Disclosure of Consumer Complaint Narrative Data, 42765-42769 [2014-17274]
Download as PDF
mstockstill on DSK4VPTVN1PROD with NOTICES
Federal Register / Vol. 79, No. 141 / Wednesday, July 23, 2014 / Notices
‘‘Debt Collection Survey from the
Consumer Credit Panel.’’
DATES: Written comments are
encouraged and must be received on or
before August 22, 2014 to be assured of
consideration.
ADDRESSES: You may submit comments,
identified by the title of the information
collection, OMB Control Number (see
below), and docket number (see above),
by any of the following methods:
• Electronic: https://
www.regulations.gov. Follow the
instructions for submitting comments.
• Mail: Consumer Financial
Protection Bureau (Attention: PRA
Office), 1700 G Street NW., Washington,
DC 20552.
• Hand Delivery/Courier: Consumer
Financial Protection Bureau, 1275 First
Street NE., Washington, DC 20002.
Please note that comments submitted
by fax or email and those submitted
after the comment period will not be
accepted. In general, all comments
received will be posted without change
to regulations.gov, including any
personal information provided.
Sensitive personal information, such as
account numbers or social security
numbers, should not be included.
FOR FURTHER INFORMATION CONTACT:
Documentation prepared in support of
this information collection request is
available at www.reginfo.gov (this link
active on the day following publication
of this notice). Requests for additional
information should be directed to the
Consumer Financial Protection Bureau,
(Attention: PRA Office), 1700 G Street
NW., Washington, DC 20552, (202) 435–
9575, or email: PRA@cfpb.gov. Please do
not submit comments to this email box.
SUPPLEMENTARY INFORMATION:
Title of Collection: Debt Collection
Survey from the Consumer Credit Panel.
OMB Control Number: 3170–XXXX.
Type of Review: New Collection
(Request for a new OMB Control
Number).
Affected Public: Individuals and
households.
Estimated Number of Respondents:
3000.
Estimated Total Annual Burden
Hours: 1,000.
Abstract: The CFPB plans to conduct
a mail survey of consumers to learn
about their experiences interacting with
the debt collection industry. The survey
will ask consumers about their
experiences with debt collectors, such
as whether they have been contacted by
debt collectors in the past, whether they
recognized the debt that was being
collected, and about their interactions
with the debt collectors. The survey will
also ask consumers about their
VerDate Mar<15>2010
17:33 Jul 22, 2014
Jkt 232001
preferences for how they would like to
be contacted by debt collectors,
opinions about potential regulatory
interventions in debt collection markets,
and about their knowledge of their legal
rights regarding debt collections. The
information collected through this
survey will be used to inform a CFPB
rule making concerning debt collection
and research purposes.
Request for Comments: The Bureau
issued a 60-day Federal Register notice
on March 7th, 2014, 79 FR 13043.
Comments were solicited and continue
to be invited on: (a) Whether the
collection of information is necessary
for the proper performance of the
functions of the Bureau, including
whether the information will have
practical utility; (b) the accuracy of the
Bureau’s estimate of the burden of the
collection of information, including the
validity of the methods and the
assumptions used; (c) ways to enhance
the quality, utility, and clarity of the
information to be collected; and (d)
ways to minimize the burden of the
collection of information on
respondents, including through the use
of automated collection techniques or
other forms of information technology.
Comments submitted in response to this
notice will be summarized and/or
included in the request for Office of
Management and Budget (OMB)
approval. All comments will become a
matter of public record.
Dated: July 15, 2014.
Ashwin Vasan,
Chief Information Officer, Bureau of
Consumer Financial Protection.
[FR Doc. 2014–17272 Filed 7–22–14; 8:45 am]
BILLING CODE 4810–AM–P
BUREAU OF CONSUMER FINANCIAL
PROTECTION
[Docket No. CFPB–2014–0016]
Disclosure of Consumer Complaint
Narrative Data
Bureau of Consumer Financial
Protection.
ACTION: Notice of proposed policy
statement with request for public
comment.
AGENCY:
The Bureau of Consumer
Financial Protection (‘‘Bureau’’)
currently discloses certain complaint
data it receives regarding consumer
financial products and services via its
web-based, public-facing database
(‘‘Consumer Complaint Database’’). The
Bureau proposes to expand that
disclosure to include unstructured
consumer complaint narrative data
SUMMARY:
PO 00000
Frm 00011
Fmt 4703
Sfmt 4703
42765
(‘‘narratives’’). Only those narratives for
which opt-in consumer consent had
been obtained and a robust personal
information scrubbing standard and
methodology applied would be subject
to disclosure. The proposed policy
(‘‘Proposed Policy Statement’’) would
supplement the Bureau’s existing Policy
Statements establishing and expanding
the Consumer Complaint Database.
DATES: Comments regarding the
Proposed Policy Statement are due on or
before August 22, 2014.
ADDRESSES: You may submit comments
regarding the Proposed Policy
Statement, identified by Docket No.
CFPB–2014–0016, by any of the
following methods:
• Electronic: https://
www.regulations.gov. Follow the
instructions for submitting comments.
• Mail: Monica Jackson, Office of the
Executive Secretary, Consumer
Financial Protection Bureau, 1700 G
Street NW., Washington, DC 20552.
• Hand Delivery/Courier: Monica
Jackson, Office of the Executive
Secretary, Consumer Financial
Protection Bureau, 1275 First Street NE.,
Washington, DC 20002.
Instructions: The Bureau encourages
the early submission of information and
other comments. Because paper mail in
the Washington, DC area and at the
Bureau is subject to delay, commenters
are encouraged to submit comments
electronically. In general, all
submissions received will be posted
without change to https://
www.regulations.gov. In addition,
submissions will be available for public
inspection and copying at 1275 First
Street NE., Washington, DC 20002, on
official business days between the hours
of 10 a.m. and 5 p.m. Eastern Standard
Time. You can make an appointment to
inspect the documents by telephoning
(202) 435–7275.
All submissions, including
attachments and other supporting
materials, will become part of the public
record and will be subject to public
disclosure. Do not include sensitive
personal information, such as account
numbers or Social Security numbers.
Comments will not be edited to remove
any identifying or contact information,
such as name and address information,
email addresses, or telephone numbers.
FOR FURTHER INFORMATION CONTACT:
Scott Pluta, Assistant Director, Office of
Consumer Response, Bureau of
Consumer Financial Protection, at (202)
435–7306.
Authority: 12 U.S.C. 5492(a), 5493(b)(3)(C),
5496(c)(4), 5511(b)(1), (5), 5512(c)(3)(B).
SUPPLEMENTARY INFORMATION:
E:\FR\FM\23JYN1.SGM
23JYN1
42766
Federal Register / Vol. 79, No. 141 / Wednesday, July 23, 2014 / Notices
I. Background
mstockstill on DSK4VPTVN1PROD with NOTICES
A. Previous Policy Statements Regarding
the Consumer Complaint Database
On December 8, 2011, the Bureau
published in the Federal Register a
proposed policy statement describing its
plans to disclose certain data about the
credit card complaints that consumers
submit to the Bureau (‘‘December 2011
Proposed Policy Statement’’).1 After
receiving and considering a number of
comments, the Bureau finalized its
plans for publically disclosing data from
consumer credit card complaints and
published the final policy statement on
June 22, 2012 (‘‘June 2012 Policy
Statement’’).2
Also on June 22, 2012, the Bureau
concurrently published in the Federal
Register a proposed policy statement
describing its plans to disclose data
from consumer complaints about
financial products and services other
than credit cards (‘‘June 2012 Proposed
Policy Statement’’).3 After receiving and
considering a number of comments, the
Bureau published the final policy
statement on March 25, 2013 (‘‘March
2013 Policy Statement’’).4 In the June
2012 Proposed Policy Statement, the
Bureau did not propose including
narratives in the Consumer Complaint
Database. Notwithstanding this, the
Bureau received a significant number of
comments specific to narrative
disclosure. Consumer, civil rights, and
open government groups supported
disclosure on the grounds that
disclosing narratives would provide
consumers with more useful
information on which to base financial
decisions and would allow reviewers to
assess the validity of the complaints.
Two privacy groups, while
acknowledging privacy risk stemming
from publication of ‘‘non-identifiable’’
data and calling for further study,
supported disclosure on an opt-in basis.
Trade groups and industry commenters
nearly uniformly opposed disclosure of
consumer complaint narratives. In the
March 2013 Policy Statement, the
Bureau noted that it would not post
narratives to the Consumer Complaint
Database at least until it could assess
whether there were practical ways to
disclose narrative data submitted by
consumers without undermining
consumer privacy.
1 76
FR 76628, Dec. 8, 2011.
FR 37616, June 22, 2012.
3 77 FR 37616, June 22, 2012.
4 78 FR 21218, April 10, 2013.
2 77
VerDate Mar<15>2010
17:33 Jul 22, 2014
Jkt 232001
B. Policy Considerations of Disclosing
Narratives
The purpose of the Consumer
Complaint Database, as stated in the
Bureau’s two previous policy
statements, is to provide consumers
with timely and understandable
information about consumer financial
products and services, and improve the
functioning, transparency, and
efficiency of markets for such products
and services. As a general matter, the
Bureau believes that adding additional
information to the Consumer Complaint
Database, such as narratives, is
consistent with and promotes this
purpose.
In specifically examining the
incremental benefits and risks of
disclosing narratives, the Bureau
focused on the direct and indirect
benefits to consumers, the benefit to the
Bureau, and the advancement of open
government principles.
In terms of the direct benefit provided
to consumers, for some consumers a
primary reason for submitting a
complaint may be to share their
experience with other consumers.
Complainants may desire to do so as a
means of providing information they
deem useful to others who may be
considering doing business with a
particular financial institution or as a
means of letting others who may be
experiencing a similar situation know
that they are not alone. These needs
cannot be served by the Bureau simply
by disclosing the non-narrative portions
of the complaint. Indeed, some
consumers may choose to submit a
complaint only if they will have the
opportunity to share their story and
other consumers may overcome their
reticence to submit a complaint by
reading the experiences of others. By
increasing the direct benefits to
consumers of submitting a complaint,
publishing complaint narratives may
expand the number of complaints
submitted to the Bureau and thereby
enhance the value of the Consumer
Complaint Database.
Indirect benefits to consumers and the
marketplace would include the effect
narratives can have on consumer
purchasing decisions. Research has
shown that consumer word of mouth
(which includes consumer reviews and
complaints) is a reliable signal of
product quality that consumers consult
and act upon when making purchasing
decisions. Companies, responsive to the
effect word of mouth can have on sales,
adjust prices to match product quality
and improve customer service in order
to remain competitive.
PO 00000
Frm 00012
Fmt 4703
Sfmt 4703
Publishing narratives would also be
impactful by making the complaint data
personal (the powerful first person voice
of the consumer talking about their
experience), local (the ability for local
stakeholders to highlight consumer
experiences in their community), and
empowering (by encouraging similarly
situated consumers to speak up and be
heard).
The Bureau believes that the utility of
the overall Consumer Complaint
Database would greatly increase with
the inclusion of narratives. This could
lead to increased use by advocates,
academics, the press, and entrepreneurs,
which itself would lead to increased
consumer contacts with the Bureau.
The Bureau believes that the
aforementioned increase in benefits and
utility would lead to an increase in
consumer contacts, which would have a
positive effect on Bureau operations. As
a critical mass of complaint data is
achieved and exceeded, the
representativeness of Bureau complaint
data increases. Thus, narratives would
not only enhance the above consumer
benefits but also the many Bureau
functions that rely, in part, on
complaint data to perform their
respective missions including the
Offices of Supervision, Enforcement,
and Fair Lending, Consumer Education
and Engagement, and Research,
Markets, and Rulemaking.
The Bureau also would benefit by
further establishing itself as a leader in
the realm of open government and open
data. On December 8, 2009, the Office
of Management and Budget (‘‘OMB’’)
issued its Open Government Directive
requiring agencies to ‘‘take prompt steps
to expand access to information by
making it available online.’’ 5 Although
agencies have historically withheld data
from the public due to privacy and cost
controls, with new technology comes
new opportunities for openness without
significant increases to privacy risk and
costs. Moving forward ‘‘the presumption
shall be in favor of openness.’’ 6 While
there is no requirement to publish ‘‘all’’
information, as a matter of policy and
‘‘to the extent permitted by law and
subject to valid privacy, confidentiality,
security, or other restrictions,’’ agencies
should ‘‘proactively use modern
technology to disseminate useful
information, rather than waiting for
specific requests under FOIA.’’ 7
Although an independent agency, the
Bureau shares OMB’s commitment to
open and transparent government. The
5 Peter Orszag, Director, Office of Management &
Budget, Open Government Directive, Dec. 8, 2009.
6 Id.
7 Id.
E:\FR\FM\23JYN1.SGM
23JYN1
mstockstill on DSK4VPTVN1PROD with NOTICES
Federal Register / Vol. 79, No. 141 / Wednesday, July 23, 2014 / Notices
‘‘presumption of openness’’ is quickly
becoming a governmental best practice.
Agencies from the Department of Health
and Human Services (‘‘HHS’’), to the
Federal Trade Commission (‘‘FTC’’) are
moving quickly to expand open data
offerings. Projects like HealthData.gov,
Regulations.gov, and the Green Button
form a new vanguard of government
engagement with the public and the
marketplace through open data.
OMB Memorandum M–13–13, Open
Data Policy—Managing Information as
an Asset, usefully grounds the
‘‘presumption of openness’’ in
utilitarian and economic terms. It
describes information as ‘‘a valuable
national resource and a strategic asset to
the Federal Government, its partners,
and the public,’’ and points out that
‘‘[m]aking information resources
accessible, discoverable, and usable by
the public can help fuel
entrepreneurship, innovation, and
scientific discovery—all of which
improve Americans’ lives and
contribute significantly to job creation.’’
Always subject to legal obligations such
as those to protect privacy and
confidentiality, the government can
treat information as a public asset
which, when made available to its
public owners, creates public value.
Publishing narratives, however, is not
without risks. A principal risk of
publishing narratives is the potential
harm associated with the possible reidentification of actual consumers
within the Consumer Complaint
Database. To de-identify data is to
remove personal information from a
dataset, thereby obscuring individual
identities. Re-identification generally
occurs when separate datasets are
combined to reestablish some number of
individual identities. Individuals with
personal knowledge of events described
in a narrative may also be able to
identify consumers using de-identified
narratives. Some within the research
community question the sufficiency of
de-identification and suggest that the
risks generally outweigh the benefits of
sharing data.8
On the other hand, many researchers
espouse the sufficiency of deidentification and highlight the
extremely low risk of actual reidentification and potential harm—
suggesting a cost-benefit analysis where
the benefits outweigh this risk. In
support of de-identification, supporters
make a number of arguments, including
that modern scrubbing standards such
as the Health Insurance Portability and
8 Paul Ohm, Broken Promises of Privacy:
Responding To The Surprising Failure Of
Anonymization, 57 UCLA L. Rev. 1701 (2010).
VerDate Mar<15>2010
17:33 Jul 22, 2014
Jkt 232001
Accountability Act (‘‘HIPAA’’) Privacy
Rule (which forms the basis of the
Bureau’s narrative scrubbing standard)
decrease re-identification risk to
acceptable levels and the number of
known, successful attempts to reidentify publicly available datasets are
de minimus.
There is a second major risk
associated with publishing narratives
which arises from the fact that the
narratives may contain factually
incorrect information as a result of, for
example, a complainant’s
misunderstanding or misrecollection of
what happened. If consumers were to
rely without question on all narrative
data, it is possible that subsequent
purchasing decisions may be based on
misinformation. To the extent this risk
may be realized, both consumers and
the financial institutions that lose
business due to misinformation would
be disserved. Indeed, even absent any
effect on consumer decision-making,
there is a risk that financial institutions
could incur intangible reputational
damage as a result of the dissemination
of complaint narratives.
To a large extent, this risk is inherent
in any release of complaint data. In
deciding to release the structured
complaint data, the Bureau addressed
this concern and concluded that, while
there is always a risk that market
participants will draw erroneous
conclusions from available data, the
Bureau was persuaded that the
marketplace of ideas would be able to
determine what the data shows. The
Bureau believes that is true, as well,
with respect to complaint narratives.
Furthermore, to mitigate this risk, the
Bureau’s proposed policy provides for
the public release of the company’s
response, side-by-side and scrubbed of
any personal information, to the
consumer’s complaint. This process will
assure that, to the extent there are
factual disputes, both sides of the
dispute can be made public.
C. Operational Feasibility of Disclosing
Narratives
In deciding to release certain
structured data, the Bureau stated that it
would not disclose narratives unless it
is operationally feasible to do so
without compromising consumer
privacy. In November 2013, Consumer
Response began piloting a
comprehensive program to scrub all
personal information from copied
narratives using a scrubbing standard
based on government best practices
(discussed in detail below). This pilot is
ongoing and the scrubbing standard is
continually improved as lessons are
learned and implemented.
PO 00000
Frm 00013
Fmt 4703
Sfmt 4703
42767
The Bureau is currently conducting a
study to further verify that the proposed
scrubbing standard and methodology
will sufficiently address concerns
related to the FOIA, the Privacy Act, the
Dodd-Frank Act, and the Bureau’s
confidentiality regulations where (1)
consent for publication is obtained from
the consumer; (2) narratives are
scrubbed of consumer personal
information consistent with a robust
standard and methodology: (a) that
substantially meets government best
practices for re-identification risk; (b) as
written, results in a low risk of reidentification; (c) as applied, maintains
a low rate of operational error; and (3)
an independent, third party privacy
expert conducts a review and
operational test of the standard and
methodology in support of the above
conditions.
The Bureau is cognizant that other
federal agencies have thought about
these issues and have successfully
adopted a variety of approaches. For
example, the Consumer Product Safety
Commission (‘‘CPSC’’) proactively
publishes narrative consumer reports of
harm on its Web site, which include
consented-to-consumer and industry
narratives. And the FTC routinely
releases consumer complaints,
including the narratives (up to a given
quantity), when requested through the
FOIA.
II. Proposed Policy Statement
Regarding Disclosure of Unstructured
Narrative Data From Consumer
Complaints and Company Responses
The Bureau hears directly from the
American public about their
experiences with the nation’s consumer
financial marketplace. An important
element of the Bureau’s mission is the
handling of individual consumer
complaints regarding financial products
and services. Indeed, ‘‘collecting,
investigating, and responding to
consumer complaints’’ is one of only six
statutory ‘‘primary functions’’ of the
Bureau.9
In June 2012, the Bureau began
making de-identified individual-level
complaint data available via its webbased, public facing database (the
‘‘Consumer Complaint Database’’). Since
launch, the Consumer Complaint
Database has been expanded multiple
times to include additional financial
products and data fields. Consistent
with its strategic vision, the Bureau is
committed to the continued expansion
of the Consumer Complaint Database in
both the number of complaints and
fields of data made publicly available,
9 12
E:\FR\FM\23JYN1.SGM
U.S.C. 5511(c) (2012).
23JYN1
42768
Federal Register / Vol. 79, No. 141 / Wednesday, July 23, 2014 / Notices
while still protecting privacy and
incorporating the appropriate security
controls.
A. Consumer Narratives
The Bureau will provide consumers
the opportunity to share their individual
stories with other consumers and the
marketplace by including consumer
complaint narratives in the Consumer
Complaint Database where consent for
publication is first obtained from the
consumer.
B. Consumer Consent To Disclose
Narratives
The Bureau will only disclose
narratives (1) for which informed
consumer consent has been obtained
and (2) that have been scrubbed of
personal information. Consumers who
submit a complaint will be given the
opportunity to check a consent box
giving the Bureau permission to publish
his or her narrative. The opt-in consent
will state, among other things, and in
plain language, that: (1) whether or not
consent is given will have no impact on
how the Bureau handles the complaint,
(2) if given, the consumer may thereafter
inform the Bureau that she withdraws
her consent at any time and the
narrative will be removed from the
Consumer Complaint Database, and (3)
the Bureau will take reasonable steps to
remove personal information from the
complaint to minimize (but not
eliminate) the risk of re-identification.
mstockstill on DSK4VPTVN1PROD with NOTICES
C. Company Response
Where the consumer provides consent
to publish their narrative, the related
company will be given the opportunity
to submit a narrative response for
inclusion in the Consumer Complaint
Database. The company will be
instructed not to provide direct
identifying information in its publicfacing response, and the Bureau will
take reasonable steps to remove
personal information from the response
to minimize (but not eliminate) the risk
of re-identification. The Company Portal
will include a data field into which
companies have the option to provide
narrative text that would appear next to
a consumer’s narrative in the Consumer
Complaint Database.
D. Personal Information Scrubbing
Standard and Methodology
Sharing data containing personal
information presents a tension between
data utility and individual privacy. As
a particular personal informationscrubbing standard becomes more or
less stringent, the utility of a given deidentified dataset becomes respectively
less or more useful. The publication of
VerDate Mar<15>2010
17:33 Jul 22, 2014
Jkt 232001
narratives involves risks, including the
potential harm associated with the reidentification of actual consumers
within the Consumer Complaint
Database.
In order to minimize the risk of reidentification, the Bureau will apply to
all publically-disclosed narratives, a
robust personal information scrubbing
standard and methodology. The Bureau
recognizes that mitigating privacy risks
in complaint level data disclosed to the
public may decrease the utility of the
data to users. The Bureau will,
exercising discretion, modify data when
privacy risks clearly and substantially
outweigh the benefits of disclosure. By
taking these steps to minimize the
impact, the Bureau believes that
publicly releasing redacted narratives,
subject to consumer consent, will best
protect all consumers without harming
the protected privacy interests of any
individual consumer.
In designing its proposed scrubbing
standard, the Bureau relied heavily on
guidance by the Department of Health
and Human Services (‘‘HHS’’) for deidentification of health data outlined in
the Health Insurance Portability and
Accountability Act (‘‘HIPAA’’) Privacy
Rule.10 HIPAA requires covered entities,
e.g., health plans, providers, and
clearinghouses, to de-identify patient
personal information such that it no
longer provides any reasonable basis to
ascertain individual identities. Under
HIPAA, data may be considered deidentified if either of the following
conditions holds:
• Safe Harbor Method—All the
identifying information of 18 different
types is entirely removed, and what
remains cannot be used to identify
any individual, or
• Expert Determination Method—An
expert applies statistical methods to
estimate the probability that an
individual could be identified and
determines that the risk of
identification is very low.
The HIPAA Safe Harbor Method
(‘‘HIPAA De-identification Standard’’)
stipulates the removal of 18 specific
identifiers from any disclosed datasets,
including:
• Names
• All geographic subdivisions smaller
than a state, including street address,
city, county, precinct, ZIP code, and
their equivalent geocodes, except for
certain ZIP code prefixes depending
on the circumstances
• All elements of dates for dates (except
year) that are directly related to an
individual, including birth date,
PO 00000
10 45
CFR 164.514.
Frm 00014
Fmt 4703
Sfmt 4703
admission date, discharge date, death
date, and all ages over 89 and all
elements of dates indicative of such
age, except that such ages and
elements may be aggregated into a
single category of age 90 or older
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security number
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial
numbers, including license plate
numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators
• Internet Protocol addresses
• Biometric identifiers, including finger
and voice prints
• Full-face photographs and any
comparable images
• Any other unique identifying number,
characteristic, or code
HHS specifically notes that the category
‘‘any other unique identifying number,
characteristic, or code’’ is very broad. It
can contain, among other identifiers,
physical attributes, employer names,
positions, titles, and other identifying
information. HHS does not provide a
comprehensive list of such categories,
but does state that to meet the deidentification standard, unstructured
text must be free of content for which
the de-identifying entity has ‘‘actual
knowledge that residual information
could be used to individually identify a
patient’’.
The Bureau will follow a scrubbing
standard with the following elements:
• The Bureau scrubbing standard
shall include all of the HIPAA
identifiers at a minimum;
• Where HIPAA identifiers are
specific to the health domain, the
Bureau’s scrubbing standard shall
include appropriate analogues in the
consumer financial domain; and
• The Bureau’s scrubbing standard
shall specifically include identifiers
(e.g., employer name) which the Bureau
knows (1) appear in complaints and (2)
could reasonably be used to identify
individuals.
Generally, the scrubbing methodology
will include a computer-based
automated step and a quality assurance
step performed by human reviewers.
III. Scope of the Proposed Policy
Statement
In the June 2012 Policy Statement and
the March 2013 Policy Statement, the
Bureau addressed comments received in
response to the December 2011
E:\FR\FM\23JYN1.SGM
23JYN1
mstockstill on DSK4VPTVN1PROD with NOTICES
Federal Register / Vol. 79, No. 141 / Wednesday, July 23, 2014 / Notices
Proposed Policy Statement and the June
2012 Proposed Policy Statement,
respectively. These comments ranged
from the very general, such as the
Bureau’s authority to disclose consumer
complaint data of any kind and the
impact the database would have on
consumers and covered persons, to the
more specific, such as the impact of
specific proposed data fields (e.g.,
company disposition) and the inclusion
of other data fields (e.g., narratives). In
both Policy Statements, the Bureau
affirmed its openness to the inclusion of
additional data fields and its
willingness to work with external
stakeholders to address the value of
adding such fields. Consistent with this
commitment, and in response to
comments urging the disclosure of
narratives, the Bureau is today
proposing the inclusion of narratives in
the Consumer Complaint Database.
Broadly, the Bureau seeks comments
that are related to the proposed
extension of the policies to include
complaint narratives. With that scope,
the Bureau is specifically seeking public
comment on:
• Consumer Consent to Disclose
Narratives—The Bureau is currently in
the process of conducting research and
user testing to inform design decisions
regarding the need for any additional
information to help inform consumer
consent, the precise language to most
effectively communicate with the
consumer, at what point in the
complaint process (at complaint
submission or later in the complaint
handling process) and where on the
Bureau Web site the information in
support of the opt-in consent should be
displayed.
• Company Response—The Company
Portal will include a data field into
which companies have the option to
provide narrative text that would appear
next to a consumer’s narrative in the
Consumer Complaint Database. The
Bureau is seeking comment on whether
this public-facing response should be
distinct and in addition to the response
companies send directly to the
consumer.
• Personal Information Scrubbing
Standard and Methodology—In Section
II.D, above, the Bureau detailed the
standard and methodology it intends to
utilize to scrub personal information
from the narratives. The Bureau is
seeking comment on both the standard
and methodology, including suggestions
of appropriate analogues to the HIPAA
identifiers in the consumer financial
domain, and any other identifiers which
could reasonably be used to identify
individuals. Specific to ZIP codes, at
this time the Bureau has not yet
VerDate Mar<15>2010
17:33 Jul 22, 2014
Jkt 232001
determined whether to continue
publishing 5-digit ZIP codes in the
Consumer Complaint Database
alongside redacted narratives. The
Bureau seeks comment on whether ZIP
codes should be redacted consistent
with the HIPAA standard and if so, the
number of digits to provide, e.g., five or
three, and any relevant population
thresholds under which to limit ZIP
code disclosure, e.g., less than 20,000 or
10,000 individuals in a given ZIP code.
The Bureau believes that it has
sufficiently addressed comments
concerning the Consumer Complaint
Database generally, as well as comments
regarding the current data fields, in the
June 2012 Policy Statement and the
March 2013 Policy Statement.
IV. Procedural Requirements
The CFPB concludes that Proposed
Policy Statement constitutes an agency
statement of general policy exempt from
notice and public comment pursuant to
5 U.S.C. 553(b).
Notwithstanding this conclusion, the
CFPB invites public comment on this
proposed Policy Statement.
Because no notice of proposed
rulemaking is required, the provisions
of the Regulatory Flexibility Act (5
U.S.C. Chapter 6) do not apply.
Dated: July 14, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial
Protection.
[FR Doc. 2014–17274 Filed 7–22–14; 8:45 am]
BILLING CODE 4810–AM–P
DEPARTMENT OF DEFENSE
Office of the Secretary
Proposed Collection; Comment
Request
Defense Finance and
Accounting Service, DoD.
ACTION: Notice.
AGENCY:
In compliance with the
Paperwork Reduction Act of 1995, the
Defense Finance and Accounting
Service (DFAS) announces a proposed
public information collection and seeks
public comment on the provisions
thereof. Comments are invited on: (a)
Whether the proposed collection of
information is necessary for the proper
performance of the functions of the
agency, including whether the
information shall have practical utility;
(b) the accuracy of the agency’s estimate
of the burden of the proposed
information collection; (c) ways to
PO 00000
Frm 00015
Fmt 4703
Sfmt 4703
enhance the quality, utility and clarity
of the information to be collected; and
(d) ways to minimize the burden of the
information collection on respondents,
including through the use of automated
collection techniques or other forms of
information technology.
DATES: Consideration will be given to all
comments received by September 22,
2014.
You may submit comments,
identified by docket number and title,
by any of the following methods:
• Federal eRulemaking Portal: https://
www.regulations.gov. Follow the
instructions for submitting comments.
• Mail: Federal Docket Management
System Office, 4800 Mark Center Drive,
East Tower, Suite 02G09, Alexandria,
VA 22350–3100.
Instructions: All submissions received
must include the agency name, docket
number and title for this Federal
Register document. The general policy
for comments and other submissions
from members of the public is to make
these submissions available for public
viewing on the Internet at https://
www.regulations.gov as they are
received without change, including any
personal identifiers or contact
information.
ADDRESSES:
To
request more information on this
proposed information collection or to
obtain a copy of the proposal and
associated collection instruments,
please write to the Defense Finance and
Accounting Services—Indianapolis,
DFAS–ZPR. ATTN: La Zaleus D. Leach,
8899 E. 56th St., Indianapolis, IN 46249,
Lazaleus.Leach@DFAS.MIL, 317–212–
6032.
FOR FURTHER INFORMATION CONTACT:
SUPPLEMENTARY INFORMATION:
[Docket ID DoD–2013–OS–0128]
SUMMARY:
42769
Title, Associated Form, and OMB
Number: Request for Information
Regarding Deceased Debtor, DD Form
2840, OMB Number 0730–0015.
Needs and Uses: This form is used to
obtain information on deceased debtors
from probate courts. Probate courts
review their records to see if an estate
was established. They provide the name
and address of the executor or lawyer
handling the estate. From the
information obtained, DFAS submits a
claim against the estate for the amount
due the United States.
Affected Public: Clerks of Probate
Courts.
Annual Burden Hours: 167 hours.
Number of Respondents: 2,000.
Responses per Respondent: 1.
Average Burden per Response: 5
minutes.
Frequency: On occasion when DFAS
is notified a debtor is deceased.
E:\FR\FM\23JYN1.SGM
23JYN1
Agencies
[Federal Register Volume 79, Number 141 (Wednesday, July 23, 2014)]
[Notices]
[Pages 42765-42769]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-17274]
-----------------------------------------------------------------------
BUREAU OF CONSUMER FINANCIAL PROTECTION
[Docket No. CFPB-2014-0016]
Disclosure of Consumer Complaint Narrative Data
AGENCY: Bureau of Consumer Financial Protection.
ACTION: Notice of proposed policy statement with request for public
comment.
-----------------------------------------------------------------------
SUMMARY: The Bureau of Consumer Financial Protection (``Bureau'')
currently discloses certain complaint data it receives regarding
consumer financial products and services via its web-based, public-
facing database (``Consumer Complaint Database''). The Bureau proposes
to expand that disclosure to include unstructured consumer complaint
narrative data (``narratives''). Only those narratives for which opt-in
consumer consent had been obtained and a robust personal information
scrubbing standard and methodology applied would be subject to
disclosure. The proposed policy (``Proposed Policy Statement'') would
supplement the Bureau's existing Policy Statements establishing and
expanding the Consumer Complaint Database.
DATES: Comments regarding the Proposed Policy Statement are due on or
before August 22, 2014.
ADDRESSES: You may submit comments regarding the Proposed Policy
Statement, identified by Docket No. CFPB-2014-0016, by any of the
following methods:
Electronic: https://www.regulations.gov. Follow the
instructions for submitting comments.
Mail: Monica Jackson, Office of the Executive Secretary,
Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC
20552.
Hand Delivery/Courier: Monica Jackson, Office of the
Executive Secretary, Consumer Financial Protection Bureau, 1275 First
Street NE., Washington, DC 20002.
Instructions: The Bureau encourages the early submission of
information and other comments. Because paper mail in the Washington,
DC area and at the Bureau is subject to delay, commenters are
encouraged to submit comments electronically. In general, all
submissions received will be posted without change to https://www.regulations.gov. In addition, submissions will be available for
public inspection and copying at 1275 First Street NE., Washington, DC
20002, on official business days between the hours of 10 a.m. and 5
p.m. Eastern Standard Time. You can make an appointment to inspect the
documents by telephoning (202) 435-7275.
All submissions, including attachments and other supporting
materials, will become part of the public record and will be subject to
public disclosure. Do not include sensitive personal information, such
as account numbers or Social Security numbers. Comments will not be
edited to remove any identifying or contact information, such as name
and address information, email addresses, or telephone numbers.
FOR FURTHER INFORMATION CONTACT: Scott Pluta, Assistant Director,
Office of Consumer Response, Bureau of Consumer Financial Protection,
at (202) 435-7306.
Authority: 12 U.S.C. 5492(a), 5493(b)(3)(C), 5496(c)(4),
5511(b)(1), (5), 5512(c)(3)(B).
SUPPLEMENTARY INFORMATION:
[[Page 42766]]
I. Background
A. Previous Policy Statements Regarding the Consumer Complaint Database
On December 8, 2011, the Bureau published in the Federal Register a
proposed policy statement describing its plans to disclose certain data
about the credit card complaints that consumers submit to the Bureau
(``December 2011 Proposed Policy Statement'').\1\ After receiving and
considering a number of comments, the Bureau finalized its plans for
publically disclosing data from consumer credit card complaints and
published the final policy statement on June 22, 2012 (``June 2012
Policy Statement'').\2\
---------------------------------------------------------------------------
\1\ 76 FR 76628, Dec. 8, 2011.
\2\ 77 FR 37616, June 22, 2012.
---------------------------------------------------------------------------
Also on June 22, 2012, the Bureau concurrently published in the
Federal Register a proposed policy statement describing its plans to
disclose data from consumer complaints about financial products and
services other than credit cards (``June 2012 Proposed Policy
Statement'').\3\ After receiving and considering a number of comments,
the Bureau published the final policy statement on March 25, 2013
(``March 2013 Policy Statement'').\4\ In the June 2012 Proposed Policy
Statement, the Bureau did not propose including narratives in the
Consumer Complaint Database. Notwithstanding this, the Bureau received
a significant number of comments specific to narrative disclosure.
Consumer, civil rights, and open government groups supported disclosure
on the grounds that disclosing narratives would provide consumers with
more useful information on which to base financial decisions and would
allow reviewers to assess the validity of the complaints. Two privacy
groups, while acknowledging privacy risk stemming from publication of
``non-identifiable'' data and calling for further study, supported
disclosure on an opt-in basis. Trade groups and industry commenters
nearly uniformly opposed disclosure of consumer complaint narratives.
In the March 2013 Policy Statement, the Bureau noted that it would not
post narratives to the Consumer Complaint Database at least until it
could assess whether there were practical ways to disclose narrative
data submitted by consumers without undermining consumer privacy.
---------------------------------------------------------------------------
\3\ 77 FR 37616, June 22, 2012.
\4\ 78 FR 21218, April 10, 2013.
---------------------------------------------------------------------------
B. Policy Considerations of Disclosing Narratives
The purpose of the Consumer Complaint Database, as stated in the
Bureau's two previous policy statements, is to provide consumers with
timely and understandable information about consumer financial products
and services, and improve the functioning, transparency, and efficiency
of markets for such products and services. As a general matter, the
Bureau believes that adding additional information to the Consumer
Complaint Database, such as narratives, is consistent with and promotes
this purpose.
In specifically examining the incremental benefits and risks of
disclosing narratives, the Bureau focused on the direct and indirect
benefits to consumers, the benefit to the Bureau, and the advancement
of open government principles.
In terms of the direct benefit provided to consumers, for some
consumers a primary reason for submitting a complaint may be to share
their experience with other consumers. Complainants may desire to do so
as a means of providing information they deem useful to others who may
be considering doing business with a particular financial institution
or as a means of letting others who may be experiencing a similar
situation know that they are not alone. These needs cannot be served by
the Bureau simply by disclosing the non-narrative portions of the
complaint. Indeed, some consumers may choose to submit a complaint only
if they will have the opportunity to share their story and other
consumers may overcome their reticence to submit a complaint by reading
the experiences of others. By increasing the direct benefits to
consumers of submitting a complaint, publishing complaint narratives
may expand the number of complaints submitted to the Bureau and thereby
enhance the value of the Consumer Complaint Database.
Indirect benefits to consumers and the marketplace would include
the effect narratives can have on consumer purchasing decisions.
Research has shown that consumer word of mouth (which includes consumer
reviews and complaints) is a reliable signal of product quality that
consumers consult and act upon when making purchasing decisions.
Companies, responsive to the effect word of mouth can have on sales,
adjust prices to match product quality and improve customer service in
order to remain competitive.
Publishing narratives would also be impactful by making the
complaint data personal (the powerful first person voice of the
consumer talking about their experience), local (the ability for local
stakeholders to highlight consumer experiences in their community), and
empowering (by encouraging similarly situated consumers to speak up and
be heard).
The Bureau believes that the utility of the overall Consumer
Complaint Database would greatly increase with the inclusion of
narratives. This could lead to increased use by advocates, academics,
the press, and entrepreneurs, which itself would lead to increased
consumer contacts with the Bureau.
The Bureau believes that the aforementioned increase in benefits
and utility would lead to an increase in consumer contacts, which would
have a positive effect on Bureau operations. As a critical mass of
complaint data is achieved and exceeded, the representativeness of
Bureau complaint data increases. Thus, narratives would not only
enhance the above consumer benefits but also the many Bureau functions
that rely, in part, on complaint data to perform their respective
missions including the Offices of Supervision, Enforcement, and Fair
Lending, Consumer Education and Engagement, and Research, Markets, and
Rulemaking.
The Bureau also would benefit by further establishing itself as a
leader in the realm of open government and open data. On December 8,
2009, the Office of Management and Budget (``OMB'') issued its Open
Government Directive requiring agencies to ``take prompt steps to
expand access to information by making it available online.'' \5\
Although agencies have historically withheld data from the public due
to privacy and cost controls, with new technology comes new
opportunities for openness without significant increases to privacy
risk and costs. Moving forward ``the presumption shall be in favor of
openness.'' \6\ While there is no requirement to publish ``all''
information, as a matter of policy and ``to the extent permitted by law
and subject to valid privacy, confidentiality, security, or other
restrictions,'' agencies should ``proactively use modern technology to
disseminate useful information, rather than waiting for specific
requests under FOIA.'' \7\
---------------------------------------------------------------------------
\5\ Peter Orszag, Director, Office of Management & Budget, Open
Government Directive, Dec. 8, 2009.
\6\ Id.
\7\ Id.
---------------------------------------------------------------------------
Although an independent agency, the Bureau shares OMB's commitment
to open and transparent government. The
[[Page 42767]]
``presumption of openness'' is quickly becoming a governmental best
practice. Agencies from the Department of Health and Human Services
(``HHS''), to the Federal Trade Commission (``FTC'') are moving quickly
to expand open data offerings. Projects like HealthData.gov,
Regulations.gov, and the Green Button form a new vanguard of government
engagement with the public and the marketplace through open data.
OMB Memorandum M-13-13, Open Data Policy--Managing Information as
an Asset, usefully grounds the ``presumption of openness'' in
utilitarian and economic terms. It describes information as ``a
valuable national resource and a strategic asset to the Federal
Government, its partners, and the public,'' and points out that
``[m]aking information resources accessible, discoverable, and usable
by the public can help fuel entrepreneurship, innovation, and
scientific discovery--all of which improve Americans' lives and
contribute significantly to job creation.'' Always subject to legal
obligations such as those to protect privacy and confidentiality, the
government can treat information as a public asset which, when made
available to its public owners, creates public value.
Publishing narratives, however, is not without risks. A principal
risk of publishing narratives is the potential harm associated with the
possible re-identification of actual consumers within the Consumer
Complaint Database. To de-identify data is to remove personal
information from a dataset, thereby obscuring individual identities.
Re-identification generally occurs when separate datasets are combined
to reestablish some number of individual identities. Individuals with
personal knowledge of events described in a narrative may also be able
to identify consumers using de-identified narratives. Some within the
research community question the sufficiency of de-identification and
suggest that the risks generally outweigh the benefits of sharing
data.\8\
---------------------------------------------------------------------------
\8\ Paul Ohm, Broken Promises of Privacy: Responding To The
Surprising Failure Of Anonymization, 57 UCLA L. Rev. 1701 (2010).
---------------------------------------------------------------------------
On the other hand, many researchers espouse the sufficiency of de-
identification and highlight the extremely low risk of actual re-
identification and potential harm--suggesting a cost-benefit analysis
where the benefits outweigh this risk. In support of de-identification,
supporters make a number of arguments, including that modern scrubbing
standards such as the Health Insurance Portability and Accountability
Act (``HIPAA'') Privacy Rule (which forms the basis of the Bureau's
narrative scrubbing standard) decrease re-identification risk to
acceptable levels and the number of known, successful attempts to re-
identify publicly available datasets are de minimus.
There is a second major risk associated with publishing narratives
which arises from the fact that the narratives may contain factually
incorrect information as a result of, for example, a complainant's
misunderstanding or misrecollection of what happened. If consumers were
to rely without question on all narrative data, it is possible that
subsequent purchasing decisions may be based on misinformation. To the
extent this risk may be realized, both consumers and the financial
institutions that lose business due to misinformation would be
disserved. Indeed, even absent any effect on consumer decision-making,
there is a risk that financial institutions could incur intangible
reputational damage as a result of the dissemination of complaint
narratives.
To a large extent, this risk is inherent in any release of
complaint data. In deciding to release the structured complaint data,
the Bureau addressed this concern and concluded that, while there is
always a risk that market participants will draw erroneous conclusions
from available data, the Bureau was persuaded that the marketplace of
ideas would be able to determine what the data shows. The Bureau
believes that is true, as well, with respect to complaint narratives.
Furthermore, to mitigate this risk, the Bureau's proposed policy
provides for the public release of the company's response, side-by-side
and scrubbed of any personal information, to the consumer's complaint.
This process will assure that, to the extent there are factual
disputes, both sides of the dispute can be made public.
C. Operational Feasibility of Disclosing Narratives
In deciding to release certain structured data, the Bureau stated
that it would not disclose narratives unless it is operationally
feasible to do so without compromising consumer privacy. In November
2013, Consumer Response began piloting a comprehensive program to scrub
all personal information from copied narratives using a scrubbing
standard based on government best practices (discussed in detail
below). This pilot is ongoing and the scrubbing standard is continually
improved as lessons are learned and implemented.
The Bureau is currently conducting a study to further verify that
the proposed scrubbing standard and methodology will sufficiently
address concerns related to the FOIA, the Privacy Act, the Dodd-Frank
Act, and the Bureau's confidentiality regulations where (1) consent for
publication is obtained from the consumer; (2) narratives are scrubbed
of consumer personal information consistent with a robust standard and
methodology: (a) that substantially meets government best practices for
re-identification risk; (b) as written, results in a low risk of re-
identification; (c) as applied, maintains a low rate of operational
error; and (3) an independent, third party privacy expert conducts a
review and operational test of the standard and methodology in support
of the above conditions.
The Bureau is cognizant that other federal agencies have thought
about these issues and have successfully adopted a variety of
approaches. For example, the Consumer Product Safety Commission
(``CPSC'') proactively publishes narrative consumer reports of harm on
its Web site, which include consented-to-consumer and industry
narratives. And the FTC routinely releases consumer complaints,
including the narratives (up to a given quantity), when requested
through the FOIA.
II. Proposed Policy Statement Regarding Disclosure of Unstructured
Narrative Data From Consumer Complaints and Company Responses
The Bureau hears directly from the American public about their
experiences with the nation's consumer financial marketplace. An
important element of the Bureau's mission is the handling of individual
consumer complaints regarding financial products and services. Indeed,
``collecting, investigating, and responding to consumer complaints'' is
one of only six statutory ``primary functions'' of the Bureau.\9\
---------------------------------------------------------------------------
\9\ 12 U.S.C. 5511(c) (2012).
---------------------------------------------------------------------------
In June 2012, the Bureau began making de-identified individual-
level complaint data available via its web-based, public facing
database (the ``Consumer Complaint Database''). Since launch, the
Consumer Complaint Database has been expanded multiple times to include
additional financial products and data fields. Consistent with its
strategic vision, the Bureau is committed to the continued expansion of
the Consumer Complaint Database in both the number of complaints and
fields of data made publicly available,
[[Page 42768]]
while still protecting privacy and incorporating the appropriate
security controls.
A. Consumer Narratives
The Bureau will provide consumers the opportunity to share their
individual stories with other consumers and the marketplace by
including consumer complaint narratives in the Consumer Complaint
Database where consent for publication is first obtained from the
consumer.
B. Consumer Consent To Disclose Narratives
The Bureau will only disclose narratives (1) for which informed
consumer consent has been obtained and (2) that have been scrubbed of
personal information. Consumers who submit a complaint will be given
the opportunity to check a consent box giving the Bureau permission to
publish his or her narrative. The opt-in consent will state, among
other things, and in plain language, that: (1) whether or not consent
is given will have no impact on how the Bureau handles the complaint,
(2) if given, the consumer may thereafter inform the Bureau that she
withdraws her consent at any time and the narrative will be removed
from the Consumer Complaint Database, and (3) the Bureau will take
reasonable steps to remove personal information from the complaint to
minimize (but not eliminate) the risk of re-identification.
C. Company Response
Where the consumer provides consent to publish their narrative, the
related company will be given the opportunity to submit a narrative
response for inclusion in the Consumer Complaint Database. The company
will be instructed not to provide direct identifying information in its
public-facing response, and the Bureau will take reasonable steps to
remove personal information from the response to minimize (but not
eliminate) the risk of re-identification. The Company Portal will
include a data field into which companies have the option to provide
narrative text that would appear next to a consumer's narrative in the
Consumer Complaint Database.
D. Personal Information Scrubbing Standard and Methodology
Sharing data containing personal information presents a tension
between data utility and individual privacy. As a particular personal
information-scrubbing standard becomes more or less stringent, the
utility of a given de-identified dataset becomes respectively less or
more useful. The publication of narratives involves risks, including
the potential harm associated with the re-identification of actual
consumers within the Consumer Complaint Database.
In order to minimize the risk of re-identification, the Bureau will
apply to all publically-disclosed narratives, a robust personal
information scrubbing standard and methodology. The Bureau recognizes
that mitigating privacy risks in complaint level data disclosed to the
public may decrease the utility of the data to users. The Bureau will,
exercising discretion, modify data when privacy risks clearly and
substantially outweigh the benefits of disclosure. By taking these
steps to minimize the impact, the Bureau believes that publicly
releasing redacted narratives, subject to consumer consent, will best
protect all consumers without harming the protected privacy interests
of any individual consumer.
In designing its proposed scrubbing standard, the Bureau relied
heavily on guidance by the Department of Health and Human Services
(``HHS'') for de-identification of health data outlined in the Health
Insurance Portability and Accountability Act (``HIPAA'') Privacy
Rule.\10\ HIPAA requires covered entities, e.g., health plans,
providers, and clearinghouses, to de-identify patient personal
information such that it no longer provides any reasonable basis to
ascertain individual identities. Under HIPAA, data may be considered
de-identified if either of the following conditions holds:
---------------------------------------------------------------------------
\10\ 45 CFR 164.514.
Safe Harbor Method--All the identifying information of 18
different types is entirely removed, and what remains cannot be used to
identify any individual, or
Expert Determination Method--An expert applies statistical
methods to estimate the probability that an individual could be
identified and determines that the risk of identification is very low.
The HIPAA Safe Harbor Method (``HIPAA De-identification Standard'')
stipulates the removal of 18 specific identifiers from any disclosed
datasets, including:
Names
All geographic subdivisions smaller than a state, including
street address, city, county, precinct, ZIP code, and their equivalent
geocodes, except for certain ZIP code prefixes depending on the
circumstances
All elements of dates for dates (except year) that are
directly related to an individual, including birth date, admission
date, discharge date, death date, and all ages over 89 and all elements
of dates indicative of such age, except that such ages and elements may
be aggregated into a single category of age 90 or older
Telephone numbers
Fax numbers
Email addresses
Social Security number
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license
plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators
Internet Protocol addresses
Biometric identifiers, including finger and voice prints
Full-face photographs and any comparable images
Any other unique identifying number, characteristic, or code
HHS specifically notes that the category ``any other unique identifying
number, characteristic, or code'' is very broad. It can contain, among
other identifiers, physical attributes, employer names, positions,
titles, and other identifying information. HHS does not provide a
comprehensive list of such categories, but does state that to meet the
de-identification standard, unstructured text must be free of content
for which the de-identifying entity has ``actual knowledge that
residual information could be used to individually identify a
patient''.
The Bureau will follow a scrubbing standard with the following
elements:
The Bureau scrubbing standard shall include all of the
HIPAA identifiers at a minimum;
Where HIPAA identifiers are specific to the health domain,
the Bureau's scrubbing standard shall include appropriate analogues in
the consumer financial domain; and
The Bureau's scrubbing standard shall specifically include
identifiers (e.g., employer name) which the Bureau knows (1) appear in
complaints and (2) could reasonably be used to identify individuals.
Generally, the scrubbing methodology will include a computer-based
automated step and a quality assurance step performed by human
reviewers.
III. Scope of the Proposed Policy Statement
In the June 2012 Policy Statement and the March 2013 Policy
Statement, the Bureau addressed comments received in response to the
December 2011
[[Page 42769]]
Proposed Policy Statement and the June 2012 Proposed Policy Statement,
respectively. These comments ranged from the very general, such as the
Bureau's authority to disclose consumer complaint data of any kind and
the impact the database would have on consumers and covered persons, to
the more specific, such as the impact of specific proposed data fields
(e.g., company disposition) and the inclusion of other data fields
(e.g., narratives). In both Policy Statements, the Bureau affirmed its
openness to the inclusion of additional data fields and its willingness
to work with external stakeholders to address the value of adding such
fields. Consistent with this commitment, and in response to comments
urging the disclosure of narratives, the Bureau is today proposing the
inclusion of narratives in the Consumer Complaint Database.
Broadly, the Bureau seeks comments that are related to the proposed
extension of the policies to include complaint narratives. With that
scope, the Bureau is specifically seeking public comment on:
Consumer Consent to Disclose Narratives--The Bureau is
currently in the process of conducting research and user testing to
inform design decisions regarding the need for any additional
information to help inform consumer consent, the precise language to
most effectively communicate with the consumer, at what point in the
complaint process (at complaint submission or later in the complaint
handling process) and where on the Bureau Web site the information in
support of the opt-in consent should be displayed.
Company Response--The Company Portal will include a data
field into which companies have the option to provide narrative text
that would appear next to a consumer's narrative in the Consumer
Complaint Database. The Bureau is seeking comment on whether this
public-facing response should be distinct and in addition to the
response companies send directly to the consumer.
Personal Information Scrubbing Standard and Methodology--
In Section II.D, above, the Bureau detailed the standard and
methodology it intends to utilize to scrub personal information from
the narratives. The Bureau is seeking comment on both the standard and
methodology, including suggestions of appropriate analogues to the
HIPAA identifiers in the consumer financial domain, and any other
identifiers which could reasonably be used to identify individuals.
Specific to ZIP codes, at this time the Bureau has not yet determined
whether to continue publishing 5-digit ZIP codes in the Consumer
Complaint Database alongside redacted narratives. The Bureau seeks
comment on whether ZIP codes should be redacted consistent with the
HIPAA standard and if so, the number of digits to provide, e.g., five
or three, and any relevant population thresholds under which to limit
ZIP code disclosure, e.g., less than 20,000 or 10,000 individuals in a
given ZIP code.
The Bureau believes that it has sufficiently addressed comments
concerning the Consumer Complaint Database generally, as well as
comments regarding the current data fields, in the June 2012 Policy
Statement and the March 2013 Policy Statement.
IV. Procedural Requirements
The CFPB concludes that Proposed Policy Statement constitutes an
agency statement of general policy exempt from notice and public
comment pursuant to 5 U.S.C. 553(b).
Notwithstanding this conclusion, the CFPB invites public comment on
this proposed Policy Statement.
Because no notice of proposed rulemaking is required, the
provisions of the Regulatory Flexibility Act (5 U.S.C. Chapter 6) do
not apply.
Dated: July 14, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-17274 Filed 7-22-14; 8:45 am]
BILLING CODE 4810-AM-P