
FROM THE OFFICE OF PUBLIC AFFAIRS

June 14, 2000
LS-697

TREASURY UNDER SECRETARY GARY GENSLER
HOUSE COMMITTEE ON BANKING AND FINANCIAL SERVICES

Mr. Chairman, Ranking Member LaFalce, and Members of the Committee, thank you for inviting me here this morning to present the Administration's views on personal financial privacy. I am pleased to have the opportunity to discuss these important issues, and to comment on H.R. 4585, the Medical Financial Privacy Protection Act introduced by Chairman Leach last week.

Protecting consumers' privacy is of the utmost importance to the President and the entire Administration. We want to work with Congress to provide Americans with the comprehensive financial privacy protections they expect and deserve. Our financial system's future growth rests in no small part on continued consumer confidence. Effective privacy protections are an important foundation for that confidence. While we made some significant progress toward this goal in the financial modernization bill signed by the President last year, we believe more work can and should be done in this area.

To that end, the President announced an important new legislative proposal in April, 2000 to provide Americans with fully effective financial privacy protections. The plan enhances consumer choice and control in several important ways. In particular, it provides special protections for especially sensitive information, including the use of medical information in financial settings.

My testimony is divided into four main parts:

  • First, I will discuss the importance of privacy protections and the changes in the financial services industry that are making this an ever-more important issue.
  • Second, I will review last year's efforts to improve personal privacy protections, including the provisions in the financial modernization bill.
  • Third, I will outline the President's comprehensive Consumer Financial Privacy Act initiative.
  • Finally, I would like to comment on medical privacy, and discuss the bill introduced last week by Chairman Leach.

I. The Importance of Privacy in America's Changing Financial Markets

Personal privacy is a fundamental and highly prized American right. From our nation's earliest days, citizens have been concerned about intrusions into their private lives, and have fought to protect themselves from unwarranted invasions of their privacy. Over time, ideas regarding what constitutes appropriate privacy protection have changed as our society and economy have evolved.

Many Americans increasingly feel their privacy threatened by those with whom they do business. These concerns are particularly acute when it comes to the privacy of financial information, because financial data can be used to paint such a detailed portrait of an individual's life. Financial institutions and other firms are able to consolidate and process information about individuals' spending and investing habits in ways that were almost inconceivable even a decade ago.

These capabilities are increasing public anxiety about just who has access to sensitive financial information, and what they will be able to do with it. A significant majority of Americans are deeply concerned about the effects that changes in technology are having on their ability to preserve, in the words of Justice Louis Brandeis, "the right to be let alone."

Americans want the ability to earn, invest, and spend their money without having to worry about that information being obtained - and perhaps used to their disadvantage - by firms unknown to them, or having that information open to inspection by the world at large. Just as we do not expect letter carriers to read our mail, we do not expect financial institutions to amass information about our transactions, consolidate and process it, and use it for purposes that we never intended. We are in the midst of three sea-changes in the financial services sector, however, that make such uses of information an increasing possibility: industry consolidation, a technological revolution, and a move away from cash towards electronic transactions.

Changes in Industry Structure. Integration and consolidation in the financial sector is changing the outlook for data privacy. Banks have moved into insurance and securities activities, insurance companies offer products that compete with bank products, and investment banks are in the lending business. Thanks to the hard work of Chairman Leach, Ranking Member LaFalce, Members of this Committee, and many others, last year the President was able to sign into law a financial modernization package that finally eliminated legal barriers to this consolidation. These changes will bring considerable benefits to consumers in the form of increased competition and greater innovation. The desire of integrated financial services firms to profit from their scale has created a powerful incentive to treat consumer data as a business asset, however, which raises concerns about how that information will be used and controlled.

Technological Advances. Changes in technology have brought the ability to generate, process, and use information in ways unimagined when most of our commercial and consumer protection laws were written. These advances have been particularly important in the financial sector, where firms are spending billions of dollars each year on computers and software to reduce costs and improve service. These increasingly sophisticated tools and larger stores of transaction and other financial information, however, have given consumers pause about the potential uses of the data held by banks, insurers, and other financial firms.

The Move to Electronic Transactions. Finally, the explosion in the use of electronic payments and receipts is also driving concerns about data handling and use. Americans' increasing use of credit cards, debit cards and (more recently) electronic bill payment in lieu of cash now allows financial services companies to collect a far greater amount of information on each individual's transactions.

Taken together, these three trends - industry consolidation, technological advances, and the movement from cash to electronic payments and receipt systems - provide financial services firms with powerful incentives to mine consumer information for profit, and the tools with which to do so. The challenge, therefore, is to protect the privacy of consumers while preserving the benefits of competition and innovation.

II. Efforts to Enhance Financial Privacy Protections

This Administration took steps to address these challenges in May of 1999, when the President announced his plan for Financial Privacy and Consumer Protection in the 21st Century. That initiative recognized that while many firms collect information about us, financial institutions have access to a unique window on the lives of most Americans. While a grocery store may learn something about the food you buy, and a department store may know what kind of clothes you prefer, banks, insurers, and brokerage firms collect a range of information that is particularly comprehensive and personal. By processing all of your transactions, a bank or credit card company can know much more about you than any individual merchant. This information can also be particularly sensitive. A list of each prescription drug you purchase or each stock you buy is more revealing - and potentially more open to misuse - than a list of the music CDs you buy.

With this in mind, the President recommended legislation to provide consumers with notice and choice before their financial information is shared or sold -- the right to say "no" to uses of information that individuals find invasive or inappropriate. Central to this policy is the idea that a consumer's financial information belongs to the consumer, not the financial institution that processes the transactions.

At the time this announcement was made, in the midst of the financial modernization debate, the President's agenda struck many as ambitious. Some suggested that the American people did not feel particularly strongly about privacy issues, and that in any case Congress was not prepared to act on legislation in this area. Clearly, the last twelve months have shown otherwise.

Although privacy was not initially part of the financial services debate, this Administration felt strongly that if the rules for industry structure were being modernized, critical protections for consumer data had to be updated as well. The final bill made progress toward that goal. We believe that the new law's requirements for clearly stated privacy policies, for effective notices to consumers, and for the right to opt-out of third-party information sharing are important advances in privacy protection for all Americans.

This Administration believes, however, that much more can and should be done on financial privacy. When the President signed the financial modernization act, he said, "I do not believe that [its] privacy protections go far enough." He continued, "Without restraining the economic potential of new business arrangements, I want to make sure that every family has meaningful choices about how their personal information will be shared within corporate conglomerates. We can't allow new opportunities to erode old and fundamental rights."

III. The Consumer Financial Privacy Act

On April 30, 2000, the President announced a new initiative to provide Americans with the additional protections he promised. That legislation is now before Congress as H.R. 4380, the Consumer Financial Privacy Act. This bill takes a balanced, comprehensive approach to financial privacy, providing important new rights and protections while addressing deficiencies in last year's legislation. I would like to take a few minutes to describe the proposal.

Opt-In Protection for Especially Sensitive Information. A central Administration principle regarding privacy is that the greater the sensitivity of the data and the possible harm from misuse, the greater should be the level of privacy protection. The Consumer Financial Privacy Act therefore calls for the strongest protections in two highly sensitive areas: the sharing of medical information by financial institutions, and the use of detailed personal spending habits information about individual consumers. In these areas we have set the bar high, requiring institutions to get affirmative ("opt-in") consent from consumers before information sharing can occur.

  • Medical Information. A consumer seeking a loan or other financial products such as investment advice or auto insurance should not have to worry that an institution is making decisions based on personal medical records received from a life insurance affiliate. Life insurance databases should not become the new source for marketing campaigns based on medical information. The Consumer Financial Privacy Act would assure that companies do not gain any special access to medical records by being part of a financial holding company. Consumers would have to give affirmative consent before any financial firm could even receive medical information from a life insurance affiliate or other company.
  • Personal Spending Information. Americans do not expect a bank processing checks or credit card payments to take their most sensitive financial information and share that information with others. Under the Administration's proposal, a financial firm would not be permitted to transfer individualized, personal spending habits - where people spend their money, where they earn their money, and what they buy - unless a customer affirmatively consents to such a use of their information.

Opt-Out Protection for Other Financial Information. For other less sensitive categories of financial information, we believe that consumers should have meaningful choice - the opportunity to opt-out -- before a financial services firm can share their financial data with any other entity for marketing purposes. Last year's legislation granted important rights to opt out of information sales to telemarketers and other unaffiliated firms. The Consumer Financial Privacy Act would extend those protections to information shared within financial conglomerates. In a world where affiliates can engage in activities ranging from data processing to travel agency, consumers deserve to have as much control over flows of information to affiliates as they do over those to third parties.

The Administration proposal would also close the exception for "joint marketing" in last year's bill. This provision would constitute an unnecessary loophole when there is opt-out choice for affiliate sharing.

Exceptions for Important Business Practices. The Consumer Financial Privacy Act would preserve financial firms' ability to share information for important business practices by providing exceptions from consumer choice for transaction processing, risk management, fraud prevention, and to aid in law enforcement. In addition, the proposal will provide a new exception to facilitate the development of innovative customer service tools such as consolidated monthly statements and call-in centers that can access information from affiliated firms at a customer's request.

These exceptions are crucial for the growth of our financial industries. They must be subject, however, to appropriate reuse limitations. We include such limitations in order to prevent abuses.

The Administration's proposal thus achieves the goal of matching the level of protection to the sensitivity of the personal information involved and the potential abuses of such information. For the most sensitive data on health and comprehensive personal spending habits, we call for opt-in consent. For other types of financial information, consumers should have the right to opt-out of sharing for marketing and other purposes. Where important business practices require information sharing, we provide exceptions to consumer choice, but make sure that consumers are protected by reuse restrictions.

Additional New Privacy Protections. Beyond notice and consumer choice requirements, the Administration proposal provides additional protections in several key areas, including:

  • The right for consumers to access and correct information held by financial institutions, to ensure that firms are not deciding whether to offer them services based on mistaken information about their financial status;
  • Additional enforcement authority for the Federal Trade Commission and State Attorneys General;
  • Stricter limits on redisclosure and reuse of customer information; and
  • Giving consumers the tools to comparison shop by requiring institutions to provide privacy policy notices up front or upon request.

The Administration strongly favors a comprehensive approach to providing additional privacy protections. We found that last year's bill, as important as it was, did not go far enough, compelling us to call for additional legislation. We feel that our proposal covers the necessary ground, filling the gaps in the financial modernization act, and including important new protections. The American people want and deserve these privacy protections now, for the full range of issues addressed in the President's proposal.

We are pleased that so many members of the House and Senate have supported this approach, and have sponsored these proposals in Congress. Improving financial privacy protections is a priority for so many members of this Committee. I would especially like to thank Ranking Member LaFalce for being the lead sponsor of H.R. 4380 in the House. I also thank the other Members of this Committee who are among the many co-sponsors of this comprehensive legislation.

IV. Medical Privacy and Financial Services

Let me turn now more specifically to the issue of medical privacy in the financial context. This Administration firmly believes that all Americans should be protected against the misuse of their highly sensitive health and medical data. We feel that there is broad agreement in the private sector and among the public that improving medical privacy is the right thing to do.

We are deeply committed to providing consumer control and rigorous statutory safeguards in the area of medical privacy. Congress and the Administration worked together in 1996 to enact the Health Insurance Portability and Accountability Act (HIPAA). HIPAA called for enactment of comprehensive privacy legislation by August 1999, and instructed the Department of Health and Human Services to issue rules if that deadline were not met. President Clinton announced the proposed rules last October. He has pledged that final medical privacy regulations will be issued this year. By its terms, HIPAA applies only to "covered entities" such as health providers, health plans (including health insurance companies), and health clearinghouses. Its protections do not apply to most financial institutions, including life, auto, workers' compensation, property and casualty, and many disability insurance companies. The Consumer Financial Privacy Act and H.R. 4585 would provide the first specific federal protections for medical information in financial institutions that are not covered by HIPAA.

As we have seen in past attempts to address medical privacy in the financial context, it can be difficult to reach solutions that do not have unintended consequences. In last year's financial modernization debate, proposals were offered that addressed some issues, but could have seriously undermined other crucial medical privacy initiatives.

For instance, measures under consideration last year would have preempted the HIPAA regulations that HHS is now in the process of making final. The provisions would have exempted the health information they did cover from the re-use restrictions of the modernization bill, providing a significant loophole for the inappropriate release of confidential health information. They also would have permitted, under the guise of "research," exceptions for the sharing of large volumes of extremely sensitive medical information that would be prohibited under the proposed HHS rules. Ultimately, these provisions were not included in the final bill so that the issues could be examined more thoroughly.

We have looked closely at these issues in the ensuing months, in consultation with HHS and others. We believe that our new proposal provides appropriately strong protections for the use of health information in the context of financial products and services. We believe it meets the central challenges I just mentioned. The proposal:

  • Addresses the use of medical information in a broad context, covering the provision of all financial products and services;
  • Avoids broad exceptions that could render the protections ineffective; and
  • Clarifies that nothing in the financial modernization laws would modify or supersede HIPAA's privacy protections, preserving the effectiveness of these important rules.

H.R. 4585, The Medical Financial Privacy Protection Act

Mr. Chairman, by convening this hearing you are creating a much appreciated opportunity to discuss the important issues surrounding financial privacy. Your legislation is focused specifically on medical privacy. While we continue to believe that it is necessary to seek legislation that provides comprehensive privacy protections, your bill offers a starting point for consideration of several issues that we know will be an important part of a truly effective privacy regime. Your bill, H.R. 4585, seeks to address the privacy of medical information in four primary ways:

  • In the context of making decisions about a loan or other extension of credit, an institution may not receive or use health information about a consumer from another company unless it has provided notice and obtained affirmative consent.
  • The bill bars financial institutions from disclosing medical information to affiliates or third parties without providing notice and obtaining opt-in consent.
  • An institution must obtain affirmative opt-in consent before it can transfer detailed personal health spending information about a consumer to an affiliate or third party.
  • Institutions must provide consumers with access to, and the opportunity to correct, individually identifiable health information. The bill also provides additional protections for the reuse of health information, and for mental health information.

Mr. Chairman, we appreciate your personal involvement in this area. You have introduced legislation that furthers the debate on these critically important issues. There is common ground between your bill and the Administration's proposal regarding financial medical privacy. H.R. 4585 does differ in significant respects, however, from the Administration's proposal. While there are a number of other issues, let me highlight our two most important concerns.

Scope of the Bill. We believe that financial privacy legislation should address the full range of important consumer protections. The Administration's Consumer Financial Privacy Act addresses the full range of important financial privacy issues that now face the American people. It would, among other measures, provide opt-in protection for consumer personal spending habits; require customer choice before information is shared among corporate affiliates; provide customers with access to and the ability to correct their financial records; assure that privacy policies will be available for comparison shopping; and enhance enforcement authorities where needed.

H.R. 4585, by contrast, is a narrower bill that addresses only the medical privacy issues covered by the Consumer Financial Privacy Act. Some of the issues I just noted, such as personal spending habits, access, and reuse, are included in H.R. 4585, but solely as it relates to personal health information. Medical privacy within the financial services industry is vitally important, but is only one of the financial privacy issues that must be addressed. American consumers want and deserve a broad set of protections.

Receipt and Use Provisions. The provisions in H.R. 4585 concerning "use or receipt" of medical information apply only to "a loan or credit to a consumer." We feel that it is crucial to apply the privacy protections beyond the "loan or credit" setting. A provision that applies to disclosure and use of health information only with respect to "loans or credit" would permit uses of health information in situations involving marketing and other financial settings. It is unclear why the use of sensitive medical information should be subject to restrictions in the provision of a loan, but not in the provision of investment advice, auto insurance, travel services, or any of the many other non-credit products now permitted in financial holding companies.

An additional provision in the President's receipt and use proposals provides that a financial services firm can only receive or use medical information from an affiliate or third party that it requires of all of its customers for a particular product or service. The language in H.R. 4585 that seems to address this same topic is unclear, and may have unintended consequences.

Conclusion

Mr. Chairman, thank you for providing this forum for the discussion of these critically important issues. This hearing provides a starting point for a thorough consideration of the range of privacy issues raised by changes in technology and in our financial markets.

This is a historic opportunity to get financial privacy right - to put in place all of the protections that American citizens want and need. In addition, we all recognize the special sensitivity of personal medical information. The Administration supports having effective laws in place that match the sensitivity of such data. There is common ground between Chairman Leach's bill and the Administration approach. At the same time, we should also address the other vital issues that are included in the Consumer Financial Privacy Act. To do otherwise is to miss out on the chance to complete the work that was begun in last year's law.

We look forward to working with you, Congressman LaFalce, and other Members of Congress to provide all Americans with comprehensive financial privacy protections.