Privacy Rights Clearinghouse
September 26, 2003
Office of the Comptroller of Currency
250 E. Street, S.W.
Public Information Room, Mailstop 1-5
Washington, D.C. 20219
Comments submitted electronically, email@example.com
RE: Docket No. 03-16; Bank Activities and Operations; Real Estate Lending and Appraisals (http://www.occ.treas.gov/fr/fedregister/68fr46119.pdf )
A. Preemption of state laws that govern access to and use of credit reports
B. Preemption of state laws that mandate statements, disclosures, etc.
C. Need for concurrent enforcement
D. Clarification of OCC's intent
The Privacy Rights Clearinghouse (PRC), PrivacyActivism (PA), and Electronic Privacy Information Center (EPIC) submit the following comments in response to the notice of proposed rulemaking published by the Office of Comptroller of Currency (OCC) on August 5, 2003. The OCC's proposed revisions to 12 CFR Parts 7 and 34 of its regulations identify certain types of state laws that would be preempted for non-real estate loans made by national banks.
The scope of the OCC's proposal potentially affects consumer protection and privacy laws of many states. However, we limit our comments to the potential impact on California laws. Particularly troubling is the uncertain implication of the OCC's rulemaking for important identity theft laws that involve access to, and use of, credit reports. Of equal concern is the OCC's proposed regulation to preempt state laws that require national banks to give mandated statements to be included in billing or credit related documents.
The Privacy Rights Clearinghouse (PRC) www.privacyrights.org  is a nonprofit consumer education and advocacy organization based in San Diego, California. Over the past 11 years, the PRC has counseled thousands of victims of identity. It has seen this crime grow from one without a name to what is now called the "crime of our times" by Federal Trade Commission Chairman Muris. www.ftc.gov/opa/2003/09/idtheft.htm 
PrivacyActivism (PA) is a San Francisco-based nonprofit consumer advocacy organization whose overall mission is to enable people to make well-informed decisions both on a personal and societal level about the importance of privacy. It examines the privacy risks associated with data collection.
Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
The FTC's study on identity fraud as well as recently released private studies confirm what privacy advocates have long known: Identity fraud wreaks havoc on victims and financial institutions alike. Recent studies have found that in the past year there were seven to 10 million victims, with losses to financial institutions in the billions of dollars. The breadth of this crime requires cooperative efforts from federal, state, and local law enforcement agencies. (To read summaries of these studies, see www.privacyrights.org/ar/idtheftsurveys.htm .)
California lawmakers have made significant strides enacting laws that help victims of identity theft regain their financial health and that mandate business practices that prevent this crime. California laws also address financial privacy, giving consumers the ability to control what is done with their sensitive personal information.
The OCC's notice of proposed rulemaking is unclear about what specific state laws it intends to preempt through rulemaking. From the broadly worded regulations as proposed, we can envision any number of state laws that might be affected. However, because the OCC's proposal is broadly stated, we also respond to the solicitation for comments on the use of plain language in the notice of proposed rulemaking.
Under the proposed regulations, national banks would be preempted from state laws having to do with:
(vii) Access to, and use of, credit reports (§7.4008 (c)(2)(vii))
The scope of this intended change to the OCC's regulation is not clear from the preamble to the regulations. We find no discussion in the OCC's interpretation of any specific state laws governing use and access to credit reports that would be preempted under the proposed regulation. Similarly, the discussion does not include any notation of a case involving credit reports where a state law significantly, or to any extent, interfered with the operation of a national bank.
Clearly, the federal Fair Credit Reporting Act (FCRA) (15 U.S. C §1681) sets the standard for access to and use of credit reports. The FCRA gives the OCC authority to enforce the Act as it pertains to national banks, but it does not set a different standard for banks. However, the FCRA does not give the OCC authority to usurp the authority of states to pass and enforce consumer protection and privacy laws.
Under the FCRA, national banks are both "users" and "furnishers" of consumer reports. Banks access credit reports, for example, when a consumer applies for a loan. And, during the life of the loan, banks report a satisfactory or negative payment record. In addition, banks, like other creditors, routinely monitor credit reports of existing debtors to ensure that the consumer continues to meet the terms of the loan. Rights and obligations of users and furnishers are established by the FCRA, not federal banking laws.
National banks are also major users and furnishers of another type of consumer report, the ChexSystems Report. ChexSystems operates as an exchange system where banks furnish information about savings and checking accounts that have been mishandled to a consumer reporting agency, called ChexSystems. Information is also furnished about any outstanding debt related to an account.
ChexSystems compiles this information into a database, and, in turn, issues a consumer report when a member bank gets a consumer's application to open a savings or checking account. It is not clear from the proposal that the OCC intends to exempt state laws on credit reports from Experian, TransUnion, or Equifax, or if it intends to preempt other consumer reports such as ChexSystems as well.
Nonetheless, the duties of users and furnishers are the same for all consumer reports. For most states Congress has preempted the authority to impose additional duties on furnishers. Congress, however, extended the limits of state laws for furnishers to California. FCRA Section §624 (15 USC 1681t(b)(F)(ii). California's Consumer Credit Reporting Reform Act of 1996 was allowed to stand, allowing California to set the standards for furnishers of information. In providing this exception, Congress did not carve out an exception for national banks operating in California.
Californians have good reason to fear identity theft, since the instances of identity theft are higher in California than nearly any other state. Credit card fraud and bank fraud are among the top three types of fraud reported by Californians to the FTC. www.consumer.gov/idtheft/idt_statemap/California%20CY2002.pdf 
Following are some of the California laws that could be adversely affected if the OCC's proposed rule is adopted claiming preemption of state laws that touch upon use and access to credit reports:
Credit bureaus must enable consumers to establish a "freeze," prohibiting the credit bureau from giving report to anyone without the consumer's consent. California Civil Code §§ 1785.11.2 (effective Jan. 1, 2003)
Creditor must verify a change of address on a mailed solicitation
Where credit is to be extended by mail pursuant to a mailed solicitation, requirement to mail the extension of credit to the same address as the solicitation unless the creditor verifies any address change by contacting the consumer. California Civil Code § 1785.14(a)(3)
User of a credit report must verify there was no ID theft where address is mismatched
Requirement for user of credit report to verify requested extension of credit is not an instance of identity theft, where the address on the application does not match the address on the credit report. Civil Code § 1785.20.3 06
No forwarding of instant loan checks
Requirement that "instant loan checks" be mailed in envelope that does not indicate a negotiable instrument is enclosed and that is marked "do not forward": California Financial Code § 22342
Access to records for victims and law enforcement
Banks, public utilities, and certain other companies must provide both the victim and law enforcement (on request) with copies of applications, checks, account statements, and records of transactions initiated by an imposter. California Penal Code § 530.8
Creditor cannot sell a debt to a debt collector once the individual has reported to the credit bureau that the debt resulted from fraud. California Civil Code § 1785.16.2
Victim of identity theft may seek an injunction against a creditor or debt collector who pursues payment from the victim of a debt incurred by a thief. California Civil Code §§ 1798.92-97
In addition, although not directly related to credit reports, we are concerned that the following California consumer protection and privacy laws may be adversely affected by the OCC's proposed preemptive regulations.
Destruction of customer records -- the "shredding" law
Businesses are required to take reasonable steps to destroy records containing personal information upon disposal of the records by shredding, erasing, or modifying the information to make it unreadable. California Civil Code §§ 1798.80-82
Confidentiality of Social Security Numbers
(California Civil Code § 1798.85 (Phased in from July 2002 - July 2005)
Individuals and commercial entities may not:
- Publicly display or post SSNs.
- Print SSNs on ID cards or badges.
- Require people to transmit SSNs over the Internet unless the connection is secure or
the number is encrypted
- Require people to use the SSN to logon to the Internet without a password
Section (c) (2)(viii) of the OCC's proposed regulations, list the following as types of state law that would be preempted for national banks:
Mandated statements, disclosure and advertising, including laws requiring specific statements, information, or other content to be included in credit application forms, credit solicitations, billing statements, credit contracts, or other credit-related documents.
Preemption of statements like this seems to speak directly to the newly enacted Senate Bill 1, (SB1) California's financial privacy legislation.
California SB1 was enacted under the authority granted by Congress in the Financial Services Modernization Act, commonly known as the Gramm-Leach-Bliley Act (GLB). GLB specifically gives states the authority to adopt a statute, regulation, order, or interpretation that affords that state's citizens greater privacy protections than that of the federal statute. GLB's authority to states does not carve out any special exceptions for national banks.
A necessary part of SB1 is a revised privacy statement, notifying California consumers of information sharing choices that go beyond the federal law. The statement required by SB1 must be given by all financial institutions doing business in California, including national banks.
We are concerned that the OCC's proposed regulation raises questions about the necessity for national banks to supply customers with the required California privacy notice.
Identity fraud and credit reports
Most states have passed laws to deal with the exploding crime of identity fraud. Particularly hard hit by this crime, California has been a leader in laws that focus on preventive measures as well as assistance to victims once the crime has occurred.
Instances of identity theft almost always lead back to the consumer credit report. Like any other purveyor of credit, national banks solicit and accept applications for consumer loans. The creditor accesses the credit report and either accepts or rejects the applicant based upon information included in the credit report. For the identity theft victim, the crime is all the same whether the erroneous credit is granted by a national bank, a retail establishment, or a rental agency.
To the criminal, a national bank is no different than any other conduit of fraudulent credit. Thieves apply for new credit in the victim's name, sometimes supplying a different address from that of the victim. The new credit account and the new address are recorded in the credit report. The victim seldom learns about the crime unless applying for new credit or responding to a collection action. The collection action also ends up as a negative statement on the consumer credit report.
A crime of this magnitude must be fought by all levels of government.
In 1999 Congress passed GLB, a law that gave consumers minimal rights to notice about the information collection and sharing practices of financial institutions, including national banks. That GLB gave consumers any privacy rights was due largely to enforcement efforts by state Attorneys General, exposing egregious information sharing practices of national banks. GLB also gave consumers a limited right to control the flow of personal information for disclosures made to third-party non-affiliates. Although modest, GLB's consumer rights of notice and the limited opportunity to opt-out must be enforced.
For consumers, the saving grace of GLB was the right granted to states to give citizens greater protection in how personal financial information is used by financial companies. Implicit in this right is the authority for states to design mandated statements to advise that state's citizens of the greater rights to protect financial information afforded by state law.
After nearly four years, California lawmakers became the first to enact financial privacy legislation stronger than GLB. The California law, introduced as SB1, necessarily mandates that financial institutions, including national banks, provide California consumers with a statement that outlines the unique privacy choices available here.
The California law, which takes effect July 1, 2004, also vests enforcement authority with the state Attorney General. Consumers have no right to sue for financial privacy violations, either under GLB or the new California law. Prior to the passage of SB1, the only authority to enforce the financial privacy provisions of GLB rested with the federal functional regulators and the Federal Trade Commission (FTC).
To our knowledge, there have been no GLB enforcement actions against national banks. This void in GLB enforcement actions should be seen more as an indication of limited agency resources than an exemplary record of consumer privacy protection by financial institutions. In addition, this lack of federal enforcement of consumer privacy only points out the need for concurrent federal and state authority.
In addition to the proposed regulations, the agency solicits comment on the clarity of the proposal. Given the sweeping implications of the OCC's proposal to preempt state laws that govern credit reports and mandatory statements, the initiative warrants a more specific explanation.
In particular, the OCC should revise its notice of proposed rulemaking to identity existing state laws that would be preempted under each of the 10 categories of law it proposes to exempt.
For states like California with strong consumer protection and privacy laws, the agency's proposal raises many questions as to which specific laws would not apply to national banks. Without a definite list of preempted laws, states are disadvantaged in having only to guess at what laws might be attacked by the federal government. Consumers, too, are harmed when confidence in the ability of states to pass consumer protection laws is undermined by the threat of federal preemption. For sake of clarity, the OCC should publish a revised Federal Register notice to inform states of all existing laws that might be affected.
As the OCC is well aware, preemption of state laws governing credit reports and consumer reporting agencies is one of the many issues now before Congress as it revisits the FCRA. Consumer and privacy advocates have come out strongly against efforts to roll back state consumer protection laws. If in the unfortunate event states are denied the right to protect consumer interests, this decision should come from Congress and not through federal agency rulemaking.
Indeed, preemption of state consumer protection laws through agency rulemaking would result in a piecemeal approach, resulting in a different standard for national banks, thrifts, credit unions, and federally chartered banks. Fear of a piecemeal approach to regulations is the very argument the financial services industry makes to support preemption.
Furthermore, federal government agencies may promulgate regulations only pursuant to a statutory grant of authority. Congress did not give the OCC or any other federal agency statutory authority to limit the right to individual states to provide greater consumer protection under either the FCRA or GLB.
We strongly urge the OCC to abandon this arbitrary rulemaking. Instead of attempting to create unique standards for its regulated institutions, the OCC should form strong enforcement alliances at all levels of government. Without strong, cooperative enforcement efforts, the crime of identity fraud will only get worse.
Beth Givens, Director
Privacy Rights Clearinghouse
Deborah Pierce, Executive Director
Chris Jay Hoofnagle, Associate Director
Electronic Privacy Information Center