February 2, 2006
Comptroller Dugan Praises Interagency Effort to Overhaul Privacy Notices; Supports Efforts to Develop Federal Standards to Protect Consumer Financial Data
WASHINGTON – Comptroller of the Currency John C. Dugan said today that most bank customers don’t find the privacy notices they receive to be especially useful and said an ongoing interagency process to simplify those notices will better serve banks and their customers.
That’s partly because the statutory requirements are complex and mandate a host of very specific disclosures, the Comptroller said. In addition, the regulations implementing the law encourage the use of legal terms in notices. Finally, there was no requirement in the law or regulations for uniformity or consistency among institutions in the way the information is presented.
"When you combine these three factors, the result is what we have today: notices with too much information, too many legal terms, and too much variability in presentation from institution to institution," Mr. Dugan said in a speech to a meeting sponsored by the American Law Institute and the American Bar Association.
"Each year, banks and other financial institutions bear the cost of mailing such mandatory notices to their many millions of customers, even though we suspect that most of the notices go from postman to trashcan without ever being read," Mr. Dugan added. "Put more harshly, in too many instances privacy notices are nothing more than costly waste."
Mr. Dugan noted that the federal banking agencies have retained expert consultants to test privacy notices with consumers. The purpose of the testing is to determine whether consumers find the notices useful, he added.
"For example, if a consumer wants to limit his bank’s sharing of personal information, can he easily determine from the notice how to ‘opt out’?" Mr. Dugan asked. "If a consumer wants to compare sharing practices among banks, can she easily do so based on the banks’ notices?"
The Comptroller said shorter, more focused notices would reduce the burden on banks and "empower consumers to make informed decisions about their personal information."
In the area of data security, Mr. Dugan noted that banks are subject both to federal requirements that specify when they must notify customers about security breaches involving their personal information and to a patchwork of state laws. However, federal law does not apply to all companies that handle confidential customer information.
"It does not apply to data brokers, merchant card processors, or retailers—all of which suffered well-publicized breaches last year, some involving account information of millions of consumers," Mr. Dugan said. "There is no federal law that compels these companies to notify consumers of breaches involving their personal information."
Given the spate of well-publicized security breaches, the lack of a federal standard outside the financial services sector, and the patchwork treatment by the states, it is no surprise that Members of Congress have weighed in on this disparity, he said. A handful of congressional committees are considering legislation and, while it is not clear whether the regulatory regime applied to banks would work well for other types of companies, it is equally unclear whether a one-size-fits-all standard designed for all companies would work for banks.
"What is clear, however, is that banks should not be subjected to two different federal standards," the Comptroller added. "Either they should continue to be subject to the Gramm-Leach-Bliley regime alone, with modifications as appropriate, or that regime should be supplemented by one that applies to all companies—so long as a standard can be crafted that makes sense to apply to bank and nonbank companies alike."
If Congress adopts a single federal standard for all institutions, including banks, Mr. Dugan recommended three principles to guide its actions. First, functional regulators should write the rules for institutions within their jurisdiction. Second, functional regulators should have exclusive authority to enforce these rules. Third, a uniform national standard is appropriate to govern the safeguarding of personal information and notice to consumers of security breaches.