July 2, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
Room 4898
14th Street and Constitution Avenue, NW
Washington, DC 20230
Re: Docket No. 980422102-8102-01
Dear Ms. Coffin:
The American Bankers Association welcomes this opportunity to comment on the critical issue of self-regulation in the area of on-line privacy. The financial services industry believes strongly that our history of protecting customer data is unmatched in the private sector and is, in fact, better than most of the United States government. The National Telecommunications and Information Administration (NTIA) is seeking comment on the Department of Commerce staff discussion paper "Elements of Effective Self Regulation for Protection of Privacy" as well as on a series of questions concerning online privacy protection.
The American Bankers Association ("ABA") brings together all categories of banking institutions to best represent the interests of this rapidly changing industry. Its membership - which includes community, regional, and money center banks and holding companies, as well as savings associations, trust companies, and savings banks - makes ABA the largest banking trade association in the country.
It is important to note that the Administration has stated, time and time again, its support for private sector leadership in the area of privacy protection. This position has always been couched with the warning that government action will take place if self-regulation is considered insufficient. We maintain that there can be no imposition of regulation without careful analysis of all sectors of the United States economy. ABA believes that any objective analysis of the financial services sector will lead the government to conclude that the industry fulfills the "elements" of self-regulation.
The request for comment contains a series of questions related to the Staff Discussion paper. The following are brief responses to those questions as posed in the June 8 Federal Register notice:
- The characteristics of effective self-regulation in the Commerce Department "elements paper" are useful guides for the private sector to consider when crafting their own policies and procedures. ABA and the other banking trade groups developed joint industry privacy guidelines based on similar themes. It is important to note that there must not be a "one-size-fits-all" response to privacy oversight. Instead, each institution should be free to develop its own policies and procedures.
As a heavily regulated industry, the banking industry already knows the major costs of implementing privacy tools for data security such as encryption. While the expense is great, it also proves the extent to which the industry will go to protect data. Data authentication is a necessary element for effective privacy and banking companies match up favorably with other industries in this critical area.
- As the attached white paper so clearly points out, the banking industry is a model of privacy protection and this is due to the myriad of federal and state laws, along with case law, that cover customer data in the financial sector. Our industry has supplemented those laws and regulations with an aggressive array of privacy and security policies designed by each institution to fit its needs. This system works and the lack of measurable consumer complaints attests to this fact.
- Attached for your information are several examples of institution policies as well as a list of bank website addresses dedicated to security and privacy. The ABA continues to offer this resource to both consumers and bankers.
- While the area of enforcement has received due attention from the government, it must be reemphasized that the banking industry already has ample checks on its privacy requirements. In addition to the obvious government enforcement spelled out in the attached paper, the "market" is one of the truest enforcement mechanisms that will protect consumer privacy. Consumers will lose confidence in companies that fail to disclose or uphold their stated privacy policies. If we are sincere about the private sector leading the way to strong privacy protection, then consumers must be allowed to decide where they will go.
- The banking industry is required to give customers the opportunity to opt-out of sales of information to third parties. In addition, the joint industry privacy guidelines, released in September 1997, anticipate this issue by suggesting that third parties be held to similar privacy standards as the institution. This can be accomplished by contract and by specific reference to the privacy guidelines on this point.
- In addition to what is mentioned above and in the white paper, the banking industry supports the passage of federal identity theft legislation that would give consumers the recourse needed to punish individuals that violate one’s personal privacy. For example, anyone who gains access to someone’s identity with the purpose of defrauding that individual would face criminal sanctions and be required to provide restitution under several pending legislative initiatives.
As far as reasonable access to personal information, it should also be noted that financial institutions are required to report possible violations of law including various types of fraud and money laundering. This is not a requirement faced by many other private sector members but has long been part of the banking environment. As such, the industry would be placed in a legal quandary if forced to choose between total access to financial information and fulfilling the reporting mandate. Therefore, the industry does provide opportunity for customers to correct mistakes but cannot allow unfettered access to all information because some may be necessary to the reporting of a possible crime.
- The sanctions for privacy violations in the financial sector are many and are included in the attached paper. The government must assist the private sector in explaining this fact to consumers and global critics.
- One of the ways to make self-regulation effective is to recognize that the consumer needs information about the company he or she plans to do business with. For example, rather than focus on auditing requirements and the use of seals, a better approach would be a public/private sector privacy education program. This "partnership" should include the education of all parts of the business community and simply offer examples of privacy policies, whom to contact in the company with problems, and what recourse exists for problem solving. Use of a seal or some other self-certifying measure fails to give the consumer credit for their ability to decide if an institution’s privacy policy measures up to public scrutiny. With regulatory sanctions in place and an aggressive media, the consumer is well protected. A seal is a placebo of protection that is no substitute for an institution’s own, individually crafted privacy policy.
- Financial institutions participate in many forums which can be termed self-regulatory. The processing of checks, use of automated teller machine networks and rules regarding merchants are all examples where banks band together to assure the free flow of commerce.
- On-line privacy can be adequately protected in a self-regulatory environment if government leaders monitor developments and the private sector does not abuse the trust of its customers. Good faith dialogue on problems and solutions and the ability of everyone concerned to recognize the necessary balance of information gathering with mandates such as fraud prevention, will prevent overreaction and damage to the emerging electronic commerce market.
- Posting privacy policies, disclosing those procedures and establishing an internal clearinghouse for problems is best handled by each institution. Flexibility will ensure appropriate cost controls and an industry approach to privacy. A legislative approach that does not consider the uniqueness of banking will, by definition, be harmful and cost prohibitive.
- On-line banking still requires that the institution knows its customer in the same fashion as in face to face transactions. Financial institutions must be able to protect customer data and provide convenient banking services. These challenges are being met today by our industry but could be hampered by laws and regulations that, in the name of privacy protection, prevent banking institutions from gaining necessary access to personal information concerning their customers.
- As long as banks and other financial service providers are able to provide strong encryption and other data security tools, we can protect customer data. In addition, as stated above, the passage of identity theft legislation will act as a deterrent to individuals that attempt to steal personal information by trick or artifice. Our ability to ask questions of our customers and to adequately screen new employees will also help us protect privacy and the safety and soundness of our institutions.
- There has been little discussion concerning the value of information to produce tailored products for the consumer. The Department of Commerce is in a position to make this case with our trading partners as well as with consumers in the United States. ABA calls for a forum to address this valuable economic tool in the context of the privacy balance so all can see that this balance can be and is being achieved.
The American Bankers Association and our financial services colleagues stand ready to continue this important privacy debate. The white paper makes a clear case for concluding that self-regulation works in our sector. We commit to working together with the public sector in the coming months and years so that electronic commerce will be a valuable mechanism for all consumers.
Sincerely,
John J. Byrne
Attachments