Testimony of Edward L. Yingling
On Behalf of the American Bankers Association
Before the
Committee on Banking and Financial Services
United States House of Representatives
June 14, 2000

 

Mr. Chairman, I am Edward Yingling, Deputy Executive Vice President and Executive Director of Government Relations for the American Bankers Association (ABA). ABA brings together all elements of the banking community to best represent the interests of this rapidly changing industry. Its membership – which includes community, regional, and money center banks and holding companies, as well as savings institutions, trust companies, and savings banks – makes ABA the largest banking trade association in the country.

Mr. Chairman, thank you for holding this hearing on medical privacy. The issue of privacy – that is, the responsible use and protection of customer information – is the ABA’s top priority. The banking industry has a long history of earning the trust of its customers and, in particular, of protecting their private financial information. Indeed, our extensive survey work shows that consumers trust banks more than virtually any other institution to protect their information.

We are now in the middle of a revolution in information technology. This rapidly changing technology landscape raises exciting new possibilities to provide customers with new and innovative products, to increase convenience, and to lower costs. At the same time, this changing technology raises important questions about the appropriate use of information and the need to make sure we meet the expectations of our customers that information be used responsibly. While technologies have changed, the fundamental principle of protecting customer information and preserving trust has not – it remains the cornerstone of successful banking.

It would seem obvious that medical information is at the top of the list of information about which consumers are concerned, and, indeed, our survey work confirms that. Throughout its history, the banking industry has protected the medical information of its customers whenever that information has been made available to banks. Therefore, our industry’s basic approach to medical information is straightforward: Medical information should only be used for the express purpose for which it is provided and should not be shared without the express consent of the customer. More specifically, concern has been expressed that lenders might use medical information obtained elsewhere in making a credit decision. ABA’s position is that such use of medical information in a credit decision obtained without the knowledge and consent of the borrower is just plain wrong. There are instances where medical information is relevant – for example, in sole proprietorships or small businesses where the franchise value of the firm hinges on one or two key individuals. In such cases, insurance on the key individuals might be required. However, in those instances, the prospective borrower will know what information is required, and can expressly consent to its being obtained and used. Otherwise medical information should not be used.

On June 6, the ABA, joined by the Financial Services Roundtable and the Consumer Bankers Association, announced new voluntary guidelines on the appropriate use and protection of information, based on the extensive work of a blue ribbon ABA task force. Attached to this testimony is a copy of those guidelines. The guidelines represent core values for our industry. The guidelines will help bankers reassess every aspect of how they collect, use and distribute information – from who sees the information, to how it is stored and updated; from how it is used to benefit the customer, to how it is protected.

We believe one of the most important guidelines is number 3, which states:

Medical Information Will Not Be Shared

Financial institutions recognize that, when consumers provide medical information for a specific purpose, they do not wish it to be used for other purposes, such as for marketing, or in making a credit decision. If a customer provides personal medical information to a financial institution, the financial institution will not disclose the information, unless authorized by the customer.

In addition, last year the ABA supported the legislative provisions on medical privacy that were contained in early versions of what became the Gramm-Leach-Bliley Act. We were disappointed that the issue was not addressed in that legislation last year.

Therefore, ABA can clearly support the thrust behind H.R. 4585. Having said this, I must also say that the ABA has very serious concerns relating to H.R. 4585 in two areas. The first relates to process. While it may indeed be possible to obtain a broad consensus on a targeted bill on medical information, I want to emphasize that the ABA, and I believe the financial services industry generally, would be strongly opposed to opening up the privacy provisions of Gramm-Leach-Bliley on a broader front. Given the limited number of legislative days left in this Congress, any attempt to broaden the legislation would likely mean that there would be no legislation at all.

It should be clear to everyone by this time that privacy is a tremendously complex area – and one where the law of unintended consequences is very much in play. We recognize that some members of this Committee did not feel that the privacy provisions in Gramm-Leach-Bliley went far enough, but one has only to look at the length and complexity of the regulations just finalized to realize what a major piece of legislation the privacy provisions were. The ABA strongly believes that we need to see just how the current law works before we try to add additional requirements to it.

A special word is in order about regulatory costs. Our members are now beginning to estimate the cost of compliance with the new privacy law, and it is clear for the largest banking institutions that it will be in the tens of millions of dollars each. Indeed, we believe it is a conservative estimate that the initial cost across all financial services firms will be in excess of $1 billion, with additional ongoing costs each year. These costs include developing the privacy programs, reworking all information systems throughout each institution to comply with those programs, training virtually every employee within an institution, and developing and mailing the privacy notices. It is, of course, the case that in a competitive market – like that for financial services – it is the consumers of the products and services that ultimately pay most of these costs.

A second area of concern relates to some of the specific provisions in H.R. 4585. Working with our colleagues in the Financial Services Coordinating Council (FSCC), we have identified a number of specific problems in the bill that need to be addressed. (The FSCC consists of the ABA, the American Insurance Association, the American Council of Life Insurers, the Investment Company Institute, and the Securities Industry Association.) In particular, there are specific recommendations from the insurance industry relating to long-standing underwriting processes that are used to develop appropriate insurance models. ABA urges the Committee to listen carefully to those concerns and to address them in any mark-up of this bill.

Furthermore, the ABA has a very real concern with the subsection in the bill relating to "Consumer Rights to Access and Correct Information." Simply put, we find this provision totally unworkable in the real world. The concept of having a consumer be able to see his or her medical information and to correct it is likely based on the Fair Credit Reporting Act (FCRA). Under that act, consumers are given the right to see their information in their individual credit file and to ask that any misinformation be corrected. There are two very important differences between the FCRA and the consumer access provision in H.R. 4585. First, under FCRA, the request to see information relates to a very specific credit file. The entire function of credit bureaus is to develop a report on individuals, and, therefore, information is centralized into that one file. In fact, the purpose of credit bureaus is to collect in one place credit information from many sources so that a lending institution relying on a credit report will have the full history of the prospective borrower. On the other hand, banks generally do not collect medical information on customers. Whatever information a bank may have access to is a natural consequence of providing services, such as payment system services (e.g., checking, credit card, and debit card services). Because such information is not collected and stored in one place such as a specific file, it would be difficult if not impossible for a bank to retrieve with confidence any medical information that it may have access to. In fact, we would think Congress would not want us to collect it in a central location.

Secondly, the FCRA is designed to protect the information that is used for a very important purpose – making credit decisions. Credit bureaus deliberately collect this information from many sources in order to provide it to lenders for credit decisions. If the information is incorrect, it may prove to be difficult or even impossible for the consumer to obtain credit even though he or she might otherwise be considered eligible if the information were correct. The Congress, quite understandably, believed that this was of tremendous significance to the consumer. Under H.R. 4585, however, the consumer is to be given access to information whether or not it is used for any purpose whatsoever.

Thus, under the literal language of H.R. 4585, an individual can call any financial institution and demand to see any medical information that might be held anywhere in the institution no matter for what purpose it is held. In fact, the consumer apparently can generate a search even though he or she does not have a basis on which to believe the institution has or is using medical information. In order to comply with such a request, the institution would, under the language of the bill, need to query the great majority of its employees to see if each employee has somehow or other gathered some medical information on the consumer. While this may not have been the intent of the legislation, it is a plain reading of its language.

Part of the problem may be a misconception that there is, in any financial institution, one list that contains all the information about a consumer. In institutions of even the smallest size, that is not the case. At any given time, there are numerous lists, developed under different circumstances or for different purposes. There also is information in many employees’ files that is never put on any list or in a database. While it, again, may not be the intent of the legislation, let me cite a few examples that would seem to be covered by the consumer access requirement. Note in this context that the definition of "individually identifiable health information" in the bill is very broad.

First, it would seem that a bank would have to go through every check written by the consumer and every credit card slip in its files to see if they contained any applicable medical information – a process that is not done today and is antithetical to the notion of medical privacy. Such a huge undertaking would necessarily involve speculation on the part of the financial institution as to what constituted medical information. For example, would a debit card transaction at the local CVS pharmacy be considered medical information? Clearly, CVS sells thousands of products that are not medically related. Moreover, financial institutions would also have to review any loan made to the consumer to see if the proceeds of that loan were, in any fashion, used for medical purposes and the fact that the money was so used somehow communicated to the bank. All lending officers and insurance agents would have to be asked if they had ever taken any medical/insurance information as part of a loan or insurance application and kept that information in one of their files.

The institution would also, under the literal language of the bill, have to query all its branches to see if any information had been provided to branch personnel. This would not be limited to the home branch of the customer, as the customer could have had some interaction with any branch. Suppose, for example, that a customer goes into a branch away from his or her home town for a cash advance on a credit card to deal with the costs surrounding an extended stay due to injury to a family member caused by an accident. Suppose also that the branch manager, in the process of making every effort to aid the customer, recorded in a file the nature of the situation. If, six months later, that same customer calls an 800 number and requests his or her medical information, the bank would be in violation of the law if it did not include the record of that branch manager, even though the home office had no way of knowing that the branch manager had the information or had ever dealt with the customer. Literally, to be in compliance, the home office would have to query the great majority of its employees to make sure that none of them had come into possession of some medical information and had it in a file somewhere.

In this respect, the bill provides for reimbursement of "reasonable" costs. What would be a "reasonable" cost? If a "reasonable" cost is that needed to cover the cost to the institution, which we would argue it should, then it could be very expensive to the consumer to make any such inquiry. That, of course, would make the access requirement of no value. Would "reasonable" include the overhead cost of developing and maintaining a system to reply to such inquiries? If "reasonable" means a few dollars, then financial institutions will lose great amounts on any inquiry. Some may argue that such inquiries would be rare, but the institution would still be required to have an expensive process in place to access the information across its entire operation, no matter how infrequent the inquiries might be. On the other hand, since the bill allows any "consumer" to make such requests, a large group could demand searches just to hurt an institution.

ABA also is concerned about the paragraph on page 7 of the bill entitled "Restraint on Information Requests." Quite frankly, we cannot understand its effect.

In conclusion, Mr. Chairman, the ABA believes that medical information should only be used for the express purpose for which it is provided and should not be shared without the express consent of the customers. However, the ABA does have serious concerns about the legislative process going beyond medical privacy and about specific provisions of the bill. In particular, the ABA is strongly opposed to the provision which would establish a new, open-ended right to force an institution to search for information wherever it may be in an institution and whether or not it is being used to make a decision of any importance to the consumer. The situation is not analogous to the FCRA, where consumers have a legitimate concern that misinformation in a specific place – a credit file – could adversely affect their ability to obtain credit. Under H.R. 4585, there is no requirement that the information is being used in a manner of any importance to the consumer. We hope that these concerns can be addressed by the Committee and we look forward to working with Committee members to that end.