EPIC logo

June 24, 2003

Senator Richard Shelby
Chairman, Senate Committee on Banking,
 Housing, and Urban Affairs
110 Hart Senate Office Building
Washington, DC 20510

Senator Paul Sarbanes
Ranking Member, Senate Committee on Banking,
 Housing, and Urban Affairs
 309 Hart Senate Office Building
Washington, DC, 20510

RE: Senate Banking Committee Hearing on Affiliate Sharing Practices and Their Relationship to the Fair Credit Reporting Act

Dear Chairman Shelby and Ranking Member Sarbanes:

The Electronic Privacy Information Center (EPIC) submits this letter for inclusion in the June 26, 2003 hearing record for the Senate Committee on Banking hearing on "Affiliate Sharing Practices and Their Relationship to the Fair Credit Reporting Act." EPIC is a not-for-profit research center based in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. We appreciate the Committee's attention to affiliate sharing and its civil liberties implications.

We write to call your attention to loopholes in the Federal Credit Reporting Act (FCRA) that allow financial institutions to side-step privacy protections. In particular, financial institutions are allowed to share the personal information of their customers with third-parties and affiliates, placing the burden upon the customer to opt-out of such sharing. Even if the individual opts-out, the institution can nevertheless share an individual's personal information with affiliates. Given the large number of affiliates some holding companies have, the practice of affiliate sharing effectively neutralizes the privacy protections built-in to the FCRA. As a solution, we propose that the individual control the dissemination of their information through an opt-in requirement for the sharing of all information, even in situations where companies wish to share information with affiliates and joint marketers.

I. Weak protections against affiliate sharing place heavy burdens on individuals and law enforcement.

Financial institutions operate under the assumption that they may share an individual's personal information with third-parties unless the customer specifically opts-out of such sharing.[1] Furthermore, a financial institution may share an individual's "experience information" with their affiliates even if the individual specifically chooses to opt-out of the arrangement.[2] This exemption effectively allows financial institutions to side-step the protections of the FCRA, allowing them to share information among affiliates without restrictions.

Weak protections against affiliate sharing have a number of serious negative consequences. First, lax protections against affiliate sharing enable financial institutions to participate in fraud. As we explain in detail below, financial institutions have used their customer lists to target individuals for fraudulent telemarketing schemes. They have also sold personal information acquired from third-parties to fraudulent companies. Moreover, the unrestricted sharing of consumers' information facilitates criminal activity, such as theft of financial identity. To make matters worse, the impact upon society is uneven, as the unfettered sharing of individuals' financial information exposes the elderly and other at-risk individuals to increased likelihood of fraud. Finally, the risks and consequences of affiliate sharing extend beyond fraud. The collection and sharing of individuals' information allows for profiling based on race, age, and educational background. While some protections have been placed upon affiliate sharing, financial institutions have failed to effectively meet the most basic privacy protection—to provide individuals with accurate and meaningful information about affiliate sharing. The following expounds upon each of these points.

A. Financial institutions have used their customer lists to target individuals for fraudulent telemarketing schemes.

Capital One[3], Chase Manhattan[4], Citibank[5], First U.S.A.[6], Fleet Mortgage[7], GE Capital[8], MBNA America[9], and U.S. Bancorp[10] have all provided their customers' personal and confidential information to fraudulent telemarketers. The financial institutions provided the telemarketers with the names, telephone numbers, and other information about their customers. These institutions also gave the telemarketers the ability to charge customers' accounts without having to ask consumers to provide an account number. This practice, called "preacquired account telemarketing," has subjected thousands of individuals to unauthorized charges for products and services they never wanted or ordered. In one case, during a thirteen-month period, a national bank processed 95,573 cancellations of membership clubs and other products that were billed by preacquired account telemarketers without customers' authorization.[11]

B. Banks have sold personal information acquired from third-parties to fraudulent companies.

Charter Pacific Bank sold its database containing 3.6 million valid credit card account numbers to a convicted felon who then fraudulently billed the accounts for access to Internet pornography sites that victims had never visited.[12] In fact, approximately forty-five percent of the victims did not even own a computer. Charter Pacific did not develop the database from its own customers' information. Instead, it compiled the information from credit card holders who had purchased goods and services from merchants that had accounts at Charter Pacific. The information included the date of sale, account number, and dollar amount of every credit card transaction processed by the bank's merchant customers. The unrestricted sharing of this information resulted in over $44 million of unauthorized charges.

C. The unrestricted sharing of consumers' information facilitates criminal activity, such as theft of financial identity.

Identity theft is one of the nation's fastest growing white-collar crimes. Many of these identity theft cases are "insider jobs," committed by employees who obtain access and misuse individuals' personal information stored in their employers' databanks. Researchers at Michigan State University recently studied over 1000 identity theft cases and found that victims in fifty percent of the cases specifically reported that the theft was committed by an employee of a company compiling personal information on individuals.[13] Additional cases implied employee theft. Other reports note that many identity fraud cases stem from the perpetrator's purchase of consumers' personal information from commercial data brokers. Financial institutions information sharing practices contribute to the risk of identity theft by greatly expanding the opportunity for thieves to obtain access to sensitive personal information.

D. The unfettered sharing of consumers' financial information exposes the elderly and other at risk consumers to increased likelihood of fraud.

NationsBank shared with its affiliated securities company data on bank customers with maturing federally insured CDs.[14] The affiliate, NationsSecurity, then aggressively marketed high-risk investments to these conservative investors, misleading many customers to believe that the investments were as safe and reliable as federally insured CDs. Many customers, including retired elderly, lost significant portions of their life savings. After an investigation, the Securities and Exchange Commission found that the companies intentionally blurred the distinction between the bank and the brokerage, and between the insured CDs and riskier investment products. Affiliate sharing of customers' information made this possible. NationsBank provided the investment representatives with maturing CD customer lists, as well as customers' financial statements and account balances. As a result, when these investment representatives called NationsBanks' customers and indicated that they were with the "investment division" of the bank, many customers reasonably believed that they were bank employees, not brokers. NationsBank is not the only bank to have engaged in such a practice. First Union settled a private lawsuit alleging a similar scheme.[15]

E. The collection and sharing of consumers' information allows for profiling based on race, age, and educational background.

Financial institutions conduct computerized analysis of the information they collect about their consumers and use that information to target select consumers for the purchase of products and services. Often, companies enhance their own collected information by combining it with information from other databases. These may include demographic data, such as age, gender, and family dwelling size, as well as lifestyle data, including predicted attributes based on buying habits and organization affiliations.

The natural outgrowth of this unlimited collection and sharing of personal data is individual profiling. Profiles can be used to determine the amount one pays for financial services and related products. For example, according to a sworn declaration of a former CitiFinancial employee, branch managers would target deceptive loan solicitations to borrowers in certain zip codes, eliminating zip codes in more affluent areas.[16] The employee also stated that she and other staff would attempt to sell extra insurance by identifying vulnerable borrowers based on their occupation, race, age, and education level. She stated, "If someone appeared uneducated, inarticulate, or was a minority, or was particularly old or young, I would try to include all the coverages CitiFinancial offered. The more gullible the consumer appeared, the more coverages I would try to include in the loan."[17]

In a separate case, a Minnesota Attorney General investigation found that the elderly and consumers who speak English as a second language were particularly vulnerable to preacquired account telemarketing fraud. The Office's review of randomly selected sales of one preacquired account telemarketer, for instance, revealed that fifty eight percent of customers whose accounts were charged were over sixty years old.[18] 

II. The FCRA does little to protect individuals from the pervasive practice of sharing personal information without individuals' consent.

The American legal system has a long history of protecting privacy rights through laws that arise in response to challenges posed by new technologies and business practices. In the past, Congress enacted laws to address privacy risks of the postal system and the telephone, and more recently video rentals and cable television. Today, we face new challenges. Computers allow the unprecedented storage of individuals' purchasing and financial histories, and new technological programs, like "data mining," facilitate the discovery of unanticipated patterns in this stored data. In addition, the recent creation of new corporate structures—such as the financial holding company that may own a vast array of banks, insurance companies, investment firms, and other institutions—provides for the unprecedented sharing of individuals' personal information among affiliated companies. The law must adapt and respond to these developments.

A. Because financial holding companies may consist of a large number of affiliates that engage in a variety of activities, FCRA affiliate sharing exemptions effectively allow financial institutions to sidestep the purpose of the FCRA.

The FCRA sets standards for credit reporting agencies for their activities of collecting and distributing an individual's personal information. The Act limits access to reports, and provides consumers with the right to review, dispute, and correct information maintained by credit reporting agencies. Information shared among corporate affiliates, however, is not included within the Act's definition of a credit report. As a result, a corporation can generate a comprehensive profile about an individual solely from data shared among their vast network of corporate affiliates, thus undermining the effectiveness of the consumer protections afforded by the FCRA. In essence, affiliate information sharing can come to serve like a de facto credit bureau, making credit bureaus obsolete. As affiliate information sharing takes on the functions of the traditional credit bureaus, it should take on the FCRA obligations as well.

The GLBA allows a broad range of institutions to affiliate and operate under a single corporate umbrella, called a financial holding company. As such, a financial holding company can engage in a wide variety of activities. Citigroup, Inc., for example, consists of the following affiliates listed on their website: Citibank, Citi Cards, Citi Financial, CitiMortgage, Diner's Club International, Banamex, Traveler's Life and Annuity, Smith Barney, Primerica, Citigroup Asset Management, CitiInsurance, Citigroup private bank, and others.

In total, CitiGroup has over 2700 corporate affiliates.[19] Similarly, Bank of America has almost 1500.[20] As financial holding companies can have thousands of affiliates, individuals have little understanding regarding the extent to which companies have access to their sensitive information. The law allows affiliate companies to merge their customers' data into one comprehensive database, thereby compiling a comprehensive profile about their customers. This database may include financial, medical, and other sensitive information. Financial institutions tell their customers that their information is only shared within the "corporate family," a phrase with warm and friendly connotations suggest that their information is in good hands. Yet, given the vast scope of corporate affiliates, in reality an individuals information can spread to over a thousand institutions, all the while remaining within this illusory family. Besides the affiliate sharing loophole, under GLBA, financial institutions can share personal information, despite an individual's express opt-out, with third-party financial institutions that are not affiliates but are "joint marketing" partners.[21]

With both the affiliate sharing and the joint marketing loopholes, a single exchange between an individual and a financial institution can transform into a relationship between that individual and thousands of other companies, all the while the individual has no say in the matter and is unaware of the magnitude of the financial institution's vast affiliate and marketing network.

III. To protect individuals and help law enforcement, EPIC encourages the Senate Banking Committee to adopt an opt-in requirement for affiliate sharing.

A. Opt-out does not meet the needs of individuals.

With opt-out, the law assumes that banks can distribute customers' personal information freely, unless the customer specifies otherwise. An opt-out system at its heart carries the assumption that there will be little response to the notices because the notices will be overlooked, or will be too complicated to understand. Like other negative choice systems, permission though silence will invariably get a large percentage of "yes" responses because no response is necessary.

Companies often assert that the low percentage of opt-out rates indicate that customers do not in fact value the privacy of their personal information. Expert studies illustrate that, in fact, few consumers recall seeing notices even when the notices are required to be clear and conspicuous, which suggests that when businesses do not want consumers to see a notice, consumers will not.[22] Furthermore, the notices are difficult to understand. A readability expert determined that, of sixty privacy notices examined, most were written at a third or fourth year college reading level, rather than the eighth grade level standard typically used for notices to the general public.[23]  

Evidence regarding opt-out notices provided in other contexts suggests that companies may purposely be drafting unintelligible notices to mislead customers. In Ting v. AT&T, a district court found that AT&T conducted research to develop a notice regarding new contract terms that consumers would be likely to consider as a "non-event."[24]

Furthermore, financial institutions may make it difficult for individuals to opt-out through various burdensome procedural barriers. Recently, EPIC obtained documents through a FOIA request to the FTC, asking for their complaints regarding GLBA violations. Almost all of these complaints were from individuals who faced serious burdens when they tried to opt-out, or whose opt-out request was ignored altogether. A majority of these complaints concerned Citibank.

Companies do not identify with adequate specificity what information they share, or the possible recipients of personal information. Consequently, if information is misused by one of the thousands of an institution's affiliates and marketing partners, individuals will continue to have trouble identifying the offender.

B. Individuals want opt-in protections.

In a 2003 Harris Poll, seventy-nine percent of surveyed adults reported that it is extremely important to be in control of who can obtain their personal information. The survey also revealed a growing distrust of businesses' information handling practices. A majority (fifty-four percent) disagreed with the statement that "most businesses handle the personal information they collect about consumers in a proper and confidential way," an increase of nineteen points from only thirty-five percent who felt this way in 1999. Other public opinion polls consistently find that Americans want strong privacy protection laws.

Most notably, last year, individuals for the first time had the opportunity to vote directly on opt-in privacy protections, and on June 11, seventy-two percent of North Dakota residents chose opt-in over opt-out privacy protections. Also, in California, a number of jurisdictions have passed opt-in laws, including San Francisco, San Mateo, Contra Costa, Alameda, Santa Cruz and Solano counties, and Daly City.

C. Opt-in is more efficient than opt-out.

Proponents of an opt-out approach argue that such a system is economically preferable, as it increases the amount of information available to both producers and consumers, allows telecommunications carriers to improve services offered by tailoring these services to specific customers, and reduces prices. This assertion erroneously assumes that the only costs at issue are those of production, without accounting for increased transaction costs incurred by the consumer in seeking to exercise privacy rights created by statute.[25]

Opt-out regimes create an economic incentive for businesses to make it difficult for consumers to exercise their preference not to disclose personal information to others. Because opt-out systems do not require businesses to create inducements for consumers to choose affirmatively to disclose personal information, these systems encourage firms to engage in strategic behavior and thus inflate consumer transaction costs.[26] In contrast, an opt-in system would permit consumers who wish to protect their privacy to do so, while encouraging telecommunications carriers to eliminate consumer transaction costs.[27] Because carriers profit from the use of consumer information, and thus want as much information as possible, carriers would have an incentive to make it as easy as possible for consumers to consent to the use of their personal information. Such a system might include a comprehensible list of the benefits to opting-in, contained within a clearly marked mailing, with a pre-paid stamped envelope. This would preclude the transaction costs involved with attempting to contact via phone customers with the authority to opt-in. It also reduces the strategic behavior costs associated with opt-out—the costs associated with providing consumers a message that they do not want consumers to receive—because the telecommunications carriers would have an incentive to lower costs associated with providing customers a message that they are very eager to have the customer receive.[28] Finally, opt-in may decrease the amount of information in the marketplace, but it permits telecommunications carriers to target products at those who have specified an interest in such information: thereby decreasing the wasted costs associated with targeting uninterested customers.[29]

D. Conclusion

Affiliate sharing and joint marketing loopholes allow financial institutions to exploit individuals' information despite the individual's wishes to the contrary. Financial institutions should obtain opt-in consent before disseminating personal information to third-parties, affiliates, and joint-marketers.

Financial institutions argue that it is in the best interest of the customer to allow the institution to share personal information because it allows greater customer service. Their assumption is paternalistic, and it assumes that individuals cannot decide for themselves what is in their own best interest. As surveys show, individuals prefer to have the decision-making authority through opt-in requirements. Moreover, requiring financial institutions to get informed opt-in consent from individuals before sharing their information will go far to protect individuals from fraud, crime, discrimination, and privacy violations.

EPIC respectfully urges the Committee to promulgate the proposed opt-in standard for the disclosure of customer information. Although EPIC believes that these comments provide support for a regulation implementing an opt-in approach towards all customer information—including affiliate sharing—EPIC applauds the Committee's efforts to restrict use of more sensitive forms of customer information.

Respectfully Submitted,


Chris Jay Hoofnagle
Deputy Counsel

John Baggaley
IPIOP Law Clerk

Waseem Karim
IPIOP Law Clerk

[1] 15 U.S.C. § 6802(b).

[2] 15 U.S.C. § 1681a(d)(2)(A)(2000). Experience information is information generated from the institution's direct dealing with an individual.

[3] Office of the Washington State Attorney General, "Settlement with Discount Buying Club Highlights Privacy Concerns," Aug. 4, 2000, available at http://www.wa.gov/ago/releases/rel_branddirect_080400.html.

[4] Id.

[5] National Association of Attorneys Generals, "Multistate Actions: 27 States and Puerto Rico Settle with Citibank," Feb. 27, 2002, http://www.naag.org/issues/20020301-multi-citibank.php; Settlement document available at http://www.oag.state.ny.us/press/2002/feb/feb27b_02_attach.pdf.

[6] Office of the New York Attorney General, "First USA to Halt Vendor's Deceptive Solicitations," Dec. 31, 2002, available at http://www.oag.state.ny.us/press/2002/dec/dec31a_02.html.

[7] Minnesota v. Fleet Mortgage Corp., 158 F. Supp. 2d 962 (D. Minn. 2001), available at http://www.ag.state.mn.us/consumer/PR/Fleet_Opinion_61901.html.

[8] Supra, note 1.

[9] Id.

[10] Office of the Minnesota Attorney General, "Minnesota AG and U.S. Bancorp Settle Customer Privacy Suit," Jul. 11, 1999, available at http://www.ag.state.mn.us/consumer/Privacy/PR/pr_usbank_07011999.html.

[11] Supplemental Comments of the Minnesota Attorney General Office, FTC Telemarketing Sales Rule, FTC File No. R411001, available at http://www.ftc.gov/os/comments/dncpapercomments/supplement/minnag.pdf.

[12] Federal Trade Commission, "FTC Wins $37.5 Million Judgment from X-Rate Website Operator; Bank Sold Defendants Access to Active MasterCard, Visa Card Numbers," Sept. 7, 2000, available at http://www.ftc.gov/opa/2000/09/netfill.htm.

[13] Study forthcoming; results provided in email from Judith M. Collins, Ph.D., Associate Professor, Leadership and Management Program in Security School of Criminal Justice, Michigan State University to EPIC (Apr. 22, 2003, 18:13:35 EST) (on file with EPIC).

[14] Nationssecurities and Nationsbank, N.A., SEC Release No. 33-7532, May 4, 1998, available at http://www.sec.gov/litigation/admin/337532.txt.

[15] Risky Business in the Operating Subsidiary: How the OCC Dropped the Ball, Hearing Before the Subcommittee on Oversight and Investigations of the House Committee on Commerce., 106th Cong. (Jun. 25, 1999) (statement of Jonathan Alpert, Sr. Partner, Baker and Rodems).

[16] FTC v. Citigroup, Inc. No. 1:01-CV-00606, Decl. of Gail Kubiniec, ¶ 10 (N.D. Ga. May 2001), available at http://www.ftc.gov/foia/citigroup.pdf.

[17] Id. at ¶ 14.

[18] Financial Privacy and Consumer Protection Hearing Before the Senate Comm. on Banking, Housing and Urban Affairs, 107th Cong., Sept. 19, 2002 (statement of Mike Hatch, Attorney General, State of Minnesota).

[19] Financial Privacy and Consumer Protection Hearing Before the Senate Comm. on Banking, Housing and Urban Affairs, 107th Cong., Sept. 19, 2002 (statement of William H. Sorrell, Attorney General, State of Vermont).

[20] Id.

[21] 15 U.S.C. § 6802(b)(2).

[22] Jeff Sovern, "Opting in, Opting Out, or No Options at All: The Fight For Control of Personal Information," 74 Wash. L. Rev. 1033, 1099 (1999).

[23] Mark Hochhauser, Lost in the Fine Print: Readability of Financial Privacy Notices, July 2001, available at http://www.privacyrights.org/ar/GLB-Reading.htm.

[24] "Another part of AT&T's research, the Qualitative Study, concluded that after reading the bolded text in the cover letter which states 'please be assured that your AT&T service or billing will not change under the AT&T Consumer Services Agreement; there's nothing you need to do,' 'at this point most would stop reading and discard the letter.' (J. Ex. 9-9.) One of the authors of the study did not find this conclusion to be a cause of concern, and no one on the detariffing team ever expressed concern to her about this conclusion." Ting v. AT&T, 182 F. Supp. 2d 902 (N.D. Cal. 2002).

"…AT&T was concerned that if its customers focused on the Legal Remedies Provisions, they might become concerned, less likely to perceive detariffing as a non-event and possibly defect. As a high ranking member on the detariffing team stated: 'I don't want them to tell customers that now individual contracts need to be established with customers and pay attention to the details [sic].' (Pls.' Ex. 132-1.) While presenting the CSA as a non-event may have helped AT&T retain its customers, it also made customers less alert to the fact that they were being asked to give up important legal rights and remedies." Id.

[25] See Sovern, supra note 22, at 1082-83.

[26] See id. at 1099-1100.

[27] See id.

[28] See id. at 1101-02.

[29] See id. at 1103.