• US
• EUROPE
• ASIA

• SIFMA Events
• Contact SIFMA

• About SIFMA

  • The SIFMA Organization
  • SIFMA Board and Officers
  • SIFMA Steering Committees
  • SIFMA Regional Boards
  • SIFMA Member Directory
  • SIFMA Senior Management
  • SIFMA Staff
  • SIFMA Affiliates/Divisions
  • Join SIFMA

• Capital Markets

  • Capital Markets Group
  • Fixed Income Markets
  • Risk/Prime Brokerage/Capital
  • Equity Markets
  • Interdealer Brokers
  • Capital Markets
  • Regional Capital Markets
  • Credit Rating Agency Task Force
  • Securitization Working Group
• Private Client
• Asset Management

• Legislative

  • Current Hill Activities
  • Federal Issues
  • International Issues
  • State Issues
  • Testimony
  • Legislative Correspondence
  • Landmark Legislation/Primer
  • Washington Weekly
  • PAC

• Media

  • Press Releases
  • SIFMA SmartBrief
  • Released Today NEW
  • Multimedia Library
  • FAQs
  • Public Statements
  • SIFMA In the News

• Regulatory/Legal

  • Issues
  • Comment Letters
  • White Papers
  • Amicus Briefs
  • Litigation
  • Self-Reg Materials
  • Regulatory Proposals
  • Regulatory Resources
  • Regulatory Update

• Research

  • Market Research
  • Statistical Tables
  • Surveys
• SIFMA Online Newsletters

• Services

  • Holiday Schedule
  • Standard Forms/Documentation
  • Business Continuity Planning
  • Technology/Operations
  • Publications
  • Conference Presentations
  • Affinity Programs
  • Marketing Opportunities
  • Strategic Partnership
  • Legal Elite Partnership
  • eSources
  • Industry Education
  • HR/Diversity Resources
  • Career Center
• Investor Education
• Emergency Alerts

Testimony Archives

STATEMENT FOR THE RECORD

FINANCIAL SERVICES COORDINATING COUNCIL

American Bankers Association
American Council of Life Insurers
American Insurance Association
Securities Industry Association

BEFORE THE SUBCOMMITTEE ON COMMERCE, TRADE AND CONSUMER PROTECTION

COMMITTEE ON ENERGY AND COMMERCE
U.S. HOUSE OF REPRESENTATIVES

September 28, 2004

Statement for the Record of the Financial Services Coordinating Council
This Statement for the Record is being submitted on behalf of the Financial Services Coordinating Council -- or "FSCC" -- whose members are the American Bankers Association, American Council of Life Insurers, American Insurance Association, and Securities Industry Association. The FSCC represents the largest and most diverse group of financial institutions in the country, consisting of thousands of large and small banks, insurance companies, investment companies, and securities firms.  Together, these financial institutions provide financial services to virtually every household in the United States.

The FSCC very much appreciates the opportunity to submit this statement to the subcommittee on the use and misuse of social security numbers (or "SSNs"). Our comments focus on the integral role of social security numbers in United States commerce; the many consumer benefits that result from financial institutions' use of these numbers; and the potentially negative effects that could occur if undue restrictions are imposed on such use.  While the FSCC recognizes that there have been misuses of social security numbers, we strongly urge that any legislation intended to address this problem be carefully targeted to specifically-identified abuses, such as measures to stop identity theft. We believe it is imperative to avoid restrictions on legitimate and beneficial uses of SSNs.  

We would urge the subcommittee to exercise caution in its deliberations on any legislation in this area, including consideration of H.R. 2971, the "Social Security Number Privacy and Identity Theft Prevention Act of 2004", given the significant unintended consequences that such legislation could engender.

Our testimony today makes three fundamental points:

First, following the lead of the U.S. Government for the last 65 years, businesses' legitimate use of social security numbers as unique identifiers of individuals is now woven into the fabric of commercial transactions throughout the country. The use of these numbers has produced real benefits for American consumers and taxpayers, and has become critically important for a wide range of government agencies, financial institutions, hospitals, blood banks, and many other businesses, both large and small.

Second, broad restrictions on the use of social security numbers could have serious unintended consequences, including higher credit costs; increased fraud and identity theft; fundamental and costly changes to internal business operating systems; decreased consumer service; and costly delays in consumer transactions.

Third, Congress has recently enacted comprehensive privacy protections under the Gramm-Leach-Bliley Act that, among other things, place stringent restrictions on financial institutions' use and transfer of social security numbers. In light of these provisions, the FSCC strongly believes that further legislative restrictions on financial institutions' use and transfer of social security numbers are unnecessary.

Our statement also discusses the potentially negative impact of social security number restrictions on financial institutions' legitimate use of public records.

FSCC Position on H.R. 2971

As a preliminary matter, the FSCC would like to express its serious concerns with H.R. 2917 as adopted by the House Ways & Means Committee. At its core, the legislation seeks to restrict the availability of social security numbers to the general public. It does so by limiting the sale, purchase and display of such numbers. It imposes limits on the ability of commercial entities to collect these numbers when offering a product or service. It also imposes unclear limits on disclosures of social security numbers to government agencies and the maintenance of social security numbers in ordinary business records. Unfortunately, we believe that the bill may have the unintended consequence of restricting a wide variety of legitimate business activities that pose no danger of the public display of social security numbers. Ironically, we remain concerned that H.R. 2971 will have the effect of actually limiting our ability to combat identity theft and fraud, and to otherwise serve our customers.  It is our collective associations' view that, with respect to financial institutions, existing law already provides consumers with significant protections regarding the misuse of social security numbers, making additional restrictions unnecessary and potentially counterproductive.

As the Subcommittee is aware, in 1999 Congress enacted historic privacy protections as part of the Gramm-Leach-Bliley Act (GLBA).  The GLBA subjects the financial services industry to a comprehensive privacy framework that requires annual disclosure of the company's privacy policies, allows customers to direct the company not to share their nonpublic personal information with nonaffiliated third parties, contains significant prohibitions on the disclosure of detailed account information, and establishes regulatory standards to protect the security and confidentiality of nonpublic personal information.  Importantly, under GLBA, social security numbers are considered "nonpublic personal information" and thus are already subject to significant restrictions on the transfer of, and the ability of others to reuse, such information. Moreover, Congress just last year enacted comprehensive legislation addressing concerns over identity theft as part of its passage of the "Fair and Accurate Credit Transactions Act of 2003 (FACT Act)". Taken together, these two congressional initiatives go straight to the heart of congressional concerns over identity theft and the efforts of financial institutions to combat this growing problem.

The proposed bill, however, would create an entirely new regulatory structure for social security numbers and add it on top of a GLBA structure.  For example, financial services companies regularly sell, for a price, assets between themselves and with secondary market institutions (e.g., home mortgages), such assets having social security numbers embedded in the files. Technically, these would be "sales" prohibited under the bill.  (These would unlikely be a "trade or business" sale exempted under the bill). In addition, institutions regularly transfer information within their corporate families, either through central databases or otherwise, often in exchange for some compensation.  Again, this could be prohibited under the proposed bill, notwithstanding the fact that such transfers of information help financial institutions efficiently service customer accounts. Moreover, financial institutions regularly use third party databases that purchase data from public databases and other sources that institutions check against to uncover fraud, identity theft and credit risk. These data compilers are not "consumer reporting agencies" under the Fair Credit Reporting Act (FCRA), and thus would be subject to the bill's limitations on purchase and sale.  Ironically, each of these legitimate transfers of information benefit consumers and often facilitate our members' ability to better serve customers needs, combat fraud and root out identity theft, yet could be restricted under the bill.  These are just some examples of legitimate, customer-beneficial activities that are called into question. There are undoubtedly others. 

The bill does provide the Attorney General of the United States with the ability to exempt other transactions from these prohibitions.  As a practical matter, the AG is not familiar with the operations of financial institutions and would be ill-suited to craft appropriate exceptions that protect legitimate business activities.  The Justice Department would certainly not be able to respond quickly to questions that would arise over the implementation of this exception.  Moreover, delegating that authority to financial services regulators (as the bill permits), while potentially helpful, creates a great deal of regulatory uncertainty, inserting levels of regulatory bureaucracy in an area already adequately dealt with under federal law. As noted before, GLBA already establishes broad restrictions on the disclosure of nonpublic personal information, while specifically enumerating focused exemptions for legitimate business activities.  Congress vigorously debated these GLBA rules and exemptions, which various State and Federal regulators have since implemented after extensive notice and comment periods (e.g., Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, Federal Trade Commission, Securities and Exchange Commission, and state insurance commissioners have all engaged in such reviews). Further action in this area, as it applies to financial institutions, is not necessary.

As a practical matter, we do not believe that the financial services community is really the subject of the concern that this legislation is attempting to combat.  We use social security numbers, as well as other personal financial information, to assist us in making sound credit decisions, underwriting applications for insurance coverage and performing other ordinary insurance business functions, combating fraud, rooting out identity theft, and uncovering financial support for terrorism.  We do not make these numbers accessible to the general public.  As a result, we believe that this legislation should be targeted at those entities at the heart of the problem, be they unregulated information brokers, those engaged in illegal pretext-calling, or the like.

Integral Role of Social Security Numbers in U.S. Commercial Activities
To assist the subcommittee in its deliberations, it may be helpful to review the important role that social security numbers play in U.S. commercial activities.

As the GAO noted in its February 1999 report,¹ the Social Security Administration created social security numbers 65 years ago as a means to maintain individual earnings records for the purposes of that program. But Congress soon realized the tremendous value to society of a unique identifier that is common to nearly every American.  As a result, it began to require federal government use of the SSN as a common unique identifier for a broad range of wholly unrelated purposes. For example, "a number of federal laws and regulations require the use of the SSN as an individual's identifier to facilitate automated exchanges that help administrators enforce compliance with federal laws, determine eligibility for benefits, or both." ²   These include federal laws applicable to tax reporting, food stamps, Medicaid, Supplemental Security Income, and Child Support Enforcement, among others.  Moreover, as the GAO acknowledged, it has repeatedly recommended in numerous reports that the federal government use SSNs as a unique identifier to reduce fraud and abuse in federal benefits programs. ³

Following the federal government's lead, American businesses not only complied with federal requirements to use SSNs as identifiers for federal laws unrelated to social security, such as income tax reporting.  They also realized the powerful consumer benefits to be derived from comparable business use of SSNs as a common unique identifier.  Thus, businesses began to use SSNs in a manner similar to the federal government, e.g., to match records with other organizations to carry out data exchanges for such legitimate business purposes as transferring and locating assets, tracking patient care among multiple health care providers, and preventing fraud and identity theft. Many businesses also use SSNs as an efficient unique identifier for such internal activities as identifying income tax filers.

Similarly, the financial services industry has used the SSN for many decades as a unique identifier for a broad range of responsible purposes that benefit consumers and the economy. For example, our nation's remarkably efficient credit reporting system -- which has helped make America's affordable and accessible credit the envy of the world -- relies fundamentally on the SSN as a common identifier to compile disparate information from many different sources into a single, reliable credit report for a given individual.  And as set forth in considerably more detail in Attachment A to this testimony, the banking, insurance, and securities industries each use SSNs as unique identifiers for a variety of important regulatory and business transactions, primarily to ensure that the person with whom a financial institution is dealing really is that person. Set forth below is a very incomplete sample of the many financial institution uses of SSNs that are listed in Attachment A: 

• To combat fraud and identity theft;  
• To accurately assess underwriting risk;  
• To assist in internal benefits tracking;  
• To identify money laundering activities;  
• To comply with securities law reporting requirements;  
• To transfer assets and accounts to third parties;  
• To comply with "deadbeat dad" laws;  
• To verify appropriate Department of Motor Vehicle records when underwriting auto insurance;  
• To obtain verifiable medical information to underwrite life, disability income, and long term care insurance;  
• To locate policyholders to pay insurance proceeds;  
• To facilitate a multitude of administrative functions.

As noted in the GAO report, "[s]imply stated, the uniqueness and broad applicability of the SSN have made it the identifier of choice for government agencies and private businesses, both for compliance with federal requirements and for the agencies' and businesses' own purposes."⁴   Put another way, the use of SSNs as common unique identifiers is now woven into the very fabric of both governmental and commercial transactions in this country, and has been so for decades.

In short, the federal government began the use of SSNs for unrelated identification purposes; it required businesses to do the same under certain federal laws; and its use served as an example for businesses, including financial institutions, for over half a century. These uses have produced tremendous efficiencies and benefits for all Americans. The FSCC strongly urges members of Congress to keep such legitimate uses and benefits, including those financial institution uses listed in Attachment A, in the forefront when considering proposals to restrict the use of SSNs. 

Unintended Consequences of Broad Restrictions on Use of Social Security Numbers
As a result of the widespread use of social security numbers for legitimate purposes, the FSCC remains fundamentally concerned about the unintended consequences of legislation that is intended to restrict the abuse of these numbers. Failure to carefully target legislation to avoid these unintended consequences risks serious harm to consumers and the smooth operation of the U.S. economy.  Let me provide some specific examples:

• Potential Harm to Consumers. Financial institutions' use of social security numbers makes it possible for them to provide a level of service to customers that would otherwise not be possible.  By using such numbers to verify individual identities, credit bureaus and others can quickly provide financial institutions with accurate credit histories and verification information on people seeking loans, insurance, securities, and other financial products.  This in turn permits a financial institution to act swiftly and efficiently on applications or requests related to these products.  Use of social security numbers also enables financial institutions to provide more seamless administrative service, e.g., by allowing a life insurer to more easily verify the identity of an individual seeking to change a beneficiary under a life insurance policy. The FSCC's concern is that a broad restriction on the sale or use of social security numbers, however well-intended, could seriously impede the delivery of such important services by driving up processing costs and impairing decision-making.  
• Increased Risk of Fraud and Identity Theft. Social security numbers are critical for fraud detection. Banks, insurance companies, and securities firms rely on information available from both public and private sources – with embedded social security numbers to ensure correct identification – to check for "inconsistencies" that may suggest the occurrence of fraud or identity theft.  The use of these numbers also helps financial institutions verify credit and make sound underwriting decisions that minimize losses. The sophisticated processes used for these purposes rely fundamentally on social security numbers as the common unique identifier to assemble accurate and verifiable information for a given individual.  Put another way, without a unique common identifier such as a social security number, we believe it would be easier, not harder, for an individual's identity to be stolen. Thus, to reiterate, we believe that Congress should exercise great caution in restricting the use of social security numbers so as not to risk an increase in consumer fraud or identity theft -- a result that would be squarely at odds with the intended purpose of such restrictions. ⁵  
• Market Disruption. A prohibition on the sale of social security numbers could be construed to restrict such activities as the sale of assets among financial institutions.  This is so because financial institution assets (e.g., mortgage servicing accounts, credit card accounts, and traditional bank accounts) often use social security numbers as the basis for account identification. When it sells such an asset, a financial institution could be viewed as technically "selling" the embedded social security number as well. Thus, legislative efforts that "directly or indirectly" limit the transfer of social security numbers could effectively preclude such plainly legitimate transactions. To address this problem, businesses would need to rework their internal systems completely to eliminate the reliance on such numbers – a massive and needless expense. Accordingly, we believe that any legislative proposal must be crafted to avoid such a significant unintended consequence.  

The Protections of the Gramm-Leach-Bliley Act

The FSCC believes there is no need to further restrict the use of social security numbers by financial institutions in light of the strong social security number restrictions that apply to such institutions under the Gramm-Leach-Bliley Act ("GLB Act"). The GLB Act and its implementing regulations treat a financial institution consumer's social security number as protected "nonpublic personal information." ⁶   As a result, each financial institution consumer has the right to block a financial institution from selling or transferring his or her social security number to a nonaffiliated third party or the general public.

There are exceptions to this general rule for legitimate transfers of social security numbers, such as ones that are necessary to carry out a transaction requested by the consumer; to protect against fraud; to provide necessary identifying information to a credit bureaus, etc. However, even with respect to such legitimate transfers of social security numbers, the consumer remains protected because the recipient of the number is prohibited by law from re-using or re-disclosing the number -- it may do so only as necessary to carry out the purpose of the exception under which the number was received from the financial institution. Indeed, this unprecedented restriction on the re-use and re-disclosure of consumer information, including social security numbers, was recently upheld by the federal district court of the District of Columbia. ⁷  

In short, as the result of the GLB Act's carefully-targeted restrictions, a financial institution consumer is fully protected with respect to a financial institution's transfer of social security numbers, yet legitimate and important uses of these numbers remain permissible. In light of these restrictions, no additional restrictions on use of SSNs by financial institutions are warranted.

Concerns Over Restrictions On Access to Public Records

Finally, some concerns have also been expressed regarding the inappropriate use of social security numbers available in the public record.  The FSCC believes it is important to remember that a wide range of private sector enterprises – including banks, insurance companies, and securities firms – rely on such records to conduct a broad range of legitimate business activities. For example, financial institutions use public records to:

• Uncover fraud and identity theft;  
• Make sound credit and other financial product determinations;  
• Verify identities of the customer at the account opening phase;  
• Assist in internal security operations (e.g., employee background checks); and  
• Otherwise verify identities in order to conduct a broad range of business transactions. 

Business reliance upon such records facilitates the efficient operation of the financial and credit markets, limits mistakes, and ensures that consumers receive prompt and lower-cost service.  It also helps protect the customer from fraud. 

More specifically, to achieve the purposes described above, financial institutions directly use court bankruptcy records; public records involving liens on real estate; criminal records and fraud detection databases; and similar types of public records. Financial institutions also indirectly use such records for the same purposes by relying on databases developed by third parties that themselves rely on information from public records.  Importantly, SSN identifiers are central to ensuring that the information included in these records matches the correct individual.  This allows banks, for example, to verify the identity of a person so that a direction from a customer to transfer funds to a third party can be executed without mistake, as well as to check important credit-related characteristics of loan applicants (such as pending bankruptcies, tax liens, or other credit problems). 

Moreover, financial institutions employ sophisticated programs that cross-check public information against information supplied by an applicant in order to uncover fraud.  For example, if the age information provided by an applicant posing as another individual were inconsistent with other information known about that individual from public records made available through SSN identification, a "red flag" would be raised, which would trigger further checking to uncover the identity theft.

Thus, overly-broad limits on access to public record information would compromise a financial institution's ability to make sound business decisions and protect its customers. Such limits could also greatly slow the decision-making process of U.S. businesses, to the detriment of consumers and the economy.

Finally, even if financial institutions were exempted from restrictions on access to public records containing social security numbers, such restrictions could still create indirect problems for financial institutions and their customers.  For example, if a social security number were stricken from a public record, it is possible that the ability to use that record for legitimate purposes would become impossible because of the expense involved in verifying the identity of the person covered by that record. The consequences could be delayed loan approvals, increased consumer costs for products and services, and limits on an institution's ability to discover identity theft on a timely basis.

Even if public entities could still retain social security numbers in their internal nonpublic files, the cost and delays in efficiently accessing such files would be significant. Ultimately, the cost efficiencies and speed of delivery inherent in our current market system would be compromised.  The effect could be the same as denying financial institutions access to such records.

Conclusion

The benefits to society from the legitimate and responsible use of social security numbers are real and substantial.  As a result, the FSCC believes that policymakers should look carefully at the unintended consequences that could occur with any proposal that would restrict the use of these numbers. And, because of the GLB Act's restrictions on financial institution disclosure of social security numbers, we believe that no new SSN restrictions are required for the financial services industry.

____________________

ATTACHMENT A

ACTIVITIES POTENTIALLY IMPAIRED BY
RESTRICTIONS ON SOCIAL SECURITY NUMBERS

As noted above, a wide range of legitimate activities conducted by financial institutions would be affected by broad restrictions on the use of social security numbers. Set forth below are examples of such activities, grouped by the respective industries represented by the FSCC.

I. Banking Industry Uses

A. General Uses of Social Security Numbers

• To assist in account administration and better respond to customer requests. Financial institutions must use shared information to create central databases that then permit institutions to better respond to customer requests or needs (e.g., provide account balances, correct inaccuracies, process loan requests, etc.). To do this, many institutions use social security numbers as a unique identifier to ensure more accurate records.  
• To combat fraud and identity theft. Financial institutions rely on third-party databases to investigate claims of fraud and identity theft. These third-party databases in turn rely on social security numbers as the common unique identifier that is used by a variety of data sources.  Without such common unique identifiers, there would be no way to ensure that particular information is associated with a particular individual, and not with someone posing as that individual.  Thus, SSNs are integral mechanisms for accumulating and processing authentic information for both law enforcement officials and financial institutions.  
• To accurately assess risk. Everyday, financial institutions make judgments regarding financial risks. Institutions must rely on information databases to make such judgments, whether they are decisions on loans, insurance products, or other financial services. Social security numbers, when used by internal and third-party data providers as a means of compiling accurate information on an individual, help institutions make prudent decisions on product offerings.  
• To verify the identity of the customer – in person, over the phone, by mail, or over the internet – in the account opening stage. A financial institution uses a social security number as the unique individual identifier when verifying information of a person with whom the institution has had no previous contact.  
• To identify potential terrorist funding and money laundering activities. Institutions use social security numbers as unique identifiers to comply with various government requirements, such as the U.S.A. Patriot Act, Office of Foreign Assets Control (OFAC) verifications or the processing of certain Bank Secrecy Act-related documents (e.g., cash transaction reports).  
• To meet other government safety and soundness requirements. Federal and State bank regulators require banks and savings associations to operate in a safe and sound manner, and require institutions to develop sophisticated internal policies and procedures to that end.  To do so, banks often rely on third-party databases that themselves rely on social security numbers to promote accuracy.  As a result, the use of social security numbers plays a significant role in bank internal risk activities.  
• When providing tax reporting information to the Government (e.g., Forms 1098/1099), as well as to the employee (e.g., W-2s).  
• To facilitate internet banking operations. Many third-party vendors who provide links to such services rely on social security numbers as account identifiers.  
• To assist in internal security operations. Institutions use social security numbers as an employee identifier for purposes of background checks and other activities.  
• To assist in internal benefits tracking. For example, to provide reimbursements to employees incurring business expenses, or to track employee participation in employee retirement funds (e.g., 401(k) plans) .
• To track external payments to vendors for tax reporting purposes. 
• To permit customer access to a wide range of 24-hour banking services via phone or internet. Many banks use social security numbers as the account identifier, both as a convenience to customers and to maintain consistency with other internal processing needs, such as the maintenance of an accurate central database and the subsequent ability to use such numbers when making external credit checks.

B. Type of Institutions that Benefit

To facilitate financial holding company operations of benefit to the company and its customers. Holding companies share customer information (including social security numbers) within their corporate family (i.e., affiliates) for a variety of purposes, including:

• Providing customers with consolidated statements reflecting the status of all of their financial accounts and investments. To do so, companies need to ensure that customer information matches the correct file – e.g., that the "John Smith" on the phone is the John Smith that has two checking accounts, a variable life insurance policy, and holds the securities of four particular companies. Using social security numbers -- the only truly common unique identifier -- to verify this information greatly enhances company accuracy and increases customer confidence.  
• Assisting each affiliate in combating identity theft by giving these affiliates necessary information on the customer so that they may protect the customer's interest.  For example, having accurate, up-to-the-minute customer information allows affiliates to quickly identify inconsistencies or irregular activities in a customer's accounts that may reflect that identity theft is occurring. Again, reliance on social security numbers as the "common" element that permits institutions to cross-check existing customer information with new information helps institutions help their customers. 
• Allowing all aspects of the company to prudently manage risk. When a customer enters a bank, insurance company or securities firm in search of a financial product or service, a financial institution must quickly and accurately gauge its financial risks in providing that product or service.  The institution must rely on a variety of credible internal and external databases, such as those provided by credit bureaus, third-party vendors and other affiliates, for accurate information on the credit standing and financial health of the applicant.  To ensure that these databases are as accurate as possible, such providers must rely upon some form of common identifier that ensures that correct financial history information is associated with the right person. Social security numbers, as the most accurate common identifier available, help ensure the highest available level of accuracy in these databases.  Since a financial institution can then rely on the accuracy of this information in assessing its risk, it can make quick, efficient and prudent decisions regarding the new customer.

B. Securities Industry Uses

• Account identification. Many securities firms' systems rely heavily on social security numbers for identification. In general, account relationships are maintained based on SSN as the sole unique identifier for an individual.  
• Tax reporting. SSNs appear on account opening documentation, primarily for tax reporting purposes.  
• Telephone verification. Firms use SSNs to verify the identity of a client transacting business over the telephone – this enables firms to access an account by keying in the SSN if the customer does not remember his/her account number.  
• Account searches. Firms use SSNs for account searches, thus enabling firms to sort all accounts for a customer under the same SSN.  
• Court Actions/Judicial Process/Subpoenas. Securities firms are often required to provide documents, which would reveal SSNs of a client in responding to a subpoena, court order, or judicial process.  Firms also use SSNs to search for accounts in response to requests from regulators and law enforcement officials.  
• Securities law reporting.  Many of the reports securities firms are required to file with the SEC and self regulatory organizations are based on SSN searches and identify SSNs. For example, certain reports to stock exchanges are based on total positions by related party (i.e., SSN).  
• Institutional risk control/anti-fraud. Firms may use SSNs to perform anti-fraud background checks on potential clients in order to determine whether for example the person has a history of defrauding others.  
• Compliance. SSNs are used to identify certain types of activity that firms are required to conduct surveillance for, such as excessive turnover in accounts.  
• Communications to shareholders. SSNs are used in connection with mutual fund mailings, including the mailing of proxy statements and prospectuses to proprietary fund shareholders. SSNs are also used in connection with dissemination of a company's annual report, quarterly report, or interim report.  
• Escheatment/Abandoned Property. Securities firms are required to provide on an annual basis to individual States the name, last known address, SSN, and other information for purposes of complying with various State escheatment and abandoned property laws, and intangible property tax laws.  
• Transfers of accounts to third parties. SSNs are used to facilitate a customer request to transfer an account to another securities firm, or to satisfy a customer request that a physical stock certificate be transferred from street name into his or her name.  
• Insurance. SSNs may also be disclosed where a client purchases an insurance policy through the securities firm – the securities firms would then have to disclose (through the client's application) information, including SSN, to the insurance company.

C. Insurance Industry Uses:

1. Property/Casualty Insurers' Use of Social Security Numbers

To the extent the p/c insurance industry uses SSNs, that use is confined to legitimate business practices such as underwriting policies, complying with numerous state and federal laws, and verification of identity.
 

A proposal to prohibit or limit the disclosure of SSN could restrict p/c insurers from obtaining necessary information for underwriting and verification purposes. 
 

• For example, auto insurers use motor vehicle records to assess insurance risks, reevaluate risks undertaken, conduct claims fraud investigations and pay injured victims.  Motor vehicle records, which include social security numbers as identifiers, are an essential source of information needed by insurers to comply with state consumer protection laws and existing contracts.  
• Auto insurers may use SSNs obtained from the consumer in order to verify the receipt of proper Department of Motor Vehicle records.
   

Undue restrictions on use of SSNs could also impair the ability of p/c insurers to comply with reporting requirements under current federal and state laws, such as those described below.

• Federal laws require p/c insurers to report certain payments with the claimant's SSN to the IRS.  
• P/C insurers are required under the Federal Welfare Reform Act to report to state welfare agencies certain information, including SSNs, so that the state can seize settlement dollars from non-custodial parents. 
• Under state workers compensation laws, p/c insurers are required to file accident claims (which include the claimant's SSN) with various agencies for those agencies' claims administration purposes.
• States laws require p/c insurers to disclose to state-licensed advisory organizations certain information, which may include a SSN.  The state-licensed advisory organizations perform a critical function in insurance pricing by using the information to conduct actuarial projections of anticipated losses so that state insurance regulators are able to perform their duties and insurance companies can establish rates in accordance with state-approved rating systems.

2. Life, Disability Income, and Long Term Care Insurers' Use of Social Security Numbers

Life, disability income, and long term care insurers are strongly committed to the principle that individuals have a legitimate interest in the proper collection and handling of their personal information and that insurers have an obligation to assure individuals of the confidentiality of that information.  However, in order for insurers to serve their prospective and existing customers, they must use and share nonpublic personal information, including social security numbers, in connection with the origination, administration, and servicing of insurance products and services. These functions are essential to insurers' ability to serve and meet their contractual obligations to their existing and prospective customers. Life, disability income, and long term care insurers also believe that the use and responsible sharing of nonpublic personal information, including social security numbers, generally increases efficiency, reduces costs, and makes it possible to offer economies and innovative products and services to consumers that otherwise would not be available.

a) Underwriting life, disability income, and long-term care insurance policies

Insurers must be able to obtain and use nonpublic personal information, including SSNs, in order to underwrite applications for coverage.  SSNs are used in a number of different ways in connection with this process:

• To obtain verifiable medical information. Insurers sometimes must use proposed insureds' SSNs in order to obtain medical information about them from doctors and hospitals which use SSNs as identification numbers. ,
• To obtain drivers' record information. Insurers sometimes use motor vehicle record information in underwriting.  In some states, insurers are required to use SSNs to obtain this information from the motor vehicle department. 
• To obtain credit report information. Insurers sometimes use information from credit reporting agencies in underwriting, and SSNs are sometimes required to obtain information from consumer reporting agencies.

b) Performance of Essential Insurance Business Functions

Once life, disability income, or long term care insurance policies are issued, insurers use their customers' nonpublic personal information, including their social security numbers, to perform essential, core functions associated with insurance contracts, such as for claims evaluations and policy administration. The ability to use this information for these purposes is crucial to insurers' ability to meet their contractual obligations to their customers and to perform important related service and administrative functions.. They use SSNs to perform a number of these core insurance business functions, which include the following:

• To locate policyholders. SSNs are used by insurers to find missing or lost policyholders to inform them that they are entitled to life insurance proceeds.  
• For customer service. SSNs are used to identify policies owned by an individual who does not have the account or policy number available when a service request is made.  
• For phone call verification. Insurer call centers use SSNs as part of the data requested to authenticate customers who call with requests for service or for product or account information or status.  
• To transfer assets to unaffiliated financial institutions. SSNs are often needed to transfer assets from one financial institution to another, for example, for purposes of transfers between mutual funds or annuities and life insurance.  (Since one financial institution generally does not know an individual's account number at another financial institution, the SSN is needed to identify the client's identity for the two institutions. This reduces delay, error, and misplaced assets in such transfers.)  
• Pension plan administration. Insurers also use SSNs in connection with the administration of pension plans, as identification numbers.  
• For online services. Insurers use SSNs as PIN numbers for customers' use of on-line services.  
• As identification for group insurance plans. Insurers use SSNs in reporting to employer policyholders under employee group insurance plans and in connection with payroll deductions under these plans.

c) Disclosures Pursuant to Regulatory/Legal Mandates or to Achieve Certain Public Policy Goals

In furtherance of public policy goals designed to protect American insurance consumers, life, disability income, and long term care insurers share nonpublic personal information, including SSNs, to:

• State insurance departments to assist them in their general regulatory oversight of insurers, which includes regular market conduct and financial examinations of insurers; 
• Self-regulatory organizations, such as the Insurance Marketplace Standards Association (IMSA), which impose and monitor adherence to requirements with respect to member insurers' conduct in the marketplace; and 
• State insurance guaranty funds, which seek to satisfy policyholder claims in the event of impairment or insolvency of an insurer or to facilitate rehabilitations or liquidations which typically require broad access to policyholder information. 

Any limitation on these disclosures would seem likely to operate counter to the underlying public policy reasons for which they were originally mandated – to protect consumers.

Life, disability income, and long term care insurers are also required to make certain disclosures of information by the federal government.  In addition, they need to (and, in fact, in some states are required to) disclose personal information in order to protect against or to prevent actual or potential fraud. Such disclosures are made to law enforcement agencies and state insurance departments.  Their primary purpose is to reduce the cost of insurance by helping insurers detect (and deter) attempts by insurance applicants to conceal or misrepresent facts. Any limitation on insurers' right to make these disclosures would seem likely to undermine the public policy goal of reducing fraud, the costs of which are ultimately borne by consumers.

Life, disability income, and long term care are required to use SSNs to report to the IRS a variety of payments to insurance consumers, including, but not limited to, interest payments, certain dividends, and policy withdrawals and surrenders. At least one state, Rhode Island, requires that insurers match "deadbeat" parents data before making payments on claims.  SSNs are required for that matching.

d) Ordinary Business Transactions

In the event of a proposed or consummated sale, merger, transfer, or exchange of all or a portion of an insurance company, it is often essential that the insurer be able to disclose company files.  Naturally, these files can contain personal information, including customers' SSNs. Such disclosures are often necessary to the due diligence process that takes place prior to consummation of the deal and are clearly necessary once the deal is completed when the newly-created entity often must use policyholder files in order to conduct business.

Insurers also frequently enter into reinsurance contracts in order to, among other things, increase the amount and volume of coverage they can provide. These arrangements often necessitate the disclosure of personal information, which may include SSNs, by the primary insurer to the reinsurer.

___________________________

Footnotes:

1.   "Social Security – Government and Commercial Use of the Social Security Number is Widespread," February 1999, GAO/HEHS-99-28.

2. Id. at p.4.

3. Id.

4. Id., p.2.

5. Existing law already includes provisions that prohibit identity theft. Stealing someone's identity is punishable by civil and criminal penalties under 18 U.S.C. 1028. Moreover, the Gramm-Leach-Bliley Act bans pretext calling, which is a basic tool of identity thieves. 

6. See, e.g., 12 C.F.R. § 40.3(o), generally defining protected "personally identifiable financial information" to include "any information . . . [t]he bank . . . obtains about a consumer in connection with providing a financial product or service to that consumers" (emphasis added).

7. ISRG v. FTC, C.A. No.: 00-1828 (ESH) (Dist. DC, April 30, 2001).

More Information