TESTIMONY OF ANNETTE L. NAZARETH
DIRECTOR OF MARKET REGULATION
U.S. SECURITIES AND EXCHANGE COMMISSION
CONCERNING FINANCIAL PRIVACY
BEFORE THE SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND CONSUMER CREDIT
COMMITTEE ON BANKING AND FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
JULY 21, 1999

Chairwoman Roukema, Congressman Vento, and Members of the Subcommittee:

I am pleased to testify today on behalf of the Securities and Exchange Commission (the "Commission" or "SEC") regarding financial privacy. The Commission supports the legislative efforts that are currently being made to enhance financial privacy.

Americans generally expect their financial transactions -- and their financial information -- to be private. This expectation exists across the broad range of financial services -- not just in the securities business. Meeting this expectation of privacy is one way that providers of financial services demonstrate their own integrity and earn their customers’ and clients’ confidence. That confidence is essential to the continued success of all financial services providers, including those that the Commission regulates.

I. Background

Americans always have placed a great deal of importance on privacy. As Justice Brandeis noted many years ago, privacy is "the most comprehensive of all rights and the right most cherished by a free people."[1]

A number of factors have converged in recent years to bring discussions about the importance of privacy -- and in particular, financial privacy -- to the forefront. The exponential growth in electronic commerce, and in technology, means that more information can be collected than ever before. Moreover, that information can be stored, sorted, and analyzed quickly and cost effectively. The effects of living in the Information Age can be seen throughout our daily lives. Even grocery stores track our purchases in order to target their marketing efforts. As we all know, privacy concerns are not just domestic.
In the international sphere, the European Union’s Directive concerning data protection -- and U.S. efforts to respond to it -- have heightened the need to address concerns about protecting personal data, including financial data.

Financial modernization and the burgeoning merger activity among banks, securities firms, and insurance companies have heightened interest in the need to protect financial privacy. Mergers of large companies can result in huge databases of customer information. We’ve all read the recent media reports of financial institutions sharing -- or even selling -- their personal customer information.[2] Moreover, we recognize the risk that a financial institution may inadvertently disclose financial information just because it lacks adequate controls.[3]

There is, however, another side of this coin. Financial institutions often have a legitimate need to share personal financial information. A good example of this is credit checks. Another example is when a customer does business with two affiliated companies and the companies share information in order to save the customer time and trouble.

So what is the difference between legitimate information sharing and violations of customers’ privacy? The key here is the customer’s expectations. If a bank customer opens a bank account linked with a securities account offered by the bank’s securities affiliate, the customer would reasonably expect the bank to share information with the securities affiliate. The customer might not, however, expect the bank to share this same information with a third party that was marketing other financial services.[4]

In the past, customary business practice came much closer to matching customer expectations. It was just too expensive to gather and transmit data in the pre-computer age. Moreover, many businesses had the incentive to keep their customer information from others.
While those incentives are still valid today, consolidation of financial services businesses has made them less critical. As Congress considers the issues inherent in reforming financial services regulation, it is appropriate for Congress and financial regulators to evaluate how to ensure that the expectations of privacy of financial services customers will be met.

II. Privacy and the Securities Regulatory Scheme

Although the federal securities laws do not contain an express requirement for registered broker-dealers, investment advisers, or investment companies to safeguard the personal financial information of their customers and clients, the Commission has reminded these entities that, as financial professionals, they should protect this information.[5] In particular, the Commission has stated that broker-dealers, transfer agents, investment companies and investment advisers should take reasonable precautions to ensure the integrity, confidentiality, and security of personal financial information when it is delivered through electronic means.[6]

In addition to being regulated by the Commission, broker-dealers are regulated by securities self-regulatory organizations ("SROs"). We believe that SROs, which are required to have rules to promote just and equitable principles of trade, have the authority to address privacy concerns. SROs have used this authority to bring disciplinary actions. For example, one SRO censured a registered representative and barred him from the industry for, among other things, improperly disclosing customer account information that was used to withdraw funds from the customer's account without the customer’s knowledge. In imposing these sanctions, the SRO found the registered representative’s conduct was inconsistent with just and equitable principles of trade.[7] Of course, misuse of customer information may also be an element of fraud.

**FOOTNOTES**

[1]: Samuel D. Warren and Louis D. Brandeis, "The Right to Privacy," 4 Harv. L. Rev. 193 (1890).

[2]: On June 9, 1999, the State of Minnesota sued Minneapolis-based U.S. Bancorp for allegedly violating the federal Fair Credit Reporting Act, as well as state consumer fraud and deceptive advertising practices laws, for selling customer information to Member Works, Inc., a seller of memberships in discount health programs, in exchange for $4 million plus 22% of sales.

[3]: The practice of "pretexting" (i.e., obtaining private financial information from banks and others under false pretenses) has been on the increase. Pretexting has been used to effect "financial identity theft," which occurs when someone uses the identifying information of another person -- the name, Social Security number, mother’s maiden name, or other financial information -- to commit fraud or otherwise engage in other unlawful activities. Using account balances and numbers obtained from a pretexter, an identity thief could deplete a bank account or liquidate a stock portfolio. See "The Federal Trade Commission on Financial Identity Theft," Prepared Statement of Joan Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, before the House Commerce Committee, Telecommunications, Trade and Consumer Protection Subcommittee, and Finance and Hazardous Materials Subcommittee, April 22, 1999.

[4]: Customers also might not expect the bank to share the information with affiliates for marketing purposes. See, e.g., In the Matter of NationsSecurities and NationsBank, N.A., Securities Act Release No. 7532 (May 4, 1998). In that case, employees of a bank provided its affiliated broker-dealer with maturing CD lists and lists of likely prospective investors. The broker-dealer's employees also received other bank customer information such as financial statements and account balances. Those broker-dealer employees then used that information to target bank customers for securities purchases, and in so doing, mischaracterized the nature of the investments sold. As a result, many elderly customers were moved from bank CDs to high-risk mutual funds or other unsuitable investments. In settling the Commission's enforcement action for violations of the antifraud provisions of the federal securities laws, the defendants paid a civil penalty of $4 million.

[5]: Securities Exchange Act Release No. 37182 (May 9, 1996), 61 FR 24652 (May 15, 1996).

[6]: Id.

[7]: In re Albert Anthony Dello Russo, New York Stock Exchange Panel Decision 96-23 (March 5, 1996).

III. Description of H.R. 10 Proposal

The privacy provisions in Title V of H.R. 10 are an important first step in rationalizing the current patchwork scheme of privacy protection.[8] In general, these provisions would impose an affirmative and continuing obligation on financial institutions to respect their customers’ privacy, and to protect the security and confidentiality of those customers’ nonpublic personal information. While the provisions would permit information sharing between affiliates and agents of financial institutions, they would restrict the disclosure of nonpublic personal information to unaffiliated third parties. Among other things:

- All financial institutions would be required to disclose their practices and policies with regard to protecting the consumer’s non-public personal information. Financial institutions are broadly defined and would include broker-dealers, investment companies, investment advisers, banks, thrifts, savings and loans, insurance companies, among others.

- Disclosure of nonpublic personal information to unaffiliated third parties would be limited. Among other things, consumers would have to be notified, and given the opportunity to opt out, of the disclosure before the disclosure occurs. Certain disclosures would be exempted from this requirement, including disclosures to third parties that provide services or functions on behalf of financial institutions.
Disclosure of customer financial data to non-affiliated third parties for marketing purposes, however, would be prohibited. Financial institution regulators would be required to jointly issue rules to implement these provisions.

IV. Comments on H.R. 10’s Privacy Proposal

H.R. 10 is an important step forward in creating a consistent, enforceable privacy protection framework for American investors. We support requiring financial institutions to disclose their privacy policies to their customers and prospective customers. In receiving this notice, investors would have the ability to choose among firms based on their personal priorities.[9] We are also sympathetic to giving customers the ability to decide whether their personal financial information will be shared, even among affiliates, and particularly when it is to be used for marketing purposes.

Any legislative proposal to heighten financial privacy protections needs to balance a number of concerns. First, information sharing may be necessary for a financial services provider to be able to do its job. A broker-dealer, for example, must be able to share elements of its customers’ personal financial information with other brokers or clearing agencies in order to clear and settle trades. Information sharing can also be a cost-saving device for financial services providers. As firms consolidate, they enjoy many efficiencies of scale, including the ability to avoid duplicative information gathering. Customers, as well as firms, can benefit from these efficiencies. Customers, however, should know when their personal information is going to be shared, and they should have a voice in saying how far that information should go.

The Commission also strongly supports an exception for information shared in the context of executing transactions. Elements of apparently seamless securities transactions often involve parties that must share customer information in order to continue to provide the services customers have come to expect. Depending on the size and the structure of the firm involved, these parties may or may not be affiliated. For example, a customer’s purchase of shares in a mutual fund may involve a sharing of functions among an investment company, an investment adviser, a fund administrator, a distributor, and a transfer agent. A purchase of an equity security from a broker may involve an introducing broker, a clearing broker, a transfer agent and a depository. Depending on the particular circumstances of a transaction, any of these parties may or may not receive customer information and may or may not be affiliated with the originating organization.

In addition, we note that there are various technical issues contained in H.R. 10’s privacy provisions that will need to be addressed if H.R. 10 becomes law. In particular, the SEC and SROs need clear and express authority to enforce the privacy provisions and rules applicable to securities firms. The bill currently is unclear whether enforcement authority is shared with the Comptroller of the Currency and the Office of Thrift Supervision. For broker-dealers that are subsidiaries of national banks and savings associations, respectively, we believe that enforcement authority over the broker-dealer affiliate should be allocated solely to the Commission. Similarly, we believe that the system for joint rulemaking by the federal regulators with a six-month deadline is unrealistic, given the number of agencies involved in the joint rulemaking, the requirement of consultation with the FTC and state insurance authorities, and the requirements of the Administrative Procedure Act.

VII. Conclusion

I appreciate the opportunity to provide this testimony on behalf of the Commission. The issues that you are considering here today are important. While the decisions you make will affect all segments of the financial system -- from large corporations to small investors -- we believe that the key concern is to meet the reasonable expectations of individual investors, policy holders, and bank customers, both in terms of privacy and in terms of efficiency and service. We support the efforts of this Subcommittee to address this important issue. We would be happy to work with you and your staff going forward in addressing issues relating to the SEC, investors and the securities industry generally.

**FOOTNOTES**

[8]: An appendix discussing current federal and state laws that affect how securities firms handle personal financial information is attached.

[9]: We presume, however, that any legislation adopted by Congress would include provisions that ensure that any new protections enacted would not interrupt the ability of the Commission or the SROs to obtain the information we need to carry out our regulatory mandates.