Consumers want more bank privacy

                Friday, August 27, 1999

                By MARCY GORDON
                The Associated Press
 

                WASHINGTON -- Consumers are up in arms over financial privacy and the practices of banks, judging from a sample of recent letters sent to the Treasury Department, the Federal Deposit Insurance Corp., and other agencies.

                "I was utterly shocked to realize my own bank would provide my credit card number to what I feel are unethical, if not illegal, telemarketers," one consumer told the Office of the Comptroller of the Currency, a Treasury division that oversees nationally chartered banks. "The next day I went to the . . [bank] branch to cancel my card."

                For the first time ever, the House voted overwhelmingly on July 1 to give people the right to block banks and other financial companies from sharing their personal data with outside firms, such as telemarketers. The lawmakers, who stayed up late to pass the measure on the eve of their Fourth of July recess, were tapping into an American nerve.  No comparable measure has cleared the Senate.

                Copies of the letters were obtained by The Associated Press under the Freedom of Information Act. The names of consumers and their financial institutions were blacked out -- to protect their privacy.

                The letters weren't prompted by the congressional action; they arose from consumers' anger at their financial institutions. About 760 were received by federal regulators from July 1998 through July 1999.

                Late last year, the government tried to institute a rule that would have required banks to track their customers' transaction patterns, the so-called Know Your Customer rule. That brought a public outcry over privacy, forcing federal agencies to scrap the proposal.

                The House privacy provision was attached to sweeping legislation that would lift Depression-era prohibitions and allow banks, securities firms, and insurance companies to merge.

                It will still allow banks and other financial companies that are affiliated with each other to share customer data, such as addresses, phone numbers, birth dates, Social Security numbers, and checking and credit card account information. Data sharing is a major reason that financial companies want to merge, as it opens numerous opportunities for the companies to market their services.  In the view of many consumers, however, such data sharing is a gross invasion of privacy.

                The banking industry defends its record on protecting customers' privacy and has warned that new laws restricting data sharing could deprive consumers of useful financial services. The industry believes that disclosure of companies' privacy policies is the best way to protect consumers.

Subject: "Hawkeish" on privacy?
   Date:   Wed, 22 Dec 1999 17:32:22 -0500
   From:  JBJ

Comptroller of the Currency John Hawke spoke on financial privacy to the Consumer Federation of America in DC on December 2, 1999  [No word yet from Mr. Hawke in support of HR 518 to sunset the Bank Secrecy Act which requires banks to serve as the eyes and ears of government surveillance!   JBJ]:

http://www.occ.treas.gov/ftp/release/99-108a.doc

"Privacy has become a key competitive factor--consumers will choose to do business where they feel their confidentiality is best protected...  "In my view, vindicating customers' expectations that their banks will hold in confidence the information that customers entrust to them is a critically important foundation stone of our banking system...

"They do not expect their banks to serve as the eyes and ears of government surveillance, nor do they expect banks to use their confidential information for the banks' own profit-making purposes--at least not without their consent.  If these expectations are not met, the consequences for the relationships between banks and their customers--and therefore for the health of the banking system--could be grave."

---------------------------------------------------

Coalition for Constitutional Liberties

Weekly Update for 12/24/99   Volume 2, Number 46
Brought to you by the Center for Technology Policy of the Free Congress Foundation
Lisa S. Dean, Vice President for Technology Policy  (mailto:lsdean@freecongress.org)
Julie Malone, Coalition Coordinator (mailto:jmalone@freecongress.org)
phone: (202) 546-3000  fax: (202) 544-2819  http://www.FreeCongress.org

THIS WEEK: (abriged)

* A Forbes Administration Means Privacy Protection - Endangered Liberties Commentary FCF Vice President for Technology Policy Lisa Dean

* Endangered Liberties Program Excerpts: "The Criminalization of Fatherhood  by the Divorce Industry" Guest: Stephen Baskerville, Howard University professor

* President Clinton's "E-Government Directive"

* Unlisted Telephone Numbers Not Private

* Washington, D.C. Metro Area Using Cell Phones for Monitoring Traffic Congestion

* Biometrics at the ATM Machines
 

A Forbes Administration Means Privacy Protection -

Endangered Liberties Commentary FCF Vice President for Technology Policy Lisa Dean
 

For months now we have been urging the Presidential candidates to come forth to express their views on the privacy/technology topics which are so important to the nation's future. These range from medical privacy, to financial privacy, to encryption to asset forfeiture to the ECHELON spy satellite system and many more [see also the European Parliament Echelon Hearings Report at http://www.iptvreports.mcmail.com/stoa_cover.htm].  In a remarkable address at the headquarters of the Free Congress Foundation in Washington last week, Republican Presidential candidate Steve Forbes did just that. In as specific a policy address as you will ever hear from a Presidential candidate, Forbes outlined the dangers to our liberty from the use of technology by the state and then made 10 specific promises as to what he would do on these issues if he had the chance to do so as President.

Among the highlights of Forbes remarks were these:  "The truth is that as we gather here today, the Clinton-Gore Administration is engaged in the greatest assault on the medical privacy of the American people in the history of this country. In the name of protecting medical privacy, this Administration is actually trying to strip it away. . . . " [by] developing a battery of regulations that would legalize access to your medical records without your consent.

They are in the initial stages of creating a massive, centralized national health care database, and a national health care ID system that would assign a "unique health identifier" to every man, woman and child in the United States."  "The medical privacy of the American people is sacred. The doctor-patient relationship is sacred and protected by centuries of legal and cultural tradition. We trust our doctors with our most sensitive, private, personal information. But we never have - and we never should - trust big government."

He also warned: "We don't want to live in a society where every innocent American is effectively monitored by a high-tech "ankle bracelet" like a criminal, watching every move we make. We must think wisely about how to protect our privacy in this high-tech era, how to balance our right to privacy with our passion for free enterprise, as well as with our government's need to protect us and enforce the law."

In a Forbes Administration he went on to say that he "will require a "Privacy Impact Assessment" of every bill before it becomes law; will vigorously protect the medical privacy of the American people by blocking national health ID cards and shutting down any federal medical database that contains information Washington does not need and has no constitutional right to have; will protect the financial privacy of the American people by ending the IRS as we know it"; and allow free development and exportation of strong encryption products which are currently being stifled by the Clinton Administration.  It now behooves the five other Republican Presidential candidates, the two Democratic candidates, candidates for the Reform party and other candidates for President to follow suit. Where do they stand on liberty? Are they willing to make the same promises to protect our liberty that Forbes has made?

Until now, the privacy/technology issues have not been on the table. Candidates could get by without taking a position on these matters because they were not being talked about. Forbes has changed all that.  What he has done puts the privacy issues foursquare in the middle of the national debate that takes place every four years for the Presidency.  First, citizens regardless of their party or philosophy should thank Forbes for breaking the code of silence on the greatest threat to our liberties since the end of the Cold War. Second, citizens should be sure that the issues Forbes has raised are brought up in every town meeting and in every candidate forum in the country. That should be especially true in those states where voters weigh in early such as Iowa, New Hampshire and South Carolina.  Finally, citizens should stay on the case of every single candidate for the Presidency until he takes a definitive stand on these issues.  Then we can compare their stands point by point with Forbes. Then and only then will lovers of liberty know who is the best of the candidates when it comes to protecting our privacy.

We issued a challenge to all the Presidential candidates. Thus far only Forbes has been heard from. The issue is now out there. The rest is up to us.
 

Unlisted Telephone Numbers Not Private

Your unlisted phone number isn't as private as you think it is. Arkansas-based telemarketing company Acxiom Corporation has a phone database with over one hundred and thirty million consumer telephone numbers according to The Washington Post.  Those toll free numbers you dial helps companies like Acxiom identify you before the caller
answers the phone.  The telemarketer, also can run your profile that includes where you live, the type of car you drive and even if you exercise.  Unlisted numbers are acquired from telephone companies' white pages and directory service files--making your unlisted number a unique identifier like a customer tag.  Acxiom says that the company doesn't give out unlisted numbers, however they say that the individual gives them permission to gather private information whenever a relationship begins--meaning when the phone number is part of the record.
Read more The Washington Post "A Hidden Toll On Free Calls: Lost Privacy Not Even Unlisted Numbers Protected From Marketers" by Robert O'Harrow Jr. December 19, 1999 at:
http://search.washingtonpost.com/wp-srv/WPlate/1999-12/19/2461-121999-idx.html
 

Washington, D.C. Metro Area Using Cell Phones For Monitoring Traffic Congestion

One outcome of extending the Communications Assistance for Law Enforcement Act (CALEA) to the physical origin of cell phone calls is to monitor traffic congestion.  Maryland and Virginia plan to use cell phone tracking to help solve problems associated with rush-hour traffic.  Officials say that this new way of measuring congestion will not include eavesdropping into cell phone conversations.   The following is from The Washington Post article.  "The most daunting challenge may not be technical but rather convincing the public that the initiative will not violate their privacy .  Sensitive that fears of Big Brother could derail the experiment, state officials and their consultants have stressed that they will not be able to monitor phone calls or identify callers.  The purpose is simply to follow the energy pattern generated by thousands of cell phones, they said.  'The best we can discern is a bunch of anonymous blobs moving
around,' said David J. Lovell, civil engineering professor at the University of Maryland and a consultant on the project.  'Nobody at the State Highway Administration will be able to sit down and track the travel pattern of their wife's suspected lover.'
Continuing: "The initiative was born of a mandate from the Federal Communications Commission that cellular companies offer by 2001 the capability of providing a user's location as soon as an emergency call is placed to 911.  U.S. Wireless Corp. of San Ramon, Calif., developed a system to meet this requirement and has tested it in California and Montana. The Beltway project would be the first effort to extend this technology to traffic."

Read more The Washington Post "Cell Phones Will Be Used to Monitor Traffic" by Alan Sipress at:
http://www.washingtonpost.com/wp-dyn/metro/A21276-1999Dec21.html
 

Biometrics at the ATM Machines

Biometrics are catching on slowly in the banking industry for securing ATM banking transactions.  According to Fox News, approximately 15 banks are testing transaction security using iris scans.  The iris scan works by scanning the approximately 200 distinct features of the iris of a customer's eye, giving the individual a unique identifier.  These distinct features are converted into numerical data through encryption.  The bank stores this personal data.  Once again the privacy issue surfaces because of another database.  Who will have access to this information?  Unfortunately the public seems to accept iris scans as a good way to protect transactions without thinking about privacy concerns.  "In a report on consumer response from Bank United's IrisScan pilot test, 98 percent of the users described their first experiences as easy, exciting, fast, and convenient.  Thirty-eight percent cited the new IrisScan ATM as a reason for moving their account to Bank United; and 98 percent want to see more iris recognition ATMs installed throughout Texas."
Continuing: "Even more interesting is MP3.com's recent announcement that it, too, will use an iris scan authentication system, using a Web cam and special software, to speed transactions and downloads of MP3 audio files."

Read more Fox News "Let's See Some ID Big Brother concerns still stigmatize biometrics, but as consumers discover that biometrics protects privacy, acceptance is on the rise" by Stephanie Izarek at:
http://www.foxnews.com/vtech/122199/biometrics.sml
 
 

Know Your Customer (still) in the news; Regulation B proposal advocates try to use perceptions of bias to promote their cause--why not just use actual facts?

By: EDMUND SANDERS, LOS ANGELES TIMES STAFF WRITER
 

Banks are not only watching their customers more closely these days.  They're telling on them, too.

In an attempt to combat money laundering, a little-known federal law has turned U.S. banks into an army of secret government agents. Each year, banks are reporting tens of thousands of their customers as suspected criminals to law enforcement agencies. In most cases, customers never learn that their names and private financial information have been disclosed.

The goal of the filings--which are up 56% over the past two years--is to nab drug dealers, gun traffickers and corrupt politicians.  But in the government's effort to catch criminals, critics worry that the system also is ensnaring innocent people, whose privacy is compromised because of mistakes or misunderstandings by banks. As a result, some customers may find themselves explaining their finances to the Internal Revenue Service, under government surveillance or, in extreme cases, facing the seizure of their bank accounts or imprisonment.

It ruined me," said Terry "Bo" Digby, who was handcuffed, arrested and thrown in jail after his Texas bank incorrectly fingered him for fraud.  Digby, 44, had defaulted on a $100,000 loan, and he believes his bank reported him as a way to get even. Eventually he convinced a jury that the charges were bogus, and last year he collected $1 million from Texas Bank, which today is part of Wells Fargo. But the damage, he said, was already done.  "I became the biggest crook in town," said Digby, who runs a trucking business in Odessa, Texas. His wife divorced him. He said he was embarrassed to go to the grocery store.  "People don't realize what can happen when your bank turns you in," he said.

Most people never find out. Banks are prohibited by law from telling customers they've filed a so-called suspicious activity report, or SAR.  Digby found out only by accident, his attorney said.  Once reported, the information - which includes a customer's name, address, occupation, Social Security number and basic account details - is forwarded to a special database run by the Financial Crimes Enforcement Network, or FinCEN, a government intelligence agency under the Treasury Department that is in charge of battling money laundering.  From there, the reports - expected to total 124,000 this year, including about 31,000 in California - are analyzed by law enforcement agencies nationwide, from the FBI to the IRS to local police departments. Foreign governments are also given access on request. No search warrant or court order is required.

Recently appointed FinCEN director James Sloan calls the reports one of the most effective anti-money-laundering tools at his disposal. "We are relying on the experience and instincts of the financial community," he said.  But exactly how helpful they are remains unclear. FinCEN will not say how many reports result in investigations or convictions. While there have been no studies to determine how many innocent people are being reported, a 1998 FinCEN review estimated that as many as one in five reports are unrelated to a serious crime. In addition, about 45% of all reports involve amounts under $10,000, far below what most law enforcement agencies require to launch an investigation.

That has led some critics to worry that the reports are missing their intended target. Rather than uncovering global money-laundering schemes and drug rings, too many reports are being filed on small, ordinary bank customers, said Gregory Nojeim, legislative counsel for the American Civil Liberties Union.  "The vast majority of transactions involve people who are engaging in innocent activities," Nojeim said. "They are never charged and many are never even investigated."

Earlier this year, Rep. Ron Paul, a Texas Republican, sponsored legislation that would repeal the SAR program. Alternatively, Paul wants to give consumers the right to review their FinCEN files and correct mistakes, as they can for other types of government files kept on citizens.  Though helpful to law enforcement agencies, the reports represent one of the fastest-growing threats to the privacy of Americans, according to Paul.  "We're teaching bankers to spy on people," Paul said. "This just gives the government additional information about people that it shouldn't have. It throws a blanket of suspicion over all people." Bankers 'Deputized' as Government Agents

Banks have long had a duty to report suspected criminal activity, and in 1985 "criminal referral forms" were created to make the process easier.  But what began as an effort to improve communication and cooperation between banks and law enforcement has evolved into a strictly enforced mandate that forces banks not only to report suspected criminal activity but to actively hunt for it among their customers.

In 1996, FinCEN replaced the old criminal referral forms with SARs as part of a government crackdown on money laundering.  "All of you have been deputized," Miami attorney Gary Bagliebter told a group of bankers at the American Bankers Assn.'s recent annual money-laundering conference. "You don't carry a badge or what the FBI calls 'creds,' but I'm here to tell you, you should all consider yourselves to be agents of the government in the war on drugs."

Helping FinCEN enforce the rule are bank regulators such as the Federal Deposit Insurance Corp. and the U.S. Comptroller of the Currency, which now review SAR filings as part of every institution's regular audit for safety and soundness. If a bank isn't filing as many reports as its peers, regulators may cite or criticize the institution, creating informal quotas for the filings.

As a further incentive for banks to monitor their customers, federal law permits the government to fine or file criminal charges against a bank for failing to file a SAR on the criminal activity of its customers.  Banks are liable even if they were unaware of the criminal activity, as long as authorities can show that the bank "should have known" about it.  It's little surprise, then, that filings are soaring. In 1996, banks filed about 50,000 reports in the program's first nine months. This year, FinCEN is on track to collect about 124,000 reports.

In return for their help, banks have demanded - and received - the same immunity granted to law enforcement agencies to protect them against lawsuits from customers in case they make mistakes or incorrect filings.  The Digby case was one of the few customer lawsuits to break through this so-called safe harbor protection.

The combination of secrecy, legal immunity and government pressure to file has created an environment in which banks have little to lose by reporting their customers.  "The system is set up to encourage filing," said L. Richard Fischer, a leading financial privacy attorney at Morrison & Foerster in Washington.  "So from the banker's perspective: When in doubt, file."

Deciding What Is Suspicious

What constitutes "suspicious" activity? Deciding which customers to turn in is often the toughest part of the job, bankers say. Though the government requires banks to report suspicious activities, it doesn't precisely define what that means, leaving many bankers scratching their heads.  "It's like the definition of pornography," jokes one banker.  "You're supposed to know it when you see it."  Some activities are easy calls: intentionally writing bad checks; wiring large amounts of money to offshore accounts or certain foreign countries; depositing bags of cash; or attempting to avoid government-mandated currency  reporting rules by making several cash deposits just under the $10,000 limit, a practice known as "structuring."

But the subjective nature of the regulation guarantees that activity considered suspicious at one bank may not raise red flags at another. To help sort out the confusion, regulators and industry experts have created a  laundry list of "suspicious" activities that often prove perfectly innocent, critics say.

For example, Money Laundering Alert - a widely read industry newsletter written by former federal prosecutor Charles Intriago - suggests that suspicious customer behavior can include "unusual or excessively nervous demeanor," reluctance to answer questions about finances, frequently depositing dirty or musty bills and opening a safe-deposit box but rarely visiting it.

On the other hand, excessive use of a safe deposit box is considered suspicious by the Office of the Comptroller of the Currency's SAR handbook.  "It's mush ball," said Gordon Greenberg, an attorney at McDermott, Will & Emery in Los Angeles and coauthor of some of California's money-laundering laws. "Under the rule, almost anything can qualify as suspicious."

Banks stress that no single activity from these lists is usually enough to merit filing a SAR.  "We don't do this lightly," said Frank San Pedro, chief of security at Imperial Bank in Los Angeles. "Things may appear suspicious at first, but upon investigation they make perfect sense."

Most banks say they carefully review the facts before filing a SAR, consider the customer's history and discuss the case with top managers.  But banks admit that the task is made more difficult because bank tellers, typically the lowest-paid and least-experienced employees, are their first line of defense in spotting suspicious activity.  "Those are not exactly the skill sets we are looking for when we hire tellers," said Stuart Lehr, chief compliance officer at Union Bank of California.

Almost everyone agrees that mistakes are inevitable.

A report earlier this year from the Treasury Department's inspector general found that "the accuracy of the SAR data needs improvement." The report suggested that low-wage FinCEN contractors had made data-inputting errors, including one example of a $5,000 transaction that was recorded as $5 million.  Rep. Paul's office has also been collecting stories about banks that have mistakenly reported the wrong name or Social Security number.

Frequently, activities that look suspicious later turn out to be easily explainable.

For example, last year several Los Angeles banks serving Chinatown noticed a sudden surge in cash deposits by local merchants, all curiously just below the $10,000 threshold for filing a currency transaction report.  Suspecting merchants were trying to launder cash, banks began filing SARs on the shopkeepers, according to Gene Elerding, a banking attorney at Manatt, Phelps & Phillips in Los Angeles.

Later, it was discovered that the merchants had all attended the same small-business seminar in which they were cautioned not to keep more than $10,000 cash at their shops. "So when the cash drawers got near $10,000, they went to the bank," Elerding said.

Sometimes customers pay a stiff price for a bank's misunderstanding.

In Florida, BankAtlantic became suspicious about some third-party checks moving from its offices in Miami to Colombia. The Fort Lauderdale-based bank reported the activity to law enforcement agents, who promptly seized 1,100 bank accounts - containing $22 million - that had some activity connected with Colombia. In the end, no criminal case was brought and a judge ruled the bank overreacted by turning over information about so many accounts.  But it was eight months before the customers - including man immigrants - got their money back, causing hardship for cash-strapped families and the collapse of some small businesses, according to Miami attorney Montgomery Blair Sibley, who is representing one customer in a suit against the bank.

Following the Money

Law enforcement officials say SARs have been helpful in cracking scores of money-laundering cases. FinCEN's Sloan says banks have a duty and  self-interest to cooperate.  "It provides an opportunity for financial institutions to keep illicit money out of their institutions," said Sloan, who has proposed extending the reporting requirement to other types of financial companies, such as securities firms, casinos and check cashers.

Law enforcement task forces - consisting of representatives from the Justice Department, FBI, IRS, Drug Enforcement Administration, U.S. Customs Service and U.S. Postal Inspection Service - are gathering each month in a growing number of cities, including Los Angeles and San Diego, to review SARs filed in their regions, looking for possible leads or trends and cross-checking names against those of ongoing investigations. Some agencies receive daily downloads of SAR data.  "We follow money. That's our job," said Albert Allison, branch chief of the IRS criminal investigation division for Southern California. "And SARs are very helpful."

Though reports are only supposed to be used for criminal investigations, the IRS is seeking approval to begin using them for civil tax audits, Allison said. In the meantime, IRS criminal investigators have found a way to refer cases to auditors by transferring the file but removing the confidential SAR form, Allison said.  To make the reports more accessible to law enforcement agencies, FinCEN plans to put the database on a secured Internet site soon.  Privacy groups worry about the database falling into the wrong hands, but Sloan said there is little harm to innocent people who are reported in the SAR database, even if they are investigated, because most often no on  ever knows about it.  "There may be people [in the database] who are not guilty of anything," Sloan said. "But SARs are confidential for that reason."

Privacy advocates say consumers are hurt, regardless of whether they learn about the report. "It's like asking what's the harm if law enforcement goes into your home while you're not there, rifles through your personal financial papers, and you never know about it," Nojeim said. "This is not a criminal investigative tool, it's a massive surveillance system, built on the theory that the government has to watch every financial transaction in case someone does something wrong."
 

Privacy Rights Clearinghouse   1717 Kettner Ave. Suite 105   San Diego, CA 92101
t: 619-298-3396  f:  619-298-5681   bgivens@privacyrights.org   http://www.privacyrights.org