Securities and Exchange Commission
Proposed Rule on
Privacy of Consumer Financial Information
File No. S7-6-00
Piper Marbury Rudnick & Wolfe LLP
1200 19th Street, N.W.
Washington, D.C. 20036
March 31, 2000
STATEMENT OF INTEREST
Acxiom Corporation ("Acxiom"), headquartered in Little Rock, Arkansas, with operations throughout the United States and abroad, is one of the leading companies of the information age. Included in its wide area of services are data integration services, mailing list services, modeling and analyses, and information technology outsourcing services, as well as data warehousing. Acxiom's interest in the proposed regulation stems from the fact that Acxiom performs services for a great majority of the financial services industry and uses information in its services obtained either directly or indirectly from financial institutions.
Acxiom is interested in the proposed financial services regulation on several fronts. First, Acxiom offers significant marketing services that use information that could potentially be covered within the scope of the proposed rule. Additionally, Acxiom offers information services to a large majority of the financial services industry, and Acxiom is concerned with the extent to which the proposed regulation could govern the manner in which financial institutions interact with Acxiom. For example, Acxiom serves 24 of the top 26 credit card issuers in the United States. Acxiom's data experience runs more than 30 years from receiving and processing customer files to receiving and processing external data. Finally, Acxiom offers "look-up" services to customers that are in large part based on publicly available information and non-sensitive information obtained from consumer reports. Acxiom is concerned that the proposed rule might impact Acxiom's ability to offer these important services.
Acxiom combines data from many of the top information providers in the country to provide the best possible address coverage in the United States. Acxiom formats, standardizes, identifies duplicate records, and enhances data to ensure accurate and deliverable addresses. Acxiom services are used by new and established businesses to increase their market share by acquiring new and profitable customers and to retain important customers. Likewise, Acxiom services are used to maximize customer relationships and to establish one to one marketing strategies. By creating effective marketing databases, Acxiom is able to build profitable relationships with customers and assist businesses in becoming profitable. Ultimately, these services can greatly reduce costs allowing businesses more opportunity to be profitable and pass savings on to consumers. Likewise, effective marketing helps in providing consumers with products in which they are interested.
Defining effective policy for the information age is both a priority for Acxiom and an area in which it possesses tremendous experience. Acxiom has always taken a proactive approach toward privacy. Through its Corporate Privacy Council, founded in 1991, Acxiom has looked for ways to protect the information it processes on consumers and to promote policies within the industry to protect individual privacy. Acxiom is a member of the Direct Marketing Association, the Individual Reference Services Group, and the Online Privacy Alliance, and supports the fair information practices of all of these organizations.
Acxiom is concerned that the draft rules extend to cover information that is not truly "financial" in a manner that threatens its ability to provide good marketing and locator products. As proposed, the rules would extend to information that is identifiable and possessed by a financial institution even when it is not of a type that is sensitive in nature. Such an overly broad interpretation that extends beyond truly financial information is apparent in the proposed Rule's extension to cover virtually any personally identifiable information (1) provided to a financial institution by a consumer in an application, (2) obtained by a financial institution to verify information about a customer, or (3) contained in a financial services customer list. The final rule should be narrowed to apply to such information only when it is in fact financial in nature.
In response to the alternatives set forth with regard to the treatment of publicly available information, Acxiom believes that information that could be obtained from a public source should be treated as publicly available without a requirement that the information in fact is obtained from a source listed in the proposed rule. The proposed rule should also be clarified so as not to limit consumer reporting agencies from redisseminating identifying information that would in turn limit Acxiom's ability to use such information in its services. Finally, the proposed rule should adopt an exception for the sharing of account number information in encrypted form.
I. The Ability to Provide Good Marketing and Locator Products is Threatened By the Breadth of the Definition of Nonpublic Personal Information, which Extends to Non Financial Identifying Information.
Acxiom believes that it is vital for the proposed regulation not to extend beyond information that is truly financial in nature. The statute is intended to govern financial information, the type of information generally considered to be sensitive in nature. As currently drafted, the proposed rules extend the legislative requirements into areas of information that are not truly financial. Such an extension of the scope of the statute could have the ultimate effect of unnecessarily burdening and limiting valuable services offered by Acxiom and others.
Acxiom services provide among the best means of ensuring accurate consumer information. Acxiom combines data from many of the top information providers in the country, including financial institutions, to provide the best possible address coverage in the United States. Through services that format, standardize, and identify duplicate records, Acxiom can enhance data to ensure accurate and deliverable addresses. Some of the information in these databases originates with financial institutions, although it is not financial in nature.
The overly expansive interpretation of the definition of "nonpublic personal information" lies at the heart of Acxiom's concern. The proposed rule attempts to flesh out the definition of "nonpublic personal information" by defining the statutory term "personally identifiable financial information," and providing examples of information that would fall within it. The proposed rule's interpretation results in covering information that is not intrinsically financial, even though Congress in the statute clearly differentiates protected information from other data by requiring that protected information be both "financial" and "personally identifiable." More specifically, the statute requires nonpublic personal information to be (1) personally identifiable, (2) financial, and (3) either (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution. Evaluation of the examples set forth of personally identifiable financial information reveals how the proposed regulation effectively excludes "financial" from the congressionally-mandated criteria for information to constitute "nonpublic personal information."
The examples set forth in the proposed rule include information provided by an applicant to obtain a loan, credit card, or other financial product or service. The examples appear to extend to all information that an applicant may provide to the financial institution. However, some of the information that consumers routinely provide to obtain financial products or services is not of the type that is financial in nature. For example, the name, address, and social security number of an individual obtained from a financial application, while identifiable information, are not themselves financial. Such information should not be treated as information that is financial in nature and governed by the proposed rule. One of the primary uses of Acxiom services is to verify, for accuracy purposes, the identity of a specific individual. Accuracy in identifying an individual is essential in today's marketing and individual look-up services. We live in a highly mobile world in which individuals change addresses regularly. Often, the most recent application may be the best means of verifying an individual for accuracy. This fact will be increasingly true when such applications and information exchanges occur instantaneously over the Internet.
Other examples in the proposed regulation appear to limit the use of information that results from transactions between the financial institution and the consumer that is not financial in nature. Services that are offered by Acxiom are increasingly being used to verify information provided to Acxiom's financial institution clients by a consumer that is not known to that client to ensure accuracy in transactions. These services rely on name and address and other non financial identifying information obtained from financial institutions. Such services result in a more efficient marketplace that decreases fraud and increases profitability for business and lowers costs to consumers.
The examples also include information obtained from a consumer report or obtained by the bank or its agent in connection with collecting on a loan or servicing a loan. Acxiom uses information in its services that it acquires directly from financial institutions, which the financial institutions in turn have obtained from an outside source. For example, information obtained from some financial institutions is maintained in Acxiom databases. This information is valuable to providing the accuracy and effectiveness available in Acxiom services.
In practice, information obtained by Acxiom from financial institutions is not specifically identified as having been obtained from the consumer or from a third party for verification. Similar to information obtained from applications for financial services, identifiable information could include social security numbers, name, address and other non-financial identifying information. Whether obtained from a consumer report or from another outside source, such information is important to Acxiom's services. This information and the services derived from it are irreplaceable in the modern information economy for accuracy and identification services. Without such information, costs of doing business will increase, creating inefficiencies that could eliminate many businesses or pass higher costs onto consumers.
II. The Proposed Definition of Nonpublic Personal Information Should Not Treat as "Financial Information" Customer Lists That Simply Reveal the Existence of a Customer Relationship Between an Individual and a Financial Institution.
Acxiom also is concerned with the proposed rule's treatment of customer lists that reveal the existence of a customer relationship between an individual and a financial institution. The disclosure of the existence of a customer relationship with a financial institution is not, in and of itself, the type of financial information that could result in substantial harm or inconvenience to an individual that the statute is intended to govern. Every consumer that presents a personal check for payment of an obligation discloses to all who care to observe that they have a customer relationship with a financial institution. Therefore, the existence of a customer relationship should not be interpreted as nonpublic personal information. Of course, the disclosure of more than simply the existence of a customer relationship in some cases could be sufficiently revealing to warrant being classified as financial information. For example, if a customer list were so specific as to identify a person's financial portfolio, this information would, as a practical matter, be financial.
Given the vast diversity of financial products and services that any one financial institution can now offer, however, the disclosure of the existence of a customer relationship with a particular financial institution reveals virtually nothing about the type of financial product or service that a consumer has purchased from such institution. The beneficial marketing uses of financial institution customer lists in the information economy coupled with the absence of any harm associated with mere disclosure of the existence of a customer relationship, mandates exclusion of such information from the coverage of the rule.
III. Information That Could Be Obtained From One Of The Sources Identified In The Proposed Rule Should Be Treated As Publicly Available Information.
The proposed rule contains two versions of the definition of what constitutes "publicly available information." The first version, Alternative A, would not treat information as publicly available unless it is obtained from one of the public sources listed in the proposed rule. Alternative B would treat information that could be obtained from public sources listed in the rules as "publicly available."
Acxiom believes that with an appropriate amendment to reflect the concerns stated above, Alternative B contains the appropriate definition for what constitutes publicly available information in this context. To impose an obligation on companies that would require them to verify that--in fact--the information is obtained from a public source is overly burdensome and a tremendous waste of resources. One of the key benefits of the information society is the efficient and instant exchange of information. As an example, Acxiom has been developing products that can provide instantaneous distribution of information to its customers through the Acxiom Data Network. In today's emerging information and Internet economy, changes in the marketplace occur rapidly. It is important to have instantaneous and up to date information to accurately market to and locate individuals. Requiring confirmation that publicly available information obtained from financial services has, in fact, been obtained from a public source could be detrimental to the instantaneous flow of information and set a dangerous precedent with regard to limiting the dissemination of publicly available information.
IV. The Proposed Regulation Should Clarify That Third Parties, Such As Consumer Reporting Agencies, Can Redisseminate Identifiable Data if Supplied by Financial Institutions For Non-Exempted Uses.
Acxiom uses non-financial information obtained from the consumer reporting agencies that includes name, address, date of birth, and other identifying information. This information is generally obtained, in part, from the consumer reporting agencies in the form of "credit header information." As the use of credit cards and similar offerings of financial services institutions have increased in recent years, one of the primary means of obtaining the most current address information of consumers is from the name and address portion of a consumer report. In its services that assist in locating and verifying the identity of individuals, this source of information is among the most reliable. Such information is used by Acxiom customers to locate and identify individuals. Such services are used for numerous societally beneficial uses. For example, such services are used for fraud prevention, child support enforcement, locating heirs to estates, uniting separated families, locating pension fund beneficiaries, to name just a few.
As proposed, the rules could limit the ability of Acxiom to obtain non-sensitive identifying information from consumer reports. The proposed section which implements Section 502(c) of the Act, restricts the ability of third parties to redisclose nonpublic personal information they receive from financial institutions. This provision "places the institution that receives the information into the shoes of the institution that disclosed the information for purposes of determining whether redisclosures by the receiving institution are 'lawful.'" The financial institutions could interpret this language in a manner whereby they contractually limit the use of information that consumer reporting agencies obtained from the financial institution.
If under the proposed regulation a financial institution is prohibited from disclosing names and addresses of its customers because it reveals a customer relationship, then no consumer reporting agency could redisclose the name and address information obtained from a financial institution unless it falls within an exception. This would be the case even though the rationale for why a financial institution is prohibited from disclosing the information--because it reveals a customer relationship--does not apply to the "sanitized" name and address information contained in header form. While perhaps appropriate for information that is truly "financial" in nature, such a limitation on use and disclosure should not extend to such non-financial identifying information.
As currently drafted, the proposed rules are not clear as to whether the section 502(e)(6) exemption for consumer reporting agencies exempts the redissemination of identifying data from consumer reports. This might be read to cover only the protected data that banks furnish to consumer reporting agencies and the data that these agencies publish in "consumer reports." It is unclear that the exemption applies to an agency's distribution of identifying information that it obtains from its database.
One possible interpretation that would allow for the use and distribution of identifying information handled by consumer reporting agencies can be found in section 506(c) of the Act, which states in relevant part that "nothing in this act shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act." Preventing the consumer reporting agencies' current practice of disseminating identifying data certainly would modify the current operation of the FCRA. Thus, the final rule should clarify that financial institutions and thus consumer reporting agencies can disclose such information.
V. Data Processors Should Not Be Subject to the Act's Disclosure Requirements.
The proposed rules recognize that the definition of "financial institutions" encompasses a broad spectrum of businesses. Included in this definition are data processors who perform services for a financial institution, but do not provide financial products or services to individuals. The proposed rule would not subject these financial institutions to the Rule's disclosure requirements because such institutions do not have "consumers" or establish "customer relationships."
Acxiom serves as a data processor for numerous financial institutions. Acxiom does not currently provide notice to consumers of the myriad of financial services that it supports through its data processing services. Such a requirement could potentially subject Acxiom to disclosure requirements to more than two hundred million Americans. Obviously, such a requirement would be very burdensome and provides no obvious benefit to consumers. As a result of their direct relationship with the customer, the financial institution is best situated to comply with the Act's disclosure requirements.
VI. The Proposed Regulation Should Adopt an Exception for the Sharing of Account Numbers To Non-Affiliates in Encrypted Form.
Section 502(d) of the Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, account numbers or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. The conferees contemplated that the regulating agencies could adopt an exception to this section to permit the disclosure of customer account numbers or similar forms of access numbers or access codes in encrypted, scrambled, or similarly coded form.
Section 502(d) was drafted to prevent account numbers and similar account access codes from being used without the consumer's consent. If a consumer consents to the disclosure and use of their account number information by third parties for use in marketing, such use should not be prohibited by the regulation. Moreover, if the account number is unable to be used by the third party to access the consumer's account because the account number is encrypted, a prohibition on such transfers would be unnecessary. For these reasons, in order to implement the congressional intent, the final rules should adopt an exception as discussed in the conference report to permit the disclosure of account numbers in encrypted, scrambled, or similarly coded form.
Acxiom urges that the clarifications suggested above be adopted. These clarifications are faithful to the protection of financial privacy while at the same time allowing for many societally beneficial uses of information that are not of such a sensitive nature. Acxiom appreciates the opportunity to comment.