July 6, 1998

VIA HAND

Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
Room 4898
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Re: Comment Letter on Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy
Dear Ms. Coffin:
Visa U.S.A. Inc. ("Visa") is pleased to file this comment letter with the National Telecommunications and Information Administration ("NTIA") of the Department of Commerce in response to its request for public comment (the "Proposal") on the draft paper, "Elements of Effective Self Regulation for the Protection of Privacy" (the "Discussion Paper"). Visa is proud of its vanguard efforts, as well as those of its member financial institutions, in appreciating and addressing consumer privacy issues. Visa hopes that its experiences and views as set forth in this comment letter will be useful to the Department of Commerce as it considers consumer privacy issues in the context of the Internet and electronic commerce.
Visa is a joint venture comprised of over 21,000 financial institution members from around the world that have issued over 618 million Visa payment cards. These cards are accepted at more than 14 million merchant locations and 380,000 automated teller machines worldwide. Visa -- which provides transaction authorization, clearing and settlement, risk management and related services to member financial institutions -- supports more than $1 trillion in Visa-related payment transactions annually throughout the world. Visa's transactions volume in the United States is approximately $470 billion per year. At peak volume, Visa systems process over 2,400 card-related transactions per second.
As discussed in greater detail below, Visa believes strongly that, at least in the financial services industry, privacy issues are best resolved by individual financial institutions responding to market forces in the context of their unique products and services and their customers' privacy-related concerns. The Administration in general and the Department of Commerce in particular can and should play an important role in educating both Internet industries and consumers on privacy issues. However, the Department of Commerce should not impose -- and the Discussion Paper should not be a prelude to or a means of imposing -- rigid privacy requirements across the diverse range of providers within the financial services industry. As discussed below, government-mandated privacy requirements will inevitably be detrimental to consumers by denying them new products and services and significantly raising the costs of existing products and services.
Visa has set forth below a number of general comments on information privacy, the role of industry self-regulation, and the Discussion Paper. These general comments are followed by specific responses to many of the specific questions raised in the Proposal.
A. General Comments
1. Information Technologies Provide Unparalleled Opportunities for Consumers.
In considering privacy issues as they relate to financial institutions, it is important to stress at the outset that modern electronic information technologies provide a number of extraordinary benefits to consumers. The increased availability of information enables the efficient development of a broad array of new financial products and services, which help financial institutions to better serve their customers. Moreover, these data technologies allow consumers to have ready access to, and more information about, this multitude of new product offerings. Simply put, today consumers have immediate access to a wealth of information about a new world of financial products and services that were not even imaginable a decade ago.
These technologies also allow financial institutions to better direct information about and offers of products and services to consumers who are most likely to be interested. As a result, consumer access to information about products and services is heightened while the amount of information about offers or opportunities in which the consumer is unlikely to be interested is simultaneously diminished. For example, a financial institution may develop a credit card product that has unique features for frequent personal or business travelers, such as free hotel upgrades. It is in everyone's interest -- issuer and consumer alike -- for the issuer to access its customer information and marketing data to identify those of its existing or potential customers that would most likely be interested in this new credit card. Thus, at least in the context of financial institutions and their products and services, the interests of consumers and financial institutions with regard to the use of consumer data in the information age are not opposed, but rather are consistent.
2. Financial Institutions, Including Credit Card Issuers, Have a Long and Successful History of Privacy Protection.
Privacy is not a new issue for financial institutions. In fact, financial institutions have a long history of successfully balancing their use of customer information to service customers with the privacy concerns of those customers.
Financial institutions have long operated on the principle that personal information about customers should be vigorously protected. This has resulted in the development of numerous, strong safeguards to ensure the confidentiality and proper use of customer information. These safeguards include, among others, secure database and communications facilities, internal policies and procedures, employee training, and written agreements with merchants, third party processors and others that prevent unauthorized disclosure of customer information.
As a result, financial institutions are particularly well-suited to protect consumer privacy in the information age. Although the form and quantity of information may have changed, it is a change in degree, not in kind.
In fact, protecting customer privacy is not only the right thing to do, but it also is critical to the very business success of the financial institution. For example, it is in the self-interest of each card issuer to avoid misuse of personal information, because few consumers would patronize a financial institution that failed to provide a market-acceptable level of privacy for its customer information.
An example of all of this in the context of the Visa payments system is the Secure Electronic Transaction, or SET, protocol. Due in part to concerns about the interception of consumer card information transmitted over the Internet to effect payment for Internet transactions, Visa along with MasterCard (and leading technology vendors like VeriSign, IBM, Microsoft and Netscape) developed the SET protocol to ensure security for these Internet payment transactions. The SET protocol uses digital signature technology and encryption to shield the transmission over the Internet of confidential payment information from access by unauthorized parties. Indeed, the SET protocol even allows a merchant to accept Visa card payments without the need to know a cardholder's account number -- an additional level of security not even provided in today's physical card environment. The SET protocol has been endorsed by the financial industry and the payment card industry as the standard for payment transactions on the Internet. SET is currently being implemented in more than twenty-five countries around the world to enable electronic commerce.
Moreover, the protection of privacy is increasingly becoming a product feature on which card issuers and other financial institutions compete. Voluntary practices that address customer privacy concerns -- such as the establishment of privacy policies by many individual card issuers -- have burgeoned in recent years. When financial institutions make these privacy policies available to their customers and the public in general, individuals can evaluate these policies when considering whether to do business with the particular financial institution.
In fact, the credit card industry in particular, and the financial services industry in general, have been leaders among all industries in adopting privacy principles and codes. Visa was one of the first to develop and provide to its financial institution members for their consideration exemplar privacy principles. Visa provided these exemplar privacy principles to its members in 1995, in order to assist them in developing their own privacy policies as they determined appropriate in view of their specific circumstances. In addition, a number of other financial services industry associations have since established privacy principles, including the American Bankers Association and the Consumer Bankers Association. Many card issuers have established privacy policies for themselves, based in whole or in part on these industry exemplar principles.
The creation of these consumer privacy protections, such as the SET protocol and financial institution privacy policies, has arisen out of market-driven business principles that compel credit card issuers to value and protect consumer privacy -- not from government action. Of course, as discussed below, the confidentiality of financial institution customer information is also underscored through a variety of federal and state laws and regulations, enforced by federal and state banking regulators.
3. Existing Legal and Regulatory Regimes Protect Consumer Privacy.
Financial institutions, including credit card issuers, are among the most heavily regulated companies in the entire country. They already are governed by a comprehensive legal and regulatory regime, which includes federal and state statutes, federal and state regulatory agency rules, and constitutional and common law requirements. A detailed discussion of this legal and regulatory regime as it relates to consumer privacy is provided below.
This extensive regime has successfully protected consumer privacy for many years. There simply is no issue as to the adequacy or enforceability of existing consumer privacy protections for cardholders and other financial institution customers. Financial institution regulatory agencies already have the broadest possible enforcement powers, and they are directed by statute to use these enforcement powers with regard to privacy matters as well as the full range of financial institution activities. For example, these regulatory agencies have the statutory authority to sanction a financial institution for consumer privacy violations with a cease and desist order, civil money penalties, and the removal of the responsible officers or directors.
Thus, Visa supports the Administration and the Department of Commerce for the intention expressed in the Supplementary Information issued along with the Proposal that the Discussion Paper is designed to apply only with regard to "Internet industries and commercial activities not covered by statute or regulation." Where there are applicable other statutes and regulations, there is no need for the additional guidance provided in the Discussion Paper. Indeed, the Discussion Paper could well have unintended adverse consequences to the extent it is inconsistent with this other law. In this event, entities could be put in the untenable situation of violating either the Department of Commerce requirements or the requirements of the other law.
To avoid possible misunderstanding, we hereby request explicit confirmation from the Department of Commerce that the Discussion Paper does not apply to industries, such as the financial services industry, that already are abundantly "covered by statute or regulation." With respect to industries that are already so regulated, such as the financial services industry, privacy issues are best addressed through the existing legal and regulatory frameworks. The creation of redundant and potentially inconsistent privacy requirements or initiatives -- including mandated self regulatory mechanisms -- beyond the existing financial services regulatory regime could for the reasons discussed above stifle the flow of information, impose unnecessary costs on businesses and consumers, and impede the development of new products and services that benefit consumers.
B. Comments to Selected Specific Questions
1. Proposal Question 1: The Discussion Paper sets out nine specific characteristics of effective self regulation for privacy. Which of the individual elements set out in the discussion draft are necessary for self regulation to protect privacy?
The experience of a heavily regulated sector like the financial services industry may be instructive with respect to the Department of Commerce's consideration of the necessary characteristics of self regulation.
As discussed above, the principal driver behind the protection of consumer privacy in the financial services industry is the intense competition among industry members in the burgeoning electronic marketplace and elsewhere, although adequate privacy protection also is underscored by the existing legal framework governing the industry. This competition has spurred the development of vibrant and growing industry self-regulatory efforts, such as the widespread promulgation of privacy policies by individual credit card issuers and other financial institutions.
Thus, with respect to the establishment of successful self regulatory mechanisms, the experience of the financial services industry illustrates the importance of guiding, without impeding, the extraordinary power of market self-regulation in any self regulatory regime. This means, consequently, that self regulatory regimes must provide the utmost flexibility for individual companies, and industries, to respond to rapidly changing market forces.
Furthermore, this means that any set of exemplary self-regulatory characteristics, such as those set forth in the Discussion Paper, should be promulgated only as guidelines, not as requirements that are applied to an entire industry or sector. The complex nature of privacy issues, and the unyielding demands of the marketplace for constant innovation, dictate that rigid requirements of general application to entities conducting business on the Internet or elsewhere will only impede the flow of information and stifle the creative development of products and services.
Moreover, the promulgation of the characteristics in the Discussion Paper as formal legal requirements would lead to unnecessary litigation about whether, for instance, a company's information sharing opt-out opportunity was sufficiently "simple, readily visible, available, and affordable" to consumers, as suggested by the Choice Principle. Similarly, disputes would arise about whether a company provided consumers with sufficiently "reasonable, appropriate" access to information about the consumer, as indicated in the Consumer Access Principle.
Thus, while each of the nine specific characteristics set forth in the Discussion Paper has a role to play in many self-regulatory regimes, the relevance and appropriate application of each of these characteristics will vary widely by, and within, each industry. Imposing rigid requirements on or across industries will only impede the development of electronic commerce and impose unnecessary costs on industry and consumers.
2. Proposal Question 3: Examples of existing privacy policies.
3. Proposal Question 5: Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?
In general, financial institutions are not in the business of selling information to third parties. Most transmissions of information about financial institution customers are to consumer reporting agencies and government agencies, and both practices are thoroughly addressed under existing law. In addition, existing federal and state laws and regulations already thoroughly address issues associated with the transmission and use of consumer information among affiliated companies, including banks and their related companies.
Reporting of information to government agencies is governed by the federal Right to Financial Privacy Act. In summary, the Right to Financial Privacy Act requires a government agency to obtain the written authorization of the customer, or a subpoena or search warrant from a court, prior to seeking the customer's information from a financial institution. The Right to Financial Privacy Act also requires, subject to certain exemptions, that the customer receive notice prior to the release of the customer's information to the government agency.
Other financial institution transmissions of information, whether between affiliated or unaffiliated persons or other entities, are governed by the recently revised federal Fair Credit Reporting Act ("FCRA"). In particular, the FCRA mandates that, before non-experience consumer information is shared among affiliated companies, consumers must be clearly and conspicuously informed of the possibility that such sharing will occur and be provided an opportunity to opt out of the sharing arrangement altogether.
Moreover, if non-experience consumer information is shared with an unaffiliated third party, absent a specific FCRA exemption, the provider of that information would become a consumer reporting agency subject to the many burdensome, complex and onerous requirements of the FCRA. For instance, under the FCRA a person or other entity that becomes a consumer reporting agency must, among other things: (i) adopt reasonable procedures to ensure the "maximum possible accuracy" of the information furnished; (ii) disclose to a consumer upon request and proper identification all information contained in the consumer's file (except information concerning credit scores or any other risk scores or predictors relating to the consumer), the sources of that information, what persons or entities have received that information within the last year (or two years if the request pertained to employment), and the dates and amounts of any checks upon which an adverse characterization is based; (iii) ensure that obsolete information (i.e., older than seven years, or ten years for bankruptcy information) is not reported to third parties; (iv) develop specific procedures to resolve accuracy disputes with consumers; (v) provide reports only for permissible purposes as delineated under the FCRA; and (vi) train personnel sufficiently to explain information that is furnished to subscribers and consumers.
The FCRA, however, is not the only federal law mandating that disclosures be made to consumers in connection with information sharing activities. Since 1978, financial institutions also have been required by the Electronic Fund Transfer Act and its implementing Regulation E to inform consumers about the institution's information sharing practices with regard to any deposit accounts that are subject to electronic fund transfers ("EFTs"), which today includes virtually all deposit accounts at all financial institutions.
More specifically, as part of the initial disclosures required at the inception of the consumer's EFT relationship with the institution, Regulation E requires disclosure of the circumstances under which a financial institution in the ordinary course of business will disclose information concerning a consumer's deposit account with third parties if the deposit account can have any EFTs. It is important to recognize that this disclosure rule applies to all deposit account information, not just information about EFTs.
In addition, a number of state laws govern the disclosure of consumer information by financial institutions to third parties, including information relating to EFTs, credit card holders and their credit card accounts, and other personal financial information.
Furthermore, existing federal and state laws address and penalize financial fraud, including the unauthorized use of personal information maintained by financial institutions. These laws include statutes prohibiting mail fraud, wire fraud and the making of false statements to financial institutions to obtain credit. In fact, information maintained by financial institutions and government agencies is subject to special recognition and protection under the federal Computer Fraud and Abuse Act.
Finally, when transferring customer information to third parties for legitimate business reasons (e.g., storage) in accordance with the applicable law described above, the financial institution typically enters into a written agreement with that third party to ensure the confidentiality of that customer information. These written agreements generally impose confidentiality requirements on the third party's use, disclosure or transfer of the customer data. The financial institution has a number of incentives outside of any law or regulation to ensure that the third party does not misuse this customer data. These incentives include a concern for the privacy of its customers and a desire to ensure customer information is not obtained by a competing financial institution. In any event, the federal banking regulators require third party agreements of this nature, and examine the financial institution and often the third party to ensure that these agreements are in place and are being complied with. In the unlikely event that the third party violates the confidentiality agreement, the financial institution can bring an action in the courts to enforce the confidentiality provisions and/or to obtain appropriate damages from the third party.
Thus, there is absolutely no need for additional requirements or limitations on the communication or use of consumer information by credit card issuers and other financial institutions, whether among affiliated entities or between unaffiliated third parties. A complex web of federal and state laws, as well as required contractual agreements, already adequately regulate the credit card issuers and other financial institutions in this regard. Any additional requirements would be both costly and entirely unnecessary, and run the risk of inconsistency with the already applicable legal requirements.
4. Proposal Question 6: Please comment specifically on the elements set out in the draft Discussion Paper that deal with enforcement (verification, recourse, and consequences). How might verification be accomplished? What would constitute adequate verification, i.e., in what instances would third-party verification or auditing be necessary?
There has been a good deal of discussion about the possible establishment of third party entities that would verify and audit the adequacy and/or enforceability of business privacy policies. Such verification might, for instance, take the form of a "seal of approval" or other means of certification. It is possible that such third party verification mechanisms might be useful for certain industries; however, it is totally unnecessary for the financial services industry. Financial institutions have long been subject to third party verification of their compliance with all applicable laws by federal and state banking agencies.
Federal and state financial institution regulators already perform comprehensive and regular examinations of financial institutions and their practices. Indeed, for larger financial institutions, examiners are located permanently on-site at the financial institution. Not only are credit card issuers and other financial institutions subject to regular examinations of their overall activities, but they also are subject to special examinations of their compliance with all applicable consumer protection laws. No other companies in the United States are subject to such regular, comprehensive consumer law compliance examinations.
Financial institution regulators also have the broadest possible enforcement powers and are directed by existing statutes to use these enforcement powers to address unfair and deceptive or unsafe and unsound practices by financial institutions and their affiliates, including credit card issuers. As discussed above, these enforcement powers include cease and desist orders, civil money penalties and removal of officers and directors.
Consequently, requiring financial institutions to participate in third party verification schemes would only impose unnecessary costs on industry without providing any meaningful benefits to customers. It simply is not possible to have third party verification more complete or effective than bank regulators already provide for financial institutions, including their consumer protection efforts.
5. Proposal Question 14: The Administration's A Framework for Global Electronic Commerce cites the need to strike a balance between freedom of information values and individual privacy concerns. Please comment on the appropriate point at which that balance might be struck.
As previously discussed, while modern information technology enables financial institutions to provide consumers with unparalleled product and service opportunities, the use of such information is necessarily balanced with the fundamental commitment of financial institutions to maintaining the privacy of personal customer information.
Thus, the electronic payments systems provide an excellent example of how credit card issuers and other financial institutions have balanced their use of personal customer information with the protection of personal privacy. Today's electronic payments systems are highly secure and limit access to personal information to those parties that are actually involved in effecting an electronic payment. Through advances such as the SET protocol discussed above, this will continue to be true as payments are made in new ways such as over the Internet.
Further, not only is personal customer information tightly controlled within electronic payments systems, it ordinarily is not disclosed to unaffiliated third parties, other than to credit bureaus or law enforcement agencies, in accordance with the applicable law discussed above. While a credit card issuer or other financial institution may use customer information to protect itself against fraud and economic loss, as well as to help determine the additional products or services in which a customer may be interested, personal customer information is carefully guarded to ensure that it is not accessed by unaffiliated third parties.
As discussed above, this protection of consumer privacy has not resulted from government or other regulatory intervention. Instead, it emanates from the intense competition that characterizes the financial services industry, although this protection is underscored by the existing comprehensive legal framework that governs the industry, bank regulator enforcement, and by the willingness of courts across the country to recognize and protect the reasonable expectations of privacy of financial institution customers.
Thus, with respect to the establishment of successful self regulatory mechanisms, the experience of the financial services industry, and the credit card industry in particular, illustrates the importance of guiding, and not impeding, the power of market self-regulation. These self regulatory regimes must provide the utmost flexibility for individual companies, and industries, to respond to rapidly changing market forces.
* * * * *
Visa appreciates this opportunity to comment on the Proposal generally and the Discussion Paper specifically. If the Department of Commerce has any questions concerning this letter, please do not hesitate to contact me, at (650) 432-3111.
Russell W. Schrader
Senior Vice President
Enclosures: Visa exemplar privacy principles
Three Copies of Original Letter
Computer Diskette w/Copy of Letter in MSWord Version 6.0