Bureau of Consumer Financial Protection.
Notice of proposed policy statement with request for public comment.
The Bureau of Consumer Financial Protection (“Bureau”) currently discloses certain complaint data it receives regarding consumer financial products and services via its web-based, public-facing database (“Consumer Complaint Database”). The Bureau proposes to expand that disclosure to include unstructured consumer complaint narrative data (“narratives”). Only those narratives for which opt-in consumer consent had been obtained and a robust personal information scrubbing standard and methodology applied would be subject to disclosure. The proposed policy (“Proposed Policy Statement”) would supplement the Bureau's existing Policy Statements establishing and expanding the Consumer Complaint Database.
Comments regarding the Proposed Policy Statement are due on or before August 22, 2014.
You may submit comments regarding the Proposed Policy Statement, identified by Docket No. CFPB-2014-0016, by any of the following methods:
http://www.regulations.gov. Follow the instructions for submitting comments.
Mail: Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 20552.
Hand Delivery/Courier: Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1275 First Street NE., Washington, DC 20002.
Instructions: The Bureau encourages the early submission of information and other comments. Because paper mail in the Washington, DC area and at the Bureau is subject to delay, commenters are encouraged to submit comments electronically. In general, all submissions received will be posted without change to http://www.regulations.gov. In addition, submissions will be available for public inspection and copying at 1275 First Street NE., Washington, DC 20002, on official business days between the hours of 10 a.m. and 5 p.m. Eastern Standard Time. You can make an appointment to inspect the documents by telephoning (202) 435-7275.
All submissions, including attachments and other supporting materials, will become part of the public record and will be subject to public disclosure. Do not include sensitive personal information, such as account numbers or Social Security numbers. Comments will not be edited to remove any identifying or contact information, such as name and address information, email addresses, or telephone numbers.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Scott Pluta, Assistant Director, Office of Consumer Response, Bureau of Consumer Financial Protection, at (202) 435-7306.
End Further Info
Start Supplemental Information
Start Printed Page 42766
A. Previous Policy Statements Regarding the Consumer Complaint Database
On December 8, 2011, the Bureau published in the Federal Register a proposed policy statement describing its plans to disclose certain data about the credit card complaints that consumers submit to the Bureau (“December 2011 Proposed Policy Statement”).
After receiving and considering a number of comments, the Bureau finalized its plans for publically disclosing data from consumer credit card complaints and published the final policy statement on June 22, 2012 (“June 2012 Policy Statement”).
Also on June 22, 2012, the Bureau concurrently published in the Federal Register a proposed policy statement describing its plans to disclose data from consumer complaints about financial products and services other than credit cards (“June 2012 Proposed Policy Statement”).
After receiving and considering a number of comments, the Bureau published the final policy statement on March 25, 2013 (“March 2013 Policy Statement”).
In the June 2012 Proposed Policy Statement, the Bureau did not propose including narratives in the Consumer Complaint Database. Notwithstanding this, the Bureau received a significant number of comments specific to narrative disclosure. Consumer, civil rights, and open government groups supported disclosure on the grounds that disclosing narratives would provide consumers with more useful information on which to base financial decisions and would allow reviewers to assess the validity of the complaints. Two privacy groups, while acknowledging privacy risk stemming from publication of “non-identifiable” data and calling for further study, supported disclosure on an opt-in basis. Trade groups and industry commenters nearly uniformly opposed disclosure of consumer complaint narratives. In the March 2013 Policy Statement, the Bureau noted that it would not post narratives to the Consumer Complaint Database at least until it could assess whether there were practical ways to disclose narrative data submitted by consumers without undermining consumer privacy.
B. Policy Considerations of Disclosing Narratives
The purpose of the Consumer Complaint Database, as stated in the Bureau's two previous policy statements, is to provide consumers with timely and understandable information about consumer financial products and services, and improve the functioning, transparency, and efficiency of markets for such products and services. As a general matter, the Bureau believes that adding additional information to the Consumer Complaint Database, such as narratives, is consistent with and promotes this purpose.
In specifically examining the incremental benefits and risks of disclosing narratives, the Bureau focused on the direct and indirect benefits to consumers, the benefit to the Bureau, and the advancement of open government principles.
In terms of the direct benefit provided to consumers, for some consumers a primary reason for submitting a complaint may be to share their experience with other consumers. Complainants may desire to do so as a means of providing information they deem useful to others who may be considering doing business with a particular financial institution or as a means of letting others who may be experiencing a similar situation know that they are not alone. These needs cannot be served by the Bureau simply by disclosing the non-narrative portions of the complaint. Indeed, some consumers may choose to submit a complaint only if they will have the opportunity to share their story and other consumers may overcome their reticence to submit a complaint by reading the experiences of others. By increasing the direct benefits to consumers of submitting a complaint, publishing complaint narratives may expand the number of complaints submitted to the Bureau and thereby enhance the value of the Consumer Complaint Database.
Indirect benefits to consumers and the marketplace would include the effect narratives can have on consumer purchasing decisions. Research has shown that consumer word of mouth (which includes consumer reviews and complaints) is a reliable signal of product quality that consumers consult and act upon when making purchasing decisions. Companies, responsive to the effect word of mouth can have on sales, adjust prices to match product quality and improve customer service in order to remain competitive.
Publishing narratives would also be impactful by making the complaint data personal (the powerful first person voice of the consumer talking about their experience), local (the ability for local stakeholders to highlight consumer experiences in their community), and empowering (by encouraging similarly situated consumers to speak up and be heard).
The Bureau believes that the utility of the overall Consumer Complaint Database would greatly increase with the inclusion of narratives. This could lead to increased use by advocates, academics, the press, and entrepreneurs, which itself would lead to increased consumer contacts with the Bureau.
The Bureau believes that the aforementioned increase in benefits and utility would lead to an increase in consumer contacts, which would have a positive effect on Bureau operations. As a critical mass of complaint data is achieved and exceeded, the representativeness of Bureau complaint data increases. Thus, narratives would not only enhance the above consumer benefits but also the many Bureau functions that rely, in part, on complaint data to perform their respective missions including the Offices of Supervision, Enforcement, and Fair Lending, Consumer Education and Engagement, and Research, Markets, and Rulemaking.
The Bureau also would benefit by further establishing itself as a leader in the realm of open government and open data. On December 8, 2009, the Office of Management and Budget (“OMB”) issued its Open Government Directive requiring agencies to “take prompt steps to expand access to information by making it available online.” 
Although agencies have historically withheld data from the public due to privacy and cost controls, with new technology comes new opportunities for openness without significant increases to privacy risk and costs. Moving forward “the presumption shall be in favor of openness.” 
While there is no requirement to publish “all” information, as a matter of policy and “to the extent permitted by law and subject to valid privacy, confidentiality, security, or other restrictions,” agencies should “proactively use modern technology to disseminate useful information, rather than waiting for specific requests under FOIA.” 
Although an independent agency, the Bureau shares OMB's commitment to open and transparent government. The Start Printed Page 42767“presumption of openness” is quickly becoming a governmental best practice. Agencies from the Department of Health and Human Services (“HHS”), to the Federal Trade Commission (“FTC”) are moving quickly to expand open data offerings. Projects like HealthData.gov, Regulations.gov, and the Green Button form a new vanguard of government engagement with the public and the marketplace through open data.
OMB Memorandum M-13-13, Open Data Policy—Managing Information as an Asset, usefully grounds the “presumption of openness” in utilitarian and economic terms. It describes information as “a valuable national resource and a strategic asset to the Federal Government, its partners, and the public,” and points out that “[m]aking information resources accessible, discoverable, and usable by the public can help fuel entrepreneurship, innovation, and scientific discovery—all of which improve Americans' lives and contribute significantly to job creation.” Always subject to legal obligations such as those to protect privacy and confidentiality, the government can treat information as a public asset which, when made available to its public owners, creates public value.
Publishing narratives, however, is not without risks. A principal risk of publishing narratives is the potential harm associated with the possible re-identification of actual consumers within the Consumer Complaint Database. To de-identify data is to remove personal information from a dataset, thereby obscuring individual identities. Re-identification generally occurs when separate datasets are combined to reestablish some number of individual identities. Individuals with personal knowledge of events described in a narrative may also be able to identify consumers using de-identified narratives. Some within the research community question the sufficiency of de-identification and suggest that the risks generally outweigh the benefits of sharing data.
On the other hand, many researchers espouse the sufficiency of de-identification and highlight the extremely low risk of actual re-identification and potential harm—suggesting a cost-benefit analysis where the benefits outweigh this risk. In support of de-identification, supporters make a number of arguments, including that modern scrubbing standards such as the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (which forms the basis of the Bureau's narrative scrubbing standard) decrease re-identification risk to acceptable levels and the number of known, successful attempts to re-identify publicly available datasets are de minimus.
There is a second major risk associated with publishing narratives which arises from the fact that the narratives may contain factually incorrect information as a result of, for example, a complainant's misunderstanding or misrecollection of what happened. If consumers were to rely without question on all narrative data, it is possible that subsequent purchasing decisions may be based on misinformation. To the extent this risk may be realized, both consumers and the financial institutions that lose business due to misinformation would be disserved. Indeed, even absent any effect on consumer decision-making, there is a risk that financial institutions could incur intangible reputational damage as a result of the dissemination of complaint narratives.
To a large extent, this risk is inherent in any release of complaint data. In deciding to release the structured complaint data, the Bureau addressed this concern and concluded that, while there is always a risk that market participants will draw erroneous conclusions from available data, the Bureau was persuaded that the marketplace of ideas would be able to determine what the data shows. The Bureau believes that is true, as well, with respect to complaint narratives. Furthermore, to mitigate this risk, the Bureau's proposed policy provides for the public release of the company's response, side-by-side and scrubbed of any personal information, to the consumer's complaint. This process will assure that, to the extent there are factual disputes, both sides of the dispute can be made public.
C. Operational Feasibility of Disclosing Narratives
In deciding to release certain structured data, the Bureau stated that it would not disclose narratives unless it is operationally feasible to do so without compromising consumer privacy. In November 2013, Consumer Response began piloting a comprehensive program to scrub all personal information from copied narratives using a scrubbing standard based on government best practices (discussed in detail below). This pilot is ongoing and the scrubbing standard is continually improved as lessons are learned and implemented.
The Bureau is currently conducting a study to further verify that the proposed scrubbing standard and methodology will sufficiently address concerns related to the FOIA, the Privacy Act, the Dodd-Frank Act, and the Bureau's confidentiality regulations where (1) consent for publication is obtained from the consumer; (2) narratives are scrubbed of consumer personal information consistent with a robust standard and methodology: (a) that substantially meets government best practices for re-identification risk; (b) as written, results in a low risk of re-identification; (c) as applied, maintains a low rate of operational error; and (3) an independent, third party privacy expert conducts a review and operational test of the standard and methodology in support of the above conditions.
The Bureau is cognizant that other federal agencies have thought about these issues and have successfully adopted a variety of approaches. For example, the Consumer Product Safety Commission (“CPSC”) proactively publishes narrative consumer reports of harm on its Web site, which include consented-to-consumer and industry narratives. And the FTC routinely releases consumer complaints, including the narratives (up to a given quantity), when requested through the FOIA.
II. Proposed Policy Statement Regarding Disclosure of Unstructured Narrative Data From Consumer Complaints and Company Responses
The Bureau hears directly from the American public about their experiences with the nation's consumer financial marketplace. An important element of the Bureau's mission is the handling of individual consumer complaints regarding financial products and services. Indeed, “collecting, investigating, and responding to consumer complaints” is one of only six statutory “primary functions” of the Bureau.
In June 2012, the Bureau began making de-identified individual-level complaint data available via its web-based, public facing database (the “Consumer Complaint Database”). Since launch, the Consumer Complaint Database has been expanded multiple times to include additional financial products and data fields. Consistent with its strategic vision, the Bureau is committed to the continued expansion of the Consumer Complaint Database in both the number of complaints and fields of data made publicly available, Start Printed Page 42768while still protecting privacy and incorporating the appropriate security controls.
A. Consumer Narratives
The Bureau will provide consumers the opportunity to share their individual stories with other consumers and the marketplace by including consumer complaint narratives in the Consumer Complaint Database where consent for publication is first obtained from the consumer.
B. Consumer Consent To Disclose Narratives
The Bureau will only disclose narratives (1) for which informed consumer consent has been obtained and (2) that have been scrubbed of personal information. Consumers who submit a complaint will be given the opportunity to check a consent box giving the Bureau permission to publish his or her narrative. The opt-in consent will state, among other things, and in plain language, that: (1) whether or not consent is given will have no impact on how the Bureau handles the complaint, (2) if given, the consumer may thereafter inform the Bureau that she withdraws her consent at any time and the narrative will be removed from the Consumer Complaint Database, and (3) the Bureau will take reasonable steps to remove personal information from the complaint to minimize (but not eliminate) the risk of re-identification.
C. Company Response
Where the consumer provides consent to publish their narrative, the related company will be given the opportunity to submit a narrative response for inclusion in the Consumer Complaint Database. The company will be instructed not to provide direct identifying information in its public-facing response, and the Bureau will take reasonable steps to remove personal information from the response to minimize (but not eliminate) the risk of re-identification. The Company Portal will include a data field into which companies have the option to provide narrative text that would appear next to a consumer's narrative in the Consumer Complaint Database.
D. Personal Information Scrubbing Standard and Methodology
Sharing data containing personal information presents a tension between data utility and individual privacy. As a particular personal information-scrubbing standard becomes more or less stringent, the utility of a given de-identified dataset becomes respectively less or more useful. The publication of narratives involves risks, including the potential harm associated with the re-identification of actual consumers within the Consumer Complaint Database.
In order to minimize the risk of re-identification, the Bureau will apply to all publically-disclosed narratives, a robust personal information scrubbing standard and methodology. The Bureau recognizes that mitigating privacy risks in complaint level data disclosed to the public may decrease the utility of the data to users. The Bureau will, exercising discretion, modify data when privacy risks clearly and substantially outweigh the benefits of disclosure. By taking these steps to minimize the impact, the Bureau believes that publicly releasing redacted narratives, subject to consumer consent, will best protect all consumers without harming the protected privacy interests of any individual consumer.
In designing its proposed scrubbing standard, the Bureau relied heavily on guidance by the Department of Health and Human Services (“HHS”) for de-identification of health data outlined in the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.
HIPAA requires covered entities, e.g., health plans, providers, and clearinghouses, to de-identify patient personal information such that it no longer provides any reasonable basis to ascertain individual identities. Under HIPAA, data may be considered de-identified if either of the following conditions holds:
- Safe Harbor Method—All the identifying information of 18 different types is entirely removed, and what remains cannot be used to identify any individual, or
- Expert Determination Method—An expert applies statistical methods to estimate the probability that an individual could be identified and determines that the risk of identification is very low.
The HIPAA Safe Harbor Method (“HIPAA De-identification Standard”) stipulates the removal of 18 specific identifiers from any disclosed datasets, including:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for certain ZIP code prefixes depending on the circumstances
- All elements of dates for dates (except year) that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators
- Internet Protocol addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code
HHS specifically notes that the category “any other unique identifying number, characteristic, or code” is very broad. It can contain, among other identifiers, physical attributes, employer names, positions, titles, and other identifying information. HHS does not provide a comprehensive list of such categories, but does state that to meet the de-identification standard, unstructured text must be free of content for which the de-identifying entity has “actual knowledge that residual information could be used to individually identify a patient”.
The Bureau will follow a scrubbing standard with the following elements:
- The Bureau scrubbing standard shall include all of the HIPAA identifiers at a minimum;
- Where HIPAA identifiers are specific to the health domain, the Bureau's scrubbing standard shall include appropriate analogues in the consumer financial domain; and
- The Bureau's scrubbing standard shall specifically include identifiers (e.g., employer name) which the Bureau knows (1) appear in complaints and (2) could reasonably be used to identify individuals.
Generally, the scrubbing methodology will include a computer-based automated step and a quality assurance step performed by human reviewers.
III. Scope of the Proposed Policy Statement
In the June 2012 Policy Statement and the March 2013 Policy Statement, the Bureau addressed comments received in response to the December 2011 Start Printed Page 42769Proposed Policy Statement and the June 2012 Proposed Policy Statement, respectively. These comments ranged from the very general, such as the Bureau's authority to disclose consumer complaint data of any kind and the impact the database would have on consumers and covered persons, to the more specific, such as the impact of specific proposed data fields (e.g., company disposition) and the inclusion of other data fields (e.g., narratives). In both Policy Statements, the Bureau affirmed its openness to the inclusion of additional data fields and its willingness to work with external stakeholders to address the value of adding such fields. Consistent with this commitment, and in response to comments urging the disclosure of narratives, the Bureau is today proposing the inclusion of narratives in the Consumer Complaint Database.
Broadly, the Bureau seeks comments that are related to the proposed extension of the policies to include complaint narratives. With that scope, the Bureau is specifically seeking public comment on:
- Consumer Consent to Disclose Narratives—The Bureau is currently in the process of conducting research and user testing to inform design decisions regarding the need for any additional information to help inform consumer consent, the precise language to most effectively communicate with the consumer, at what point in the complaint process (at complaint submission or later in the complaint handling process) and where on the Bureau Web site the information in support of the opt-in consent should be displayed.
- Company Response—The Company Portal will include a data field into which companies have the option to provide narrative text that would appear next to a consumer's narrative in the Consumer Complaint Database. The Bureau is seeking comment on whether this public-facing response should be distinct and in addition to the response companies send directly to the consumer.
- Personal Information Scrubbing Standard and Methodology—In Section II.D, above, the Bureau detailed the standard and methodology it intends to utilize to scrub personal information from the narratives. The Bureau is seeking comment on both the standard and methodology, including suggestions of appropriate analogues to the HIPAA identifiers in the consumer financial domain, and any other identifiers which could reasonably be used to identify individuals. Specific to ZIP codes, at this time the Bureau has not yet determined whether to continue publishing 5-digit ZIP codes in the Consumer Complaint Database alongside redacted narratives. The Bureau seeks comment on whether ZIP codes should be redacted consistent with the HIPAA standard and if so, the number of digits to provide, e.g., five or three, and any relevant population thresholds under which to limit ZIP code disclosure, e.g., less than 20,000 or 10,000 individuals in a given ZIP code.
The Bureau believes that it has sufficiently addressed comments concerning the Consumer Complaint Database generally, as well as comments regarding the current data fields, in the June 2012 Policy Statement and the March 2013 Policy Statement.
IV. Procedural Requirements
The CFPB concludes that Proposed Policy Statement constitutes an agency statement of general policy exempt from notice and public comment pursuant to 5 U.S.C. 553(b).
Notwithstanding this conclusion, the CFPB invites public comment on this proposed Policy Statement.
Because no notice of proposed rulemaking is required, the provisions of the Regulatory Flexibility Act (5 U.S.C. Chapter 6) do not apply.
End Supplemental Information
Dated: July 14, 2014.
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-17274 Filed 7-22-14; 8:45 am]
BILLING CODE 4810-AM-P