most appropriate for industries which presently are not subject to the type of comprehensive regulation currently applicable to financial institutions and other financial services companies. Nevertheless, the promulgation of the characteristics in the Discussion Paper as formal legal requirements would lead to unnecessary litigation about whether, for instance, a company's information sharing opt-out opportunity was sufficiently "simple, readily visible, available, and affordable" to consumers, as suggested by the Choice Principle. Similarly, numerous disputes would arise about whether a company provided consumers with sufficiently "reasonable, appropriate" access to information about the consumer, as indicated in the Consumer Access Principle. Thus, MasterCard strongly recommends that any self-regulatory principles or characteristics be set forth as guidelines only. Imposing rigid requirements will only impede the development of electronic commerce and impose unnecessary costs on industry and consumers.
3. Please submit examples of existing privacy policies.
The foundation for all of MasterCard's efforts in the area of consumer privacy is MasterCard's Privacy Position, adopted in 1995. The Privacy Position is attached to this letter and may be found online at http://www.mastercard.com/about/privacy.html. The purpose of MasterCard's Privacy Position is to provide flexible guidelines that can be adapted to meet the demands of changing technology and varying consumer expectations regarding privacy.
5. Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?
In general, financial institutions are not in the business of selling information to third parties. Most transmissions of information about financial institution customers are to consumer reporting agencies and government agencies, and both practices are thoroughly addressed under existing law. In addition, existing federal and state laws and regulations already adequately address issues associated with the transmission and use of consumer information among affiliated companies, including banks and their related companies. There is absolutely no need for additional limitations on the transmission or use of information between affiliated entities, and little need for new rules regarding transmission of information between unaffiliated entities. Thus, any additional requirements would be both costly and unnecessary. For instance, the transmission of information, whether between affiliated or unaffiliated persons or other entities, is governed by the recently-revised federal Fair Credit Reporting Act ("FCRA"). In particular, the FCRA mandates that, before non-experience consumer information is shared among affiliated companies, consumers must be clearly and conspicuously informed of the possibility that such sharing will occur and be provided an opportunity to opt out of the sharing arrangement altogether.
It is important to emphasize that the FCRA can apply to any person or other entity transmitting information to third parties, not just to credit bureaus, financial institutions and other creditors. It also is important to note that the FCRA allows only affiliated companies to share such consumer information, and then only after provision to the consumer of notice and an opportunity to opt out. If any person or other entity -- such as a hospital, an Internet service provider, a so-called "data warehouse," or an individual computer "hacker" -- were to share consumer information with unaffiliated third parties for most eligibility purposes, the person or entity would become a consumer reporting agency subject to the many burdensome, complex and onerous requirements of the FCRA.
The FCRA, however, is not the only federal law mandating that disclosures be made to consumers in connection with information sharing activities. For instance, since 1978 financial institutions have been required by the Electronic Funds Transfer Act and its implementing Regulation E to inform consumers about the institution's information sharing practices with regard to any deposit accounts that are subject to electronic fund transfers ("EFTs"), which today includes virtually all deposit accounts at all financial institutions. More specifically, as part of the initial disclosures required at the inception of the consumer's EFT relationship with the institution, Regulation E requires disclosure of the circumstances under which a financial institution in the ordinary course of business will disclose information concerning a consumer's deposit account with third parties if the deposit account can have any EFTs. And it is important to recognize that this disclosure rule applies to all deposit account information, not just information about EFTs.
In addition, a number of state laws govern the disclosure of consumer information by financial institutions to third parties, including information relating to EFTs, credit card holders and their credit card accounts, and other personal financial information. Furthermore, existing federal and state laws address and penalize financial fraud, including the unauthorized use of personal information maintained by financial institutions. These laws include statutes prohibiting mail fraud, wire fraud and the making of false statements to financial institutions to obtain credit. In fact, information maintained by financial institutions and government agencies is subject to special recognition and protection under the federal Computer Fraud and Abuse Act.
Thus, there simply is no need for additional requirements or limitations on the communication or use of consumer information by credit card issuers and other financial institutions, whether among affiliated entities or between unaffiliated third parties. A complex web of federal and state laws already adequately regulates the transmission of such information.
6. Please comment specifically on the elements set out in the draft Discussion Paper that deal with enforcement (verification, recourse, and consequences). How might verification be accomplished? What would constitute adequate verification, i.e., in what instances would third-party verification or auditing be necessary?
There has been a good deal of discussion about the possible establishment of third-party entities that would verify and audit the adequacy and/or enforceability of a business's privacy policies. Such verification might, for instance, take the form of a "seal of approval" or other means of certification. It is possible that such third-party verification mechanisms might be useful with regard to certain industries that are currently unregulated by federal or state regimes. However, there is absolutely no role for such third-party verification schemes in the context of industries that already are subject to comprehensive regulation.
Consequently, requiring financial institutions to participate in third-party verification schemes would only impose unnecessary costs on industry without providing any meaningful benefits to customers. It simply is not possible to have third-party verification more complete or effective than bank regulators already provide for financial institutions, including their consumer protection efforts.
14. The Administration's A Framework for Global Electronic Commerce cites the need to strike a balance between freedom of information values and individual privacy concerns. Please comment on the appropriate point at which that balance might be struck.
While modern information technology enables financial institutions to provide consumers with unparalleled product and service opportunities, the use of such information is necessarily balanced with the fundamental commitment of financial institutions to maintaining the privacy of a customer's personal information. Thus, the electronic payments systems provide an excellent example of how credit card issuers and other financial institutions have balanced their use of personal customer information with the protection of personal privacy. Today's electronic payments systems are highly secure and limit access to personal information to those parties that are actually involved in effectuating an electronic payment. Further, not only is personal customer information tightly controlled within electronic payments systems, it ordinarily is not disclosed to unaffiliated third parties (other than to credit bureaus or law enforcement agencies as required by law). While a credit card issuer or other financial institution may use customer information to protect itself against fraud and economic loss, as well as to help determine the additional products or services in which a customer may be interested, personal customer information is carefully guarded to ensure that it is not accessed by unaffiliated third parties.
In this way, card issuers and other financial institutions achieve a balance between consumer privacy protection and the use of consumer information. In fact, their commitment to consumer privacy means that such customer information actually is less available than would otherwise be the case. It is important to note that this protection of consumer privacy has not resulted from government or other regulatory intervention. Instead, it emanates from the intense competition that characterizes the financial services industry, although this protection is underscored by the existing comprehensive legal framework that governs the industry, and by the willingness of courts across the country to recognize and protect the reasonable expectations of privacy of financial institution customers. Thus, with respect to the establishment of successful self-regulatory mechanisms, the experience of the financial services industry, and the credit card industry in particular, illustrates the importance of guiding, and not impeding, the tremendous power of market self-regulation in any such regime. Again, this means that self-regulatory regimes must provide utmost flexibility for individual companies, and industries, to respond to rapidly changing market forces.
* * * *
Once again, MasterCard appreciates this opportunity to comment on the important issues raised by the Commerce Request. If you have any questions concerning these comments, or if we can otherwise be of assistance, please do not hesitate to contact me at (914) 249-5595.
Noah J. Hanft