Re: Big Data Request for Information

Transcription

1 March 31, 2014 Attn: Big Data Study Office of Science and Technology Policy Eisenhower Executive Office Building 1650 Pennsylvania Avenue NW Washington, D.C Ladies and Gentlemen: Re: Big Data Request for Information The Financial Services Roundtable ( FSR ) 1 is pleased to respond to the government s request for information concerning the collection, analysis and use of big data published in the Federal Register on March 4, 2014 (the RFI ) by the Office of Science and Technology Policy (the Office ). Background and Overview On January 17, 2014, President Obama called for a comprehensive review of how big data, defined in the RFI as datasets so large, diverse, and/or complex, that conventional technologies cannot adequately capture, store, or analyze them, will affect the everyday lives of Americans. The Office issued the RFI to facilitate that review and requested voluntary responses from both the public and private sector. The RFI poses five questions aimed at gathering responses on the implications of collecting, analyzing and using big data for privacy, the economy and public policy, with a focus on how 1 As advocates for a strong financial future, FSR represents 100 integrated financial services companies providing banking, insurance, and investment products and services to the American consumer. Member companies participate through the Chief Executive Officer and other senior executives nominated by the CEO. FSR member companies provide fuel for America s economic engine, accounting directly for $98.4 trillion in managed assets, $1.1 trillion in revenue, and 2.4 million jobs. 1

2 technological advances and broadening uses of such data can be maximized while minimizing the risks to privacy. FSR and its members are strongly committed to protecting the privacy of Americans. We share the Office s view that big data can be used to spur innovation and maximize the opportunities and free flow of this information, but that consumers must be provided with meaningful protections to ensure the privacy and security of data about them, including personal information. Our response to the RFI addresses this balance of interests, first, by providing an overview of the many ways in which financial institutions currently use certain data about their consumers to provide financial services (i.e., from enhancing fraud prevention to complying with anti-money laundering regulations); and second, by summarizing the primary federal statutes and regulations and industry guidelines already in place governing how financial institutions collect, use, share and secure information about consumers. This response follows on the heels of the March 27, 2013 meeting at the White House between representatives from the financial services industry and Administration officials. At that meeting, BITS (the technology policy division of FSR) and other financial services executives emphasized to Administration officials the importance of data analytics for the purposes of fraud reduction and cybersecurity, and discussed other direct and indirect benefits to consumers. There is no question that increased access to big data not only will combat fraud and improve security, but also will provide new insights and opportunities to improve financial products and customer relationships. We welcome the Office s efforts to undertake a review of big data. We note, however, that the concept of big data is an evolving one, and therefore, any questions, policies or frameworks that may be developed to address it should be formulated in ways that do not unnecessarily stymie its possible beneficial effects on society, individuals and the economy. Big data and enhanced data analytics, in general, can be used to strengthen national security, drive effective marketing, improve health care, enable a cleaner environment, and build safer cities. To the extent there are concerns about big data whether it is the creepiness factor or that it may lead to profiling or discrimination the financial services industry is vigilant about these concerns and operates not only in strict compliance with existing privacy and data security laws and regulations, but also works with BITS and other industry organizations to continually develop best practices for the industry. We appreciate this opportunity to share our industry s experiences and expertise with the Office and look forward to being part of the government s continuing dialogue about big data in the future. 2

3 Overview of Uses of Consumer Data In general, financial institutions collect, analyze and use data about consumers to provide better, more secure financial products to them. The data that is reviewed is not necessarily big data, as defined in the RFI, but as big data becomes easier to access and manage, it undoubtedly will be used for the same purposes. An overview of some of the key ways in which consumer data is used today is provided below. To Improve Access to Financial Products Consumers today require quick access to banks, credit, and other financial services. In order to make rapid, reliable, and appropriate decisions about credit, insurance, and other consumer loans, financial institutions need to have ready access to a range of information about consumers. This information provides two downstream effects: first, it reduces the cost of financial services, and second, it increases the availability of those services. Banks are able to reduce costs by pooling consumer loans (securitization), practical only when accurate consumer information is available. Credit is provided based on historical consumer data including credit (FICO) scores, and is already highly regulated by the Fair Credit Reporting Act. As more consumer data becomes available in the future (e.g., in the form of big data ), banks may be able to better gauge the creditworthiness of consumers, including those who have not yet established credit, by reviewing a broader array of relevant data and not relying solely on FICO scores. The data also may be used to create new financial products personalized to the consumer. In short, by using enhanced analytics, financial institutions will be able to better define and service their customers. Enhancing Fraud Prevention and Customer Service The ability of financial institutions to use big data to detect and prevent fraudulent activity saves billions of dollars each year for consumers and for financial institutions. In 2010, 73% of banks reported losses from check fraud, totaling around $893 million, but attempted check fraud amounted to around $11 billion. 2 Banks are estimated to have prevented around $13 billion in fraudulent transactions that would have affected consumers in 2012, in no small part because they have been able to use consumer data to spot these transactions early on. 3 2 Association for Financial Professionals, 2013 AFP Payments Fraud and Control Survey, available at 3 American Bankers Association, Banks Stop $13 Billion in Fraud Attempts in 2012, available at 3

4 Financial institutions generally bear the burden of fraudulent transactions: they refund consumers and retailers affected by the fraud. To stem these losses and protect their consumers, they rely heavily on access to consumer transaction histories which allow them to detect and prevent fraudulent activity. By sharing consumer data with affiliates, they also are able to deter broader fraudulent activity across affiliate accounts. Access to consumer data also allows financial institutions to provide better, more responsive customer service, including across affiliates. This can include not only helping customers when they have problems with their accounts, but also offering targeted or bundled services to customers with particular needs. Compliance Financial institutions are subject to anti-money laundering regulations and other laws that require mandatory reporting of suspicious transactions. In particular, banks are required to notify the government of high-value currency transactions and similar suspicious activity. Access to consumer data can efficiently limit the occurrence of false positives when a bank checks suspicious names against a sanctions list. In addition, by responsibly monitoring customer activity over time, banks also can improve the accuracy of their reporting to the government. Marketing Financial institutions also use consumer data to identify the needs of their customers and ensure more relevant advertisements are reaching those customers. Targeted marketing can reduce unwanted or duplicative advertising, and engage consumers more efficiently. Consumers have the ability to control whether to receive such advertising by opting out of receiving s, phone calls and direct mail solicitations. Technological Trends in the Collection and Use of Big Data (Question 3) Financial institutions collect consumer data directly from the consumer, from affiliates and from non-affiliates with notice to the consumer through a variety of traditional methods, including through the institution s website, at branches or other physical locations, and by phone. Due to technological advances, the types of information they are able to collect and the means by which they can collect it have expanded in recent years, as detailed below. The collected data, in turn, is used to provide better financial products and to improve customer relationships. Mobile Applications and Social Media Today virtually every major financial services institution offers mobile applications (e.g., a mobile banking application), which offer convenience and accessibility to users. Mobile applications present a new opportunity to improve communication between customers and financial institutions, permitting more real time 4

5 interactions like balance notifications, potential fraudulent activity alerts, and other up-tothe-minute information. They also offer consumers a portable means of accessing their financial data. Data collected from mobile applications can include personal information, financial information and location data. Mobile privacy has received significant attention in recent years. The Federal Trade Commission (the FTC ) and California s Attorney General issued mobile privacy guidelines in 2013 to address the unique privacy concerns raised by mobile applications, including the collection of location data. Those guidelines serve as guide posts for the financial services and other industries. Financial institutions also are increasingly engaging with consumers through social media platforms for marketing purposes, but social media is not a primary source for consumer information. Location Data and Biometrics The kinds of personal information available to financial institutions have expanded in recent years. A primary example is consumer location data, which is used to provide customer services (e.g., to identify the location of nearby ATMs through a mobile banking app) and to detect possible fraud (e.g., to verify transactions based on the location of the consumer). Fingerprint recognition technology is also being used by banks in countries like Brazil to secure transactions and protect customers against fraud. However, further research and consideration of the associated privacy and security risks will be required before biometrics are adopted by the U.S. financial services industry in any meaningful way. Online Behavioral Advertising For marketing purposes, financial institutions today engage in some level of online behavioral advertising ( OBA ). OBA basically is advertising targeted to consumers based on their prior actions online. In the financial services context, OBA primarily takes the form of retargeting advertisements: consumers are shown ads for products or services they previously viewed online. Retargeting provides consumers with more relevant and useful advertising based on expressed needs, and can decrease the amount of unwanted and unnecessary advertising consumers see or receive. Many financial institutions are members of the Digital Advertising Alliance (DAA) s self-regulating program, which requires enhanced transparency and optimizes consumer choice with respect to OBA. The program allows consumers to opt out of their data being used for OBA by clicking on the ad choices icon, a universal symbol found near advertisements or on Internet pages where data is collected for OBA purposes. 5

6 Existing Privacy Laws Governing the Financial Services Sector (Questions 1, 3, and 5) As noted above, banks and other financial institutions necessarily collect, analyze and use a significant amount of consumer information in the ordinary course of business. For that reason, in addition to privacy regulations applicable to all industries (e.g., Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, and similar state laws), the financial services sector has long been subject to a set of specific federal and state laws that regulate how personal information may be collected, used, shared and secured by financial institutions. Importantly, the laws are in place to protect the consumer and seek to accomplish this primarily through transparency and notice. Under the existing legal framework, financial institutions have affirmative disclosure obligations to ensure that consumers are aware of the types of information that are being collected and how that data may be used or shared by financial institutions. Consumers are also provided with meaningful choice as to how that data may be used or shared by affiliated or unaffiliated entities (e.g., through opt-out notices). Financial institutions also provide customers with the option to limit , telephone and direct mail solicitations. The federal laws are reinforced by various U.S. state law requirements as well as industry best practices. Nearly all states have enacted laws that regulate the collection and use of consumer credit and financial data as well as laws requiring data breach notification. And some states, like California, afford even greater privacy protections to the financial information of consumers. Through its partnership with organizations like BITS, the financial services industry also has developed and implemented data security best practices. Together, these laws and standards establish a comprehensive framework for maintaining the highest standards of protection and privacy for consumer data. The Gramm-Leach-Bliley Financial Modernization Act of 1999 ( GLBA ) 4 The GLBA is the primary law governing the privacy of consumer financial information. First, financial institutions covered by the GLBA are required to adopt privacy policies and make their information-sharing practices transparent to customers in annual privacy notices. The privacy policy must plainly inform consumers and customers of what information is collected, identify with whom the information will be shared, and describe how that information will be protected. Second, the GLBA generally prohibits financial institutions from sharing nonpublic and personally identifiable financial information with unaffiliated third parties, unless the customer receives notice and opportunity to opt-out. Lastly, the GLBA requires financial institutions to develop, implement 4 15 U.S.C et seq. 6

7 and maintain a comprehensive information security program designed to safeguard customer data. The Fair Credit Reporting Act of 1970 ( FCRA ) 5 The FCRA regulates the practices of consumer reporting agencies that compile consumer information used by companies, including financial institutions, to make credit, employment, or insurance decisions affecting consumers. The FCRA also regulates the users of that consumer report information. Financial institutions may only use consumer report information for the purposes specified in the statute. Depending on the proposed use of the information, certain disclosures are required either before obtaining this information, in connection with using the information to take adverse action, or both. Consumers may opt out of the sharing of certain information between affiliates. And in the marketing context, there are rules about pre-screened offers for credit or insurance, restrictions on the sharing of information between affiliates for marketing purposes, and mechanisms for consumer choice. The Fair and Accurate Credit Transactions Act of 2003 ( FACTA ) 6 FACTA, which substantially amended the FCRA, enhanced consumer protections by requiring federal agencies to adopt affiliate marketing, disposal, and identity theft red flag rules. The affiliate marketing provisions of FACTA generally prohibit companies from using consumer information received by an affiliate to make marketing solicitations, unless the consumer is provided with clear and conspicuous notice and the opportunity to opt out. Importantly, the rules apply to information that is otherwise excluded from the scope of consumer report information under the FCRA. The Disposal Rule protects against unauthorized access or use of consumer information and obligates companies to securely dispose of information in consumer reports. Financial institutions must incorporate disposal practices into the information security program required by the GLBA Safeguards Rule. Finally, under the Identity Theft Red Flag Rule, financial institutions and creditors that hold any consumer account for which there is a reasonably foreseeable risk of identity theft must implement programs designed to detect, prevent, and mitigate these risks U.S.C et seq. 6 Pub. L. No , 117 Stat (Dec. 4, 2003). 7

8 The California Financial Information Privacy Act ("SB1") 7 California state privacy laws are widely considered the most comprehensive and stringent of the state financial privacy laws. SB1 imposes obligations on financial institutions operating in its jurisdiction that are stricter than those provided for under federal law. Namely, SB1 defines identifiable information more broadly than federal law, requires opt-in as opposed to opt-out consent under certain circumstances and contains stricter limitations on the sharing of covered information with affiliates. For example, affirmative opt-in consent is required under California law before financial institutions may share covered information with nonaffiliated third parties. An opt-out opportunity must also be provided to consumers before financial institutions share covered information with affiliates in different lines of business. BITS Cybersecurity and Fraud Reduction Best Practices As the technology policy division of FSR, BITS addresses issues at the intersection of financial services, technology and public policy, where industry cooperation serves the public good, such as cybersecurity, critical infrastructure protection, fraud prevention, and the safety of financial services and its consumers. BITS, which was formed in 1996, works with subject matter experts from within its 100 member companies in each of the areas noted to develop best practices related to safe and sound computing, the protection of consumer information and protection of its members and their consumers from cyber attacks and fraud schemes. (See more at: Federal Financial Institutions Examination Council ( FFIEC ) Guidance The Federal Financial Institutions Examination Council, or FFIEC, is a government organization that works to promote uniform supervision of financial institutions. The FFIEC has issued a number of data security guidance documents, including standards for authentication that recommend the use of multi-factor identification or other means of identifying consumers (including biometric templates) to increase security and prevent unauthorized access. 8 The FFIEC guidance statements represent evolving best practices and are another helpful mechanism for ensuring the application of uniform, sufficient controls for safeguarding consumer data in a rapidly changing landscape. 7 Cal. Fin. Code FFIEC, Security Controls Implementation: Authentication, available at 8

9 The Financial Services Information Sharing & Analysis Center ( FS-ISAC ) Data Security Standards 9 Conclusion Another key component critical to safeguarding sensitive consumer information held by financial institutions is collaboration and information sharing among industry members and between industry and the government. To that end, FS- ISAC was formed in 1999 to facilitate partnership between the public and private sectors working to defend the nation s critical infrastructures from cyber threats. There are thousands of member institutions primarily consisting of large financial services firms. The FS-ISAC model allows members to share threat, vulnerability, and incident information anonymously to protect the sector as a whole. It also developed best practices for mitigating system risks, as well as the development and testing of crisis management procedures. Access to big data whether it is personal information collected from the consumer or information about their transaction histories collected from third parties is crucial for the provision of financial services and the security of consumers. Perhaps more than any sector, the financial services industry has had to balance these important interests against the risks of minimizing consumer privacy. We believe that the existing legal framework governing the financial services sector, including data best practices adopted by the industry, accomplish just that through various mandatory notice obligations and security standards. We would be happy to provide the Office with any additional information as it proceeds with its work of framing the main questions and policy concerns surrounding big data. Thank you for the opportunity to respond to the RFI. If you have any questions, please feel free to contact me at (202) Respectfully submitted, Richard Foster Vice President & Senior Counsel for Regulatory and Legal Affairs Financial Services Roundtable 9 See Industry Best Practices, available at 9