Options for Promoting Privacy on the National Information Infrastructure. 1. Personal Financial Records


Most people consider their financial condition a private matter and are reluctant to disclose their net worth or annual income. At the same time, however, many entities -- including the government, banks, and credit reporting agencies -- possess detailed information on the financial status of many individuals. Frequently, the use and disclosure of this information is regulated, but information that cannot be obtained from one source may be readily available from another.

Tax Records. Tax records held by the government are strictly governed by section 6103 of the Internal Revenue Code. This statute applies to use of tax records by the government for government purposes, as well as disclosure by the government to the private sector.168

Bank Records. Financial institutions generate and retain vast quantities of financial data on individuals.

(a) Government access. Government access to financial information held by financial institutions is regulated by the Right to Financial Privacy Act of 1978 (RFPA).169 The impetus for enactment of the RFPA can be traced to both prior legislation and judicial decisions.170

The RFPA limits federal government access to and use of personal financial information maintained by private sector financial institutions in two ways: (1) it regulates the disclosure from the financial institution to the federal agency in the first instance, and (2) it regulates the disclosure among government agencies where an agency has lawfully obtained records from a financial institution pursuant to the Act.171

The RFPA affords significant protection regarding government access to personal financial information. The RFPA attempts to balance this protection with the federal government's legitimate interest in such information. For example, the RFPA requires the government to notify customers of any request for their financial records172 and permits customers to challenge the government's request.173 Under certain conditions, however, the government may delay the notification.174 Additionally, the RFPA provides for civil penalties and injunctive relief where financial records have been disclosed in violation of the Act but does not provide for the suppression of records so obtained.175 Finally, the Act exempts many types of disclosures (e.g. disclosure pursuant to a grand jury subpoena or in conjunction with litigation to which the government authority and the customer are parties).176

(b) Private sector use. Banking customers value financial privacy. The banking industry, from the consumer's perspective, is very competitive, particularly at the branch level. A consumer's ability to take his or her banking business elsewhere may account, in part, for the banking industry's traditional reluctance to disclose banking records.

In the Information Age, can consumers continue to rely on competition to protect their banking records from unwanted disclosure? As new information technologies rapidly expand the abilities of banks to collect, combine, and transmit data about customers, incentives to use banking records for marketing purposes may erode industry's historic restraint. In many cases individuals have little knowledge of or control over the use of their bank records. BankAmerica describes the dilemma aptly:

Privacy is not a new concept in banking. By law and custom, it is recognized throughout the world that the relationship between a bank and its customer is confidential. The proliferation of computers has made the adherence to this concept of privacy more complex. Specifically, the public's concern has centered on the difficulty an individual can have in discovering and controlling what data will be collected about him or her, challenging the accuracy of the data, and determining who will have access to that data and for what purpose.177

The financial services industry is being challenged by new technology. For example, on-line banking allows customers to pay bills, transfer money between accounts, check balances, and perform other banking transactions by computer or touch-tone phone.178 Today, consumers can download mortgage application forms, fill out the forms on a computer, and then submit the loan application electronically.179 Several innovative U.S. banks are exploring the uses of smart cards. These services in turn generate digitized transactional data. Smart cards, for example, might contain a customer's entire credit, purchase, and medical history, along with any other data that can be stored on a microchip.180 Banks are beginning to use existing customer information more creatively, and adding demographic information to existing customer lists for targeted marketing purposes.181

Changes in the banking industry hold the promise of significant consumer benefits, including:

... the great potential to permit cost-effective, risk-managed marketing to small niches that were often by-passed in big-scale mass marketing efforts because they were too small to pitch a product or promotion to. Lots of data and sophisticated scoring models make it possible to evaluate risk and set prices soundly at low cost, while lots of data and sophisticated marketing make it possible to design products and promotions that go just to target groups, at low cost. This combination opens an opportunity for expanded marketing pitched to the special interests of ethnic minorities, to people who lack traditional credit profiles, and to more people at the margins of the economic mainstream.182

The move from traditional banking services into other areas such as database marketing, however, presents new privacy concerns for the industry.183 For example, card-issuing banks have access to direct-marketer customer information as part of their billing procedures. Database marketing has likewise brought banks into business relationships with buyers and sellers of personal information who do not share the banking industry's traditional approach to customer privacy. These information brokers are essentially unregulated in their use of personal data.184 The dramatic fall in the price of computer storage has made it possible for businesses to accumulate and maintain large quantities of data about their customers. For ten cents a name, middlemen offer extensive data on most U.S. families.185

In the absence of privacy statutes applicable to the financial services sector, some individual financial institutions have adopted privacy codes. But the banking industry is only beginning to adopt industry wide privacy principles.186

Individual banks and financial service providers have developed internal policies on handling and disseminating customer information. For example, a bank might not release account numbers along with personal financial information furnished to credit bureaus, or may enter into a confidentiality agreement that precludes a third party service provider, such as a supplier of credit life insurance, from using customers' names for any other purpose.187 Some financial services providers have demonstrated leadership by adopting formal privacy policies.188 These policies generally restrict disclosure of data to those with a "business need" to see it, and often offer consumers the ability to "opt out" of receiving promotional mail. The opt-out programs do not limit the information that financial companies collect about their customers or purchase from outside sources.189

In the Information Age, inadequate protection of privileged financial information among banks, credit bureaus, and software manufacturers, especially when combined with other types of information such as demographic profiles, could result in the misuse or abuse of personal information. As banks merge and become more electronically oriented, the potential for privacy problems increases dramatically. Yet, as noted above, there are few laws and privacy principles in place. Whether privacy standards in the banking industry will keep pace with the industry's adoption of new information technologies remains to be seen. But, to the extent that confidentiality of customer information has been "the missing link" for providing on-line transactions,190 privacy concerns must be addressed if "cyberbanking" is to take root.

Credit Information. The credit reporting industry maintains the largest repositories of information about Americans outside of the federal government.191 The industry is dominated by three giant credit bureaus -- Experian Inc. (formerly TRW Information Services), Equifax, and TransUnion. These bureaus keep files on anyone who buys anything on credit, which includes nearly 90 percent of American adults.192

Credit bureaus sell credit reports to credit grantors so that they can assess a consumer's willingness and ability to repay a credit grant. Businesses that grant credit, such as banks, retail stores, and credit card issuers, report the credit history of their customers to these credit bureaus.

For the consumer, the credit reporting industry does not provide competitive options. Credit reports about an individual are often maintained by more than one of the big three bureaus, and the consumer will only know which bureau possesses what information if he or she makes the effort to acquire his or her credit records. Within the industry, however, there is a great deal of competition among the large credit bureaus for the business of credit grantors.

The Fair Credit Reporting Act (FCRA) governs disclosure of credit information by credit bureaus.193 Congress enacted the FCRA in 1970 to ensure that consumer reporting agencies provide consumer credit information only to businesses with a legitimate need for this information, and in a manner that is fair to the consumer with respect to the confidentiality, accuracy, relevancy, and proper use of such information.194

The FCRA regulates the information that credit reporting agencies may maintain on consumers. For example, agencies must delete most adverse information from consumer credit reports after seven years.195 The FCRA also prohibits the production of reports on a consumer's character and reputation based solely on interviews, without disclosure to the consumer and other safeguards.196 Furthermore, whenever a consumer is denied credit for personal, family, or household purposes, or is denied employment, and (in either case) the denial is based on information in a consumer report, the entity that received and used the report is required to notify the consumer and identify the consumer reporting agency in question.197

The FCRA also requires consumer reporting agencies to provide consumers with information from their files; establish procedures for dealing with disputes about the completeness or accuracy of information maintained in their files; and take special precautions, when reporting public record information, to ensure the completeness and accuracy of that information or, in the alternative, to notify the consumer that such information is being reported.198 Finally, the FCRA places some restrictions on the dissemination of credit information to third parties. For example, it provides that a consumer reporting agency may disseminate a report on a consumer only pursuant to a subpoena or court order; with the consumer's consent; or for use in connection with one of several enumerated purposes.199

Early proponents of the FCRA had sought to limit the disclosure of confidential credit information to third parties, such as banks and other credit grantors, who needed access to this information to make credit granting decisions.200 As enacted, however, the FCRA requires only that credit bureau customers must have a permissible business purpose to purchase credit reports.201 The FCRA defines permissible purposes broadly, encompassing employers, landlords, private investigators, and others.202 The scope of the permissible purpose language concerns many privacy advocates. According to one commentator, just one of the "big three" credit reporting agencies sells 500,000 records each day.203

Other commentators have criticized the FCRA for vague drafting, poor enforcement, obsolescence in the face of technological change, and lack of consumer education.204 Additionally, commentators have pointed out that only limited transactions are protected. For example, the FCRA does not cover exchanges of information involving business transactions, only those involving "consumer" oriented matters.205 In addition, the FCRA only applies to the items specifically enumerated in the statute, excluding from coverage items such as credit reports sought in connection with insurance claims.206

During recent years the credit reporting industry has come under increasing attack on consumer issues. In 1993, the Associated Credit Bureaus (ACB) adopted mandatory member policies to improve privacy, accuracy, and consumer relations issues.207 Additionally, the industry has recently acted to establish standards and procedures for the automation of consumer dispute verification208 and has created a specialized electronic mail network to speed resolution of consumer complaints about inaccurate personal information.209 In 1991 Experian (then TRW) agreed to a consumer credit information gathering and dissemination code in cooperation with a number of states. Equifax reached a similar agreement in 1992.210

The industry has also adopted some voluntary privacy standards and mechanisms to correct erroneous personal information. For example, Experian adopted what it calls a "values approach" to guide decisions on how to use information.211 Equifax first created and published a code of fair information practices in the 1980s, and has recently updated that code.212 Equifax has also conducted and published annual national surveys of consumer attitudes about privacy.213 Furthermore, in 1990, Equifax responded to mounting consumer and privacy concerns by establishing a toll-free number that consumers could call to order credit reports, obtain advice, and correct inaccuracies.214

Notwithstanding these laudable efforts, complaints of damaging mistakes in credit reports and the release of names to marketers and others who do not meet the "permissible use" requirement under the FCRA continue to plague credit agencies.215 "Prescreening" techniques now used extensively also generate many new privacy concerns.216

In 1996 Congress adopted sweeping changes to the Fair Credit Reporting Act, to be effective on October 1, 1997.217 The amendments establish opt-out requirements for prescreening, permit corporate affiliates to share information without becoming subject to the FCRA requirements, impose new obligations on creditors with respect to the accuracy of information furnished to consumer reporting agencies, establish new reinvestigation and notice obligations, and impose significant new consent requirements to obtain reports containing medical information and reports for employment purposes.

The 1996 FCRA Amendments also required the Federal Reserve Board to conduct a study, in consultation with the Federal Trade Commission and other banking agencies, of whether organizations that are not credit reporting agencies are making sensitive consumer identifying information available to the public. The Federal Reserve released the report on April 7, 1997.218 The Report explains how information becomes available and discusses some aspects of financial fraud. Although it reaches no conclusions about whether legislation is needed at this time, the Report does indicate that fraud related to identity theft is a growing concern that is expanded by relatively easy access to personal information.219

168. See discussion supra at 19.

169. Pub. L. No. 95-630, 12 U.S.C.A. §§ 3401-22, 92 Stat. 3697, as amended Pub. L. No. 101-647, 101 Stat. 4908, 12 U.S.C.A. §§ 3401-22 (1989 & Supp. 1997).

170. In 1970 Congress imposed record keeping requirements on banks because it found that such records "have a high degree of usefulness in criminal, tax, or regulatory investigations and proceedings." Bank Secrecy Act, Pub. L. No. 91-508, 12 U.S.C. § 1951(a), 84 Stat. 1114-1124 (1994). In 1976, the Supreme Court held that a bank customer has no constitutionally protected right of privacy in his or her bank records because these records are the "business records of the bank." United States v. Miller, 425 U.S. 432 (1976). The Court concluded that the lack of any expectation of privacy in such records was assumed by Congress when it passed the Bank Secrecy Act. Miller, 425 U.S. at 441-442. In 1978, Congress passed the RFPA in direct response to this decision: "The title is a congressional response to the Supreme Court decision in United States v. Miller which held that a customer of a financial institution has no standing under the Constitution to contest government access to financial records. The Court did not acknowledge the sensitive nature of these records . . . ." H. R. Rep. No. 95-1383, at 34 (1978), reprinted in 1978 U.S.C.C.A.N. 9273, 9306.

171. 12 U.S.C. §§ 3403, 3412.

172. 12 U.S.C. § 3404.

173. 12 U.S.C. § 3410.

174. Delay in notice may occur when there is reason to believe that notice will result in endangering life or physical safety, flight from prosecution, destruction or tampering with evidence, intimidation of potential witnesses, or will otherwise seriously jeopardize an investigation. 12 U.S.C. § 3409.

175. 12 U.S.C. § 3417.

176. 12 U.S.C. § 3402.

177. See BankAmerica Corporation Privacy Code 48, quoted in Bell Atlantic, Handbook of Privacy Codes (1994).

178. See Kristen Davis & Scott Nelson, Safe Travel on the Info Superhighway: Measures to Protect Individuals' Privacy when Paying Bills Electronically, Kiplinger's Pers. Fin. Mag., Jan. 1994, at 34.

179. See Marianne Kyriakos et al., Netting a Loan, Wash. Post, May 8, 1995, at F03.

180. See Sylvester Flood, Smart Cards: U.S. Banks Take Wait and See Approach to Tomorrow's ATMS, Bank Marketing, Sept. 1992, at 51.

181. See Smith, supra note 27, at 27 & 80-83.

182. See JoAnne S. Barefoot, The Next Compliance Controversy: Privacy, ABA Banking Journal 22 (Jan. 1997).

183. Id.

184. See discussion of direct marketing infra at 45.

185. See Saul Hansell, Getting to Know You, Inst. Investors, June 1991, at 71.

186. See Robert E. Kearney, Keep Your Hands Off My Data, Bank Marketing, May 1995, at 19. As of June 1996, neither the American Bankers Association nor its affiliate, the Bank Marketing Association, had established privacy guidelines for banks to follow. See John N. Frank, The Brouhaha over Privacy, Credit Card Management, May 1996, at 32. The 850 member Consumer Bankers Association recently promulgated voluntary privacy guidelines for its members. See Darryl Hicks, CBA Issues Privacy Guidelines for Lenders, Nat'l Mortgage News, Feb. 3, 1997, at 35.

187. See Cynthia Graham, Banks Must Address Consumer Privacy Concerns, Privacy & Am. Bus., Mar. 1995, at 23.

188. American Express, Citicorp, Chemical Bank and Visa International have all adopted privacy policies. Citicorp, for example, promises its credit card users that it will use Visa and MasterCharge data only in connection with Visa or MasterCard business. Citibank Visa and MasterCard Privacy Policy, 1993. See also, Hansell, supra note 180, at 22 (discussing bank privacy policies).

189. See Smith, supra note 27, at 17-27 (noting that although banks are some of the most highly regulated institutions in the U.S., most federal banking regulation has focused on issues related to solvency and to fairness in lending).

190. See Editorial, Financial Services Can Now Be Offered On Internet, Bank Marketing, May 1995, at 82.

191. See Rothfeder, supra note 139, at 32.

192. See Consumer Rep., What Price Privacy? May 1991, at 356; Ann Merrill, Credit Bureaus Continue to be Leading Source of Complaints About Privacy, Star-Trib. (Minneapolis - St. Paul), Feb. 1, 1996, at 4D, available in 1996 WL 6900979.

193. Pub. L. No. 91-508, 84 Stat. 1127 as amended by Omnibus Consolidated Appropriations Act for Fiscal Year 1997, Pub. L. No. 104-208, div. A, tit. II, § 2402(a)-(g), 110 Stat. 3009-____, 15 U.S.C.A. §§ 1681-1681u (1986 & Supp. 1997).

194. 15 U.S.C. § 1681b.

195. There are two exceptions: there is a 10 year limit for bankruptcies and no time limit for certain transactions involving substantial amounts of money. 15 U.S.C. § 1681.

196. 15 U.S.C. § 1681d.

197. 15 U.S.C. § 1681m.

198. See 15 U.S.C. §§ 1681c-k.

199. See 15 U.S.C. § 1681b.

200. See Rothfeder, supra note 139, at 56-57.

201. See 15 U.S.C. § 1681b.

202. Id.

203. See Rothfeder, supra note 139, at 56-57.

204. See Cheryl B. Preston, Honor Among Bankers: Ethics in the Exchange of Commercial Credit Information and the Protection of Customer Interests, 40 Kans. L. Rev. 943, 995 n.31 (1992).

205. Id. at 947.

206. See Elwin Griffith, The Quest for Fair Credit Reporting and Equal Credit Opportunity in Consumer Transactions, 25 U. Mem. L. Rev. 37, 46 (1994).

207. See Barry Connelly, Credit Bureaus Adopt Initiatives in the Absence of a New Law, Credit World, July/Aug. 1993, at 7.

208. See Kenneth Solomon, Consumer Dispute Verification, Credit World, Mar./Apr. 1994, at 28.

209. See, e.g., Mitch Betts, Credit Industry Employs E-Mail Address to Address Dispute Resolution Woes, Computerworld, Apr. 4, 1994, at 61; see also Gary Belsky, Junk Mailers Lose One in the Privacy Battles, Money, Dec. 1994, at 46.

210. See Equifax Agrees to Info Gathering Standards, Info. Indus. Bull., July 2, 1992, at 5.

211. See Fair information Values, July 1994, available at Experian, Inc., (visited Mar. 24, 1997) <http://www.experian.com>.

212. See Bell Atlantic, supra note 177, at 34-43.

213. See, e.g., Lou Harris & Associates, Inc., supra note 24.

214. See Rothfeder, supra note 139, at 58.

215. See James J. Daly, One Hand Clapping, 8 Credit Card Management 52-55 (July 1995); Privacy Top Credit Reporting Concern, 6 Credit Risk Management Report (Jan. 29, 1996).

216. Prescreening is a process whereby a credit reporting agency compiles or edits lists of consumers who meet specific criteria and then sells the lists to a credit grantor or marketer. Id.

217. Omnibus Consolidated Appropriations Act, Pub. L. No. 104-208, tit. 2, 110 Stat. 3009 (1996). See also Fair Credit Reporting Act of 1996, 17 ABA Bank Compliance 4-5

218. Bd. of Governors of the Fed. Reserve Sys., Report to Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud, 1997.

219. Id. at 3, 21.