CBA Letter to NIST re: Death Master File

 

March 30, 2015

 

Mr. Henry Wixon

Chief Counsel

National Institute of Standards and Technology

100 Bureau Drive, Stop 1052

Gaithersburg, MD 20899-1052

 

                Re:      Docket Number: 141219001-4999-02; RIN 0692-AA21

            Certification Program for Access to the Death Master File  Notice of proposed rulemaking; request for comments

 

Dear Mr. Wixon,

 

On behalf of the Consumer Bankers Association (“CBA”),[1] I am pleased to offer the following comments in response to the Notice of Proposed Rulemaking and the Request for

Comments on the certification program for access to the Death Master File (“DMF”), published by the National Technical Information Service (“NTIS”) on December 30, 2014 (79 Fed. Reg. 78314).  

 

CBA supports the NTIS’ efforts to implement the requirements of the Balanced Budget Act, and protect Death Master File (DMF) data from misuse, while balancing the need to preserve access and availability of the DMF data for important fraud detection and legitimate business purposes. 

 

CBA members directly obtain DMF data from NTIS for several legitimate business purposes, including fraud detection, and purchase products from Certified companies, as defined by the rule, for a wide range of purposes. These products help to protect consumers and CBA members from fraud; help ensure that CBA members do not inappropriately attempt to collect debts from or provide credit to deceased consumers; and for other purposes. Therefore, CBA is very interested in working with NTIS to help ensure that DMF is appropriately accessible by both Certified companies and those that purchase products from those companies, and that the DMF data is adequately protected to protect consumers and CBA members from fraud and other [2]inappropriate uses.

 

CBA supports the current operation of the DMF Certification process as established by NTIS in the Interim Final Rule.2 We believe that the Interim Rule sets the appropriate balance between access, data security and privacy, and we urge NTIS to maintain the current system. If changes are necessary to provide NTIS with audit or other capabilities that NTIS may believe are not provided for in the Interim Rule, we urge NTIS to make incremental changes to the Interim Rule to accomplish those goals, as opposed to the wholesale changes contemplated under this proposed final rule. We believe that the major proposed changes would be difficult and expensive to implement and maintain, would not improve security, and could harm accessibility for fraud detection or legitimate business purposes, as required under the statute. We do not believe that NTIS has established a need for or under-taken sufficient cost-benefit analysis of the proposed changes to justify such a drastic change, and so we urge NTIS to revisit these proposed changes.

 

For example, CBA believes that the Accredited Certification Body (ACB) process that NTIS proposes would impose significant, unnecessary and duplicative costs and requirements on Certified entities and on down-stream users that could make using DMF data cost-prohibitive. Such an outcome would impose significant costs on consumers and legitimate third party users of DMF data and products that contain DMF data, and would adversely impact many of the beneficial uses of DMF data, such as fraud detection and consumer protection. 

 

While NTIS permits Certified entities to provide DMF data to non-certified down-stream users,[3] as long as the recipient “meets the requirements” of this provision[4], there is no guidance as to what constitutes meeting the requirements of this provision. CBA therefore urges NTIS to provide guidance for how down-stream users can demonstrate that they meet the requirements of this provision, and to deem certain categories of users as in compliance with the requirements of this provision. Specifically, down-stream users of DMF data should be able to demonstrate that they meet the requirements of the statute if they are defined as financial institutions under the Gramm-Leach-Bliley[5] Act (“GLBA”). GLB imposes a number of significant data security and information use restrictions on financial institutions, and therefore financial institutions should be deemed to “meet the requirements” of this provision for the purposes of enabling a Certified Person to share DMF data.[6]  

 

Conclusion

 

Imposing significant costs and burdens on users of DMF data could have significant adverse consequences on consumers and businesses, including financial institutions. Instead of seeking to establish a new, expensive and unproven DMF certification program, CBA strongly urges the NTIS to instead utilize the system that was set up by the Interim Rule. It has proven to be effective and efficient, and if modifications need to be made, we urge NTIS to make minor modifications to the existing successful system, instead of wholesale changes to a new, untested and expensive system.

 

Thank you very much for your time and consideration.

 

 

Sincerely, 

  

David Pommerehn                                                        

VP & Senior Counsel                                                    

Consumer Bankers Association                

 

[1] Founded in 1919, the Consumer Bankers Association (CBA) is the trade association for today’s  leaders in retail banking - banking services geared toward consumers and small businesses. The  nation's largest financial institutions, as well as many regional banks, are CBA corporate  members, collectively holding well over half of the industry's total assets. CBA’s mission is to  preserve and promote the retail banking industry as it strives to fulfill the financial needs of the  American consumer and small business. 

 

[2] C.F.R. 16668 (2014)

 

[3] “[T]he proposed rule does not restrict disclosures of Limited Access DMF to Certified Persons…” (P. 78317) 

 

[4] Section 1110.200 of the proposed rule.

 

[5] Gramm-Leach-Bliley Act, Pub. L. 106-102

 

[6] There may be other statutes that NTIS may want to consider as meeting this test, as well, such as being a consumer reporting agency under the Fair Credit Reporting Act, but CBA members are all financial institutions as defined by

GLBA, and therefore do not express an opinion on what, if any, other statutes may demonstrate that a user “meets these requirements.”