NYS Assembly Joint Public Hearing "Privacy in the Financial Services Industry"
TESTIMONY presented by Former Superintendent Neil D. Levin, New York State Insurance Department
Good morning. My name is Neil Levin and I am the Superintendent of the New York State Insurance Department. I would like to thank Assembly members Pete Grannis, Aurelia Greene, Joseph Lentol, Audrey Pheffer and the members of their committees for the invitation to address this hearing today and speak to the important issues surrounding privacy in the financial services industry.
Governor Pataki and I welcome the long anticipated arrival of comprehensive modernization for the financial services industry and the great opportunities it promises for consumers and providers of financial services. What is now known as the Gramm-Leach-Bliley Act (GLBA) was literally twenty years in the making, beginning with Treasury Secretary Donald Regans first comprehensive proposal in 1981. The passage of the GLBA will help to rationalize the financial services marketplace and enable New York to retain its status as the worlds financial services capital in the 21st Century.
Market forces are driving inexorably towards the creation of national and even global markets for many financial service products. This new federal legislation provides a much-needed road map by which to chart a course for the future development of these markets in the United States. Until now, the domestic industry has operated within a regulatory landscape which was a patchwork of jurisdictional overlaps, duplicative and conflicting regulation and judicial policymaking. This hampered industrys ability to compete effectively in national and global markets. It also meant that products and services available to consumers often had to reflect the sometimes confusing and inconsistent requirements that resulted from the ad hoc nature of these rules. It is also clear that consumers absorbed part of the cost resulting from the regulatory inefficiencies.
From a regulators perspective, let me say that on the whole I am pleased with the final outcome of the legislation and its adherence to functional regulation across all financial services product lines. Congress has articulated clearly and unambiguously its preference that insurance be regulated by the states under a system of strong functional regulation. I have long been an advocate of functional regulation and continue to believe that it serves the best interests of consumers, companies and regulators alike.
At the same time, fundamental changes in the way financial services are delivered in this country also pose inevitable regulatory challenges. Certainly this is the case with the implementation of the GLBA generally, and todays hearing topic, privacy in the financial services industry, in particular.
Before considering where we should be going with respect to privacy of financial information, it is important first to consider the issue in the context of the existing statutory protections. Privacy protections are contained in the Federal Fair Credit Reporting Act, the Electronic Fund Transfer Act, the Truth-in-Lending Act and the Fair Credit Billing Act, and already govern many aspects of financial services transactions. The New York Insurance Law prohibits unfair methods of competition and deceptive acts and practices and the New York General Business Law places limits on the use of credit card and social security numbers.
The GLBA builds upon this existing body of law, providing consumers with new and important protections concerning the transfer and use of nonpublic personal information by financial institutions. This will be especially important as new national and international markets for financial services continue to evolve. I believe strongly that the financial services markets, whatever their reach or scope, cannot lose sight of consumer protections, which must evolve along with the marketplace. GLBA helps achieve that goal by establishing strong benchmarks that apply nationwide.
Under GLBA, each financial institution is charged with an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of their nonpublic personal information. Each financial institution must clearly communicate its policies and practices with respect to the disclosure of such information to affiliates and nonaffiliated third parties, including categories of information that may be disclosed, and their policies and practices to protect the nonpublic personal information of consumers. Nonpublic personal information can be disclosed to non-affiliated third parties, but not until the consumer has been given a chance to "opt-out" of having that information disclosed. Further, no specific account number information can be given under any circumstances, to telemarketing or direct marketing firms.
Federal regulators, in consultation with state insurance authorities, are directed by the Act to establish comprehensive standards for ensuring the security and confidentiality of consumers personal information maintained by financial institutions. Federal agencies are required to consult and coordinate with one another in order to assure that the regulations each prescribes are consistent and comparable with those prescribed by the other agencies.
As you know, federal regulators have prepared draft regulations. The Act requires that the federal privacy standards be adopted in final form by May 12, 2000.
In addition, the GLBA Conference Report states that "[i]t is the hope of the Conferees that State insurance authorities would implement regulations necessary to carry out the purposes of this title [concerning privacy] and enforce such regulations as provided in this title." The Department is pleased that "the applicable State insurance authority of the State in which the person is domiciled" has been designated as the agency to establish and enforce the appropriate standards covering any person engaged in providing insurance under state law. This reflects the Acts commitment to functional regulation, which I have already mentioned.
It is important that the Insurance Department adopt implementing regulations because the GLBA penalizes states that fail to adopt such regulations. We will lose the right to retain New York Law and override insurance-related consumer protection regulations that are to be prescribed by the federal banking regulators.
The Department has been working steadily to implement the GLBA privacy requirements. First, we are, like you, studying the federal agencies draft regulations. The drafts evidence a concerted effort to provide consistent rules to govern the use of nonpublic financial information. I should note that while the federal regulations must be adopted by May 12, 2000, GLBA imposes no similar deadline for state action. The Insurance Department does intend, however, to proceed expeditiously, recognizing that both consumers and the insurance industry need to know the "rules of the road." At the same time, it would be precipitous to act in a vacuum. The final federal regulations, therefore, will prove useful as the Insurance Department develops its own regulations.
The next thing we are doing is working closely with the National Association of Insurance Commissioners, not only in examining how best to address this important issue of consumer privacy, but also how to do so effectively and efficiently within a fifty state regulatory framework.
In February, I attended a special meeting of state insurance commissioners where I stressed to my colleagues the need for the states to consider the value of coordinating their privacy efforts. In that regard, the Department is active in a NAIC task force examining this issue and participated in a public meeting the NAIC held in Chicago on March 11 to solicit views from the industry and consumer groups. This process continues and I believe it will prove very helpful in shaping fair and balanced regulations.
Here in New York, I have participated in several meetings with a broad spectrum of the insurance industry and representatives from the Banking Department to conduct an overview of existing insurer privacy policies and to understand how they are preparing to implement the requirements of the GLBA.
In conjunction with this effort, on February 3, the Insurance Department issued Circular Letter No. 7(copy attached). The Circular Letter directs insurers to advise the Department concerning their existing privacy policies and safeguards, along with information on any agreements they may have with any third party regarding the sharing of access to customer records and information.
The Department remains deeply committed to its outreach efforts and intends to continue meeting with all interested stakeholders, insurers, producers and consumers alike, as part of our continuing efforts to gather information that will help inform our development of regulations. In the course of this process, there are a number of issues the Department is reviewing, such as:
- The need for uniform standards vs. the potential benefit of stronger state standards;
- Establishing minimum required privacy standards;
- The sharing of information with affiliates;
- The sharing of information with non-affiliated companies;
- Consumer response requirements;
- The definition of non-public personal information; and
- The required disclosure of privacy policies by institutions;
While I must emphasize that the Insurance Departments due diligence continues, it is possible to share a number of preliminary observations as a result of our efforts to date. With respect to the issue of uniform consumer privacy standards vs. stronger state standards, GLBA allows individual states to impose greater privacy protections than those in the Act. The Department undoubtedly will be looking at areas where additional consumer privacy protections may be warranted. On the other hand, while the Act does not require identical or uniform rules in every state, New York and other states must recognize the value for both consumers and companies to be derived from a system of consistent state standards. Likewise, we believe it is essential for all functional regulators, at both the state and federal level, to attempt to adopt consistent regulations. This is in line with the statutory intent of the Act reflected in its directive to federal regulators to closely coordinate among themselves and to consult with state insurance regulators. As we enter the era of a true national marketplace, post Riegle-Neal and post Gramm-Leach Bliley, we must recognize that a national marketplace will demand, in certain instances, national standards.
Significant differences between federal privacy regulations and state privacy requirements also may prove costly for insurers, and ultimately for consumers. These costs inevitably are reflected in the pricing of financial service products and thus may mitigate potential benefits the consumer might derive from additional safeguards, assuming they actually offer incremental protection.
If state regulation of financial information privacy issues results in the creation of a new patchwork of cumbersome and inconsistent rules, it will undercut the support for functional regulation expressed in the Act and could also lead to federal preemption of state regulation of insurance, privacy and consumer protection. In the last ten years, Congress has shown an increasing willingness to preempt state law in areas involving financial services. In some cases, like FDICIA, the Congress was focused on protecting the FDIC. In others, like GLBA, Congress preempted state law in order to eliminate regulatory burdens (as in Section 104 regarding affiliations), and to empower insurers regarding the selection of their operating structure (the right to re-domesticate to a state authorizing mutual holding companies). With regard to Congress actions on managed care, pending the outcome of the House-Senate conference committee, it appears likely that state law again will be preempted.
The most pressing privacy question is how should consumers influence the ability of companies to share nonpublic personal financial information, by means of an "opt-out" or an "opt-in" requirement? Since the enactment of GLBA, most of the public debate has centered on this issue. Additional debate has mistakenly focused on whether the states should impose an "opt-out" requirement on information sharing among affiliates.
Title Vs "opt-out" provision states that all consumers have the ability to prohibit their financial institution from disclosing personal financial information to non-affiliated third parties. The Act does not restrict the exchange of nonpublic personal information among affiliates and expressly preserves the terms of the Federal Fair Credit Reporting Act, and its provision which preempts state laws seeking to prohibit or impose requirements on information sharing among affiliates until January 1, 2004. As a result, the place where the issue of "opt-in/opt-out" and state action really becomes relevant is only with respect to the sharing of personal information with non-affiliates.
It is important to remember that the draft federal regulations implementing the GLBA represent the most comprehensive statement to date on the requirements for financial institutions to protect the privacy of consumer financial information, and a significant expansion on prior law. The draft federal regulations require that a clear and conspicuous notice presenting the institutions privacy policies and practices must be given to the consumer at or prior to the time the customer relationship is established with an institution. Thereafter, financial institutions are required to send their customers a notice of their privacy policies and practices at least annually. Both the initial and annual notices must include: categories of nonpublic personal information collected by the institution, identified by source and content; categories of affiliates and non-affiliated third parties to whom nonpublic personal information is disclosed; an explanation of the consumers right to "opt-out" of disclosures to non-affiliated third parties, including the methods a consumer may use to exercise that right; additional disclosures as required by the Fair Credit Reporting Act; and policies and practices with respect to protecting the confidentiality, security and integrity of non-public personal information.
To elaborate further on the proposed federal regulations opt-out provisions, a financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the initial notice to the consumer, has given the consumer a reasonable opportunity to "opt-out" and the consumer has in fact, not opted-out. For certain one-time transactions, however, the institution may require the consumer to make an "opt-out" decision before completing the transaction. A consumer can choose to "opt-out" at any time and an "opt-out" is effective until revoked in writing. The institution can provide the means to exercise the "opt-out" including check-off boxes in prominent display on disclosure forms, by detachable pre-addressed forms, by self-addressed stamped reply forms, or by e-mail or via a website.
The draft regulations are expected to become final on May 12, 2000 and thirty days after the November 13, 2000 effective date, financial institutions would be required to provide their first notices to consumers.
Another method Congress could have specified, but did not, would have been to impose an "opt-in" system in Title V, pursuant to which financial institutions would be barred from transferring personal financial information unless specifically authorized to do so by their customers. It appears that Congress followed the "opt-out" approach because it has been utilized in other contexts where protecting consumer privacy was the goal. The "opt-out" system lets privacy-sensitive consumers decide for themselves whether they want their financial institutions to share their personal financial information with third parties. By comparison, the "opt-in" system sets as the default rule "no information shall flow". One adverse consequence of the "opt-in" method is that by constricting this flow of information, it becomes more difficult for industry to provide consumers with new and better products and services. "Opt-in", therefore, could mean fewer and more expensive choices for consumers.
At the same time, it is also important to note that whether the consumer declines to "opt-in" or elects to "opt-out", the confidentiality of the information protected is exactly the same. In that case, we must consider the costs vs. the benefits of a system that may result in consumers having to choose among fewer and more expensive financial services products, with a more cumbersome application and closing process.
I would like to return, for a moment, to the subject of functional regulation. Congressman Bliley observed during the House of Representatives deliberations on the Act that "activities should be regulated with the same strong consumer protections and safeguards no matter where the activity takes place. This is called functional regulation, and functional regulation means that everyone gets the same oversight, the same rules, with no special advantage towards any party . . . It is common sense, and it is right." The Insurance Department is delighted by the Acts recognition of the value of functional regulation and its reaffirmation of the McCarran-Ferguson Act.
It is equally important that any action at the State level also remains faithful to the concept of functional regulation.
In the Insurance Departments assessment, great care must be exercised in the resolution of the foregoing issues. We should proceed incrementally, lest we inadvertently harm consumers and the ability of financial markets to continue to provide innovative services and products through well-intended but misdirected efforts to do good.
At the same time, this does not mean that the Insurance Department will be idle. There are three primary tasks that will occupy the Departments attention as we work to implement this historic legislation.
First, the Department will continue drafting regulations while, at the same time, building on our due diligence efforts, including our ongoing dialogue with all affected stakeholders.
Second, the Department is committed to consumer outreach and education to ensure that all privacy-related disclosure is easily accessible and comprehensible to the public, and we are committed as well to ensuring that "opt-out" mechanisms financial institutions may employ are clearly articulated and user-friendly. This effort will likely include a number of prongs, one of which, undoubtedly, will be our Website, an increasingly effective medium for the Department to communicate important news and information to consumers, industry and other interested parties.
In fact, I am delighted to report that just yesterday the Consumer Federation of America awarded New Yorks Web page its highest mark, an "A" rating. New York is commended by the CFA as the first state to "webcast hearings so that the public can get more involved in the regulatory process." The Department looks forward to integrating these multimedia applications into our educational efforts in connection with the development of consumer privacy standards.
Third, the Insurance Department will be vigorously exercising its compliance oversight function to ensure that these privacy safeguards are being observed in the market. In recent years, the Department increasingly has been conducting targeted exams, which can be used in this context to ensure that adequate, complete and easily understood disclosures are being used. In instances where there are suspicions of more widespread market conduct issues, the Department can and will act swiftly to end any deficiencies or abuses that may arise.
One area where the Insurance Department could use assistance in this regard is with respect to civil money penalties. I want to thank Mr. Grannis for having introduced a bill at the request of the Insurance Department (A.9905) which would increase the Departments generic authority to impose civil money penalties for willful violations of the Insurance Law from $500 to $1,000. If enacted, this would represent the first such increase in the Departments authority in this area in over thirty years. Again, thank you for introducing the bill. I urge you and your colleagues to support its speedy passage into law. It would be an important additional tool in the Departments supervision of this and many other areas.
In conclusion, let me again state that I appreciate the opportunity to participate in todays hearing to share the perspectives of the New York State Insurance Department on these important issues. The Department is committed to meeting its GLBA responsibilities and working to protect consumers. I look forward to continuing our dialogue as we address the challenges and opportunities inherent to the implementation of this historic legislation.