House Committee on Banking and Financial Services, Subcommittee on Financial Institutions and Consumer Credit

Privacy Issues in the Financial Services Industry Accounts

Madame Chairwoman, thank you for inviting me to appear today to discuss issues relating to privacy in the financial services industry.

Several months ago I prepared a working paper (PDF FILE) on this subject for the AEI-Brookings Joint Center for Regulatory Studies, which I attach to this testimony.

I argued in that paper, and now outline for you briefly today, several propositions:

First, policy makers—including Congress—should be cautious about legislating in an area where markets and technology are moving rapidly. This couldn't be more true with respect to matters dealing with the Internet, where time is measured in weeks, if not days.

Second, at the same time, even on the Internet there can be market failures that call for government intervention, assuming the intervention itself does not create more problems than it cures.

Privacy is one area where the market appears to have failed, at least to some extent. Every survey I have seen indicates that strong majorities are concerned about their privacy on the Net. Yet many firms sell personal information without the subject's knowledge or consent. It is true that surveys also show an increasing number of web sites providing notice and to a lesser extent an opt out. But progress remains uneven.

Third, and this is the most important point I want to make in my opening remarks, U.S. law appropriately has never made privacy an absolute right that trumps everything else in all circumstances, as is broadly the case in Europe.

Instead, we have consistently balanced the benefits of privacy protection against the costs of providing it. There are objectives which often conflict with privacy—including the needs of law enforcement, the desire to ensure a continuing flow of information, and the First Amendment's guarantee of a free press, among others.

I urge the Congress to continue this balancing approach. This means, among other things, that the more sensitive the information and the less costly it is to protect it, the more protection it should have.

For example, this explains why Congress already has prohibited the sharing of data about individual's video rental or cable TV viewing habits. It also justifies provisions in HR 10 that restrict the sharing of medical information by insurance companies belonging to financial conglomerates. Indeed, medical information is so sensitive that it ought to be covered by more generic legislation, which I understand that Congress has been considering.

Personal financial data also is sensitive. But there are also competing reasons why much of it needs to be shared under some circumstances. For example, accurate credit ratings of individuals and businesses depend on the sharing of data through credit bureaus. If government prohibited data sharing of this type, credit would be far more expensive and less available than it now is. Similarly, banks share financial data with third parties that process it and to prevent fraud. These competing objectives demonstrate why an across-the-board opt-in requirement for financial data would be a major mistake in my view.

The heart of the complaints about financial privacy—indeed privacy on the Net more generally—center instead on the use of personal data for marketing purposes. Some consumers object to having their financial institutions provide sensitive, personal information to retailers and other third parties. They ought to be given the opportunity to opt out of such information sharing, and H.R. 10 appropriately gives them that right.

As it is currently written, however, the opt out requirements of H.R. 10 do not apply to affiliates of financial institutions. Although I am aware that the financial industry strongly opposes extending those requirements to affiliates, I have come to believe that this opposition is short sighted.

One of the things that renders financial institutions—and especially banks—unique is the trust that consumers place in them. Banks that abuse that trust will be punished in the marketplace. For some, the debate over affiliate sharing of information stops there. Why not let individual institutions follow different policies and let the market decide the outcome?

The problem with that laissez-faire position is that banks that weaken customer trust in their individual institutions may weaken trust in the entire industry. Several "bad apples" can erode consumer trust in the whole barrel.

I therefore believe that a notice and opt out provision for marketing purposes ought to be extended to all affiliates of financial institutions and that such a provision is in the institutions' own self-interest. Indeed, it would even save them money. Better that they know up front who is not likely to be receptive to a solicitation than to waste a bunch of money finding out.

More broadly, I am coming around to the view that there is no reason why financial institutions ought to be singled out in this regard. Why not require all retailers conducting interstate commerce—on or off the Internet—to notify consumers of their privacy policies and offer them an opt out of having personal information transferred to third parties or affiliates for marketing purposes?

Extending such a requirement to the Internet in particular would strengthen customer confidence in the Net and encourage even faster growth in e-commerce, especially as data mining becomes ever more sophisticated (as was highlighted on the front page of yesterday's Wall Street Journal).

The analogy here is to $50 liability limit that Congress placed on credit cards in the 1970s. Once the limit was in place, credit card use took off—in large part because people then have greater confidence in using their cards. I firmly believe a common policy on privacy on the Net would do the same thing for e-commerce, which although it is growing rapidly, still remains a tiny fraction of overall retail sales. A further benefit is that an across-the-board, but reasonable, privacy statute might go a long way toward defusing the continuing tension with the EU over its privacy directive.

I want to underscore the fact that my recommendation for an opt out is limited to marketing purposes. Indeed, if I were drafting the privacy provisions of HR 10 I would simply limit the opt out to marketing purposes rather than generically impose it and then provide a laundry list of exceptions to allow for legitimate uses of customer data. The problem with the "exceptions approach" is that there is a danger that the list will miss worthy uses of information sharing that may develop tomorrow but that would be prohibited by the current law today.

Finally, I recognize there are those who believe an opt out regime is too weak and that it should be replaced with an opt in requirement. As I've noted, there are important uses of financial information—fraud detection and third party processing, among others—that would be frustrated or effectively rendered impossible to carry out in an opt in regime.

But I also believe it is premature to be legislating an opt in associated with the transfer of financial information even if it were limited to marketing purposes. Many consumers learn of new products and services—and I count myself among this group—only because information about them can be easily transferred from collectors to other parties. A significant cost of imposing an opt in is that marketers would find it much more difficult to target potential audiences for their products. The net result would be more rather than less junk mail and more mass advertising. This would aggravate some consumers and add to costs generally, which show up in higher prices of goods and services.

Many thanks again for inviting me to appear and I look forward to your questions.