[Federal Register Volume 79, Number 141 (Wednesday, July 23, 2014)]
[Notices]
[Pages 42765-42769]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-17274]


-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

[Docket No. CFPB-2014-0016]


Disclosure of Consumer Complaint Narrative Data

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Notice of proposed policy statement with request for public 
comment.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (``Bureau'') 
currently discloses certain complaint data it receives regarding 
consumer financial products and services via its web-based, public-
facing database (``Consumer Complaint Database''). The Bureau proposes 
to expand that disclosure to include unstructured consumer complaint 
narrative data (``narratives''). Only those narratives for which opt-in 
consumer consent had been obtained and a robust personal information 
scrubbing standard and methodology applied would be subject to 
disclosure. The proposed policy (``Proposed Policy Statement'') would 
supplement the Bureau's existing Policy Statements establishing and 
expanding the Consumer Complaint Database.

DATES: Comments regarding the Proposed Policy Statement are due on or 
before August 22, 2014.

ADDRESSES: You may submit comments regarding the Proposed Policy 
Statement, identified by Docket No. CFPB-2014-0016, by any of the 
following methods:
     Electronic: http://www.regulations.gov. Follow the 
instructions for submitting comments.
     Mail: Monica Jackson, Office of the Executive Secretary, 
Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 
20552.
     Hand Delivery/Courier: Monica Jackson, Office of the 
Executive Secretary, Consumer Financial Protection Bureau, 1275 First 
Street NE., Washington, DC 20002.
    Instructions: The Bureau encourages the early submission of 
information and other comments. Because paper mail in the Washington, 
DC area and at the Bureau is subject to delay, commenters are 
encouraged to submit comments electronically. In general, all 
submissions received will be posted without change to http://www.regulations.gov. In addition, submissions will be available for 
public inspection and copying at 1275 First Street NE., Washington, DC 
20002, on official business days between the hours of 10 a.m. and 5 
p.m. Eastern Standard Time. You can make an appointment to inspect the 
documents by telephoning (202) 435-7275.
    All submissions, including attachments and other supporting 
materials, will become part of the public record and will be subject to 
public disclosure. Do not include sensitive personal information, such 
as account numbers or Social Security numbers. Comments will not be 
edited to remove any identifying or contact information, such as name 
and address information, email addresses, or telephone numbers.

FOR FURTHER INFORMATION CONTACT: Scott Pluta, Assistant Director, 
Office of Consumer Response, Bureau of Consumer Financial Protection, 
at (202) 435-7306.

    Authority: 12 U.S.C. 5492(a), 5493(b)(3)(C), 5496(c)(4), 
5511(b)(1), (5), 5512(c)(3)(B).

SUPPLEMENTARY INFORMATION: 

[[Page 42766]]

I. Background

A. Previous Policy Statements Regarding the Consumer Complaint Database

    On December 8, 2011, the Bureau published in the Federal Register a 
proposed policy statement describing its plans to disclose certain data 
about the credit card complaints that consumers submit to the Bureau 
(``December 2011 Proposed Policy Statement'').\1\ After receiving and 
considering a number of comments, the Bureau finalized its plans for 
publically disclosing data from consumer credit card complaints and 
published the final policy statement on June 22, 2012 (``June 2012 
Policy Statement'').\2\
---------------------------------------------------------------------------

    \1\ 76 FR 76628, Dec. 8, 2011.
    \2\ 77 FR 37616, June 22, 2012.
---------------------------------------------------------------------------

    Also on June 22, 2012, the Bureau concurrently published in the 
Federal Register a proposed policy statement describing its plans to 
disclose data from consumer complaints about financial products and 
services other than credit cards (``June 2012 Proposed Policy 
Statement'').\3\ After receiving and considering a number of comments, 
the Bureau published the final policy statement on March 25, 2013 
(``March 2013 Policy Statement'').\4\ In the June 2012 Proposed Policy 
Statement, the Bureau did not propose including narratives in the 
Consumer Complaint Database. Notwithstanding this, the Bureau received 
a significant number of comments specific to narrative disclosure. 
Consumer, civil rights, and open government groups supported disclosure 
on the grounds that disclosing narratives would provide consumers with 
more useful information on which to base financial decisions and would 
allow reviewers to assess the validity of the complaints. Two privacy 
groups, while acknowledging privacy risk stemming from publication of 
``non-identifiable'' data and calling for further study, supported 
disclosure on an opt-in basis. Trade groups and industry commenters 
nearly uniformly opposed disclosure of consumer complaint narratives. 
In the March 2013 Policy Statement, the Bureau noted that it would not 
post narratives to the Consumer Complaint Database at least until it 
could assess whether there were practical ways to disclose narrative 
data submitted by consumers without undermining consumer privacy.
---------------------------------------------------------------------------

    \3\ 77 FR 37616, June 22, 2012.
    \4\ 78 FR 21218, April 10, 2013.
---------------------------------------------------------------------------

B. Policy Considerations of Disclosing Narratives

    The purpose of the Consumer Complaint Database, as stated in the 
Bureau's two previous policy statements, is to provide consumers with 
timely and understandable information about consumer financial products 
and services, and improve the functioning, transparency, and efficiency 
of markets for such products and services. As a general matter, the 
Bureau believes that adding additional information to the Consumer 
Complaint Database, such as narratives, is consistent with and promotes 
this purpose.
    In specifically examining the incremental benefits and risks of 
disclosing narratives, the Bureau focused on the direct and indirect 
benefits to consumers, the benefit to the Bureau, and the advancement 
of open government principles.
    In terms of the direct benefit provided to consumers, for some 
consumers a primary reason for submitting a complaint may be to share 
their experience with other consumers. Complainants may desire to do so 
as a means of providing information they deem useful to others who may 
be considering doing business with a particular financial institution 
or as a means of letting others who may be experiencing a similar 
situation know that they are not alone. These needs cannot be served by 
the Bureau simply by disclosing the non-narrative portions of the 
complaint. Indeed, some consumers may choose to submit a complaint only 
if they will have the opportunity to share their story and other 
consumers may overcome their reticence to submit a complaint by reading 
the experiences of others. By increasing the direct benefits to 
consumers of submitting a complaint, publishing complaint narratives 
may expand the number of complaints submitted to the Bureau and thereby 
enhance the value of the Consumer Complaint Database.
    Indirect benefits to consumers and the marketplace would include 
the effect narratives can have on consumer purchasing decisions. 
Research has shown that consumer word of mouth (which includes consumer 
reviews and complaints) is a reliable signal of product quality that 
consumers consult and act upon when making purchasing decisions. 
Companies, responsive to the effect word of mouth can have on sales, 
adjust prices to match product quality and improve customer service in 
order to remain competitive.
    Publishing narratives would also be impactful by making the 
complaint data personal (the powerful first person voice of the 
consumer talking about their experience), local (the ability for local 
stakeholders to highlight consumer experiences in their community), and 
empowering (by encouraging similarly situated consumers to speak up and 
be heard).
    The Bureau believes that the utility of the overall Consumer 
Complaint Database would greatly increase with the inclusion of 
narratives. This could lead to increased use by advocates, academics, 
the press, and entrepreneurs, which itself would lead to increased 
consumer contacts with the Bureau.
    The Bureau believes that the aforementioned increase in benefits 
and utility would lead to an increase in consumer contacts, which would 
have a positive effect on Bureau operations. As a critical mass of 
complaint data is achieved and exceeded, the representativeness of 
Bureau complaint data increases. Thus, narratives would not only 
enhance the above consumer benefits but also the many Bureau functions 
that rely, in part, on complaint data to perform their respective 
missions including the Offices of Supervision, Enforcement, and Fair 
Lending, Consumer Education and Engagement, and Research, Markets, and 
Rulemaking.
    The Bureau also would benefit by further establishing itself as a 
leader in the realm of open government and open data. On December 8, 
2009, the Office of Management and Budget (``OMB'') issued its Open 
Government Directive requiring agencies to ``take prompt steps to 
expand access to information by making it available online.'' \5\ 
Although agencies have historically withheld data from the public due 
to privacy and cost controls, with new technology comes new 
opportunities for openness without significant increases to privacy 
risk and costs. Moving forward ``the presumption shall be in favor of 
openness.'' \6\ While there is no requirement to publish ``all'' 
information, as a matter of policy and ``to the extent permitted by law 
and subject to valid privacy, confidentiality, security, or other 
restrictions,'' agencies should ``proactively use modern technology to 
disseminate useful information, rather than waiting for specific 
requests under FOIA.'' \7\
---------------------------------------------------------------------------

    \5\ Peter Orszag, Director, Office of Management & Budget, Open 
Government Directive, Dec. 8, 2009.
    \6\ Id.
    \7\ Id.
---------------------------------------------------------------------------

    Although an independent agency, the Bureau shares OMB's commitment 
to open and transparent government. The

[[Page 42767]]

``presumption of openness'' is quickly becoming a governmental best 
practice. Agencies from the Department of Health and Human Services 
(``HHS''), to the Federal Trade Commission (``FTC'') are moving quickly 
to expand open data offerings. Projects like HealthData.gov, 
Regulations.gov, and the Green Button form a new vanguard of government 
engagement with the public and the marketplace through open data.
    OMB Memorandum M-13-13, Open Data Policy--Managing Information as 
an Asset, usefully grounds the ``presumption of openness'' in 
utilitarian and economic terms. It describes information as ``a 
valuable national resource and a strategic asset to the Federal 
Government, its partners, and the public,'' and points out that 
``[m]aking information resources accessible, discoverable, and usable 
by the public can help fuel entrepreneurship, innovation, and 
scientific discovery--all of which improve Americans' lives and 
contribute significantly to job creation.'' Always subject to legal 
obligations such as those to protect privacy and confidentiality, the 
government can treat information as a public asset which, when made 
available to its public owners, creates public value.
    Publishing narratives, however, is not without risks. A principal 
risk of publishing narratives is the potential harm associated with the 
possible re-identification of actual consumers within the Consumer 
Complaint Database. To de-identify data is to remove personal 
information from a dataset, thereby obscuring individual identities. 
Re-identification generally occurs when separate datasets are combined 
to reestablish some number of individual identities. Individuals with 
personal knowledge of events described in a narrative may also be able 
to identify consumers using de-identified narratives. Some within the 
research community question the sufficiency of de-identification and 
suggest that the risks generally outweigh the benefits of sharing 
data.\8\
---------------------------------------------------------------------------

    \8\ Paul Ohm, Broken Promises of Privacy: Responding To The 
Surprising Failure Of Anonymization, 57 UCLA L. Rev. 1701 (2010).
---------------------------------------------------------------------------

    On the other hand, many researchers espouse the sufficiency of de-
identification and highlight the extremely low risk of actual re-
identification and potential harm--suggesting a cost-benefit analysis 
where the benefits outweigh this risk. In support of de-identification, 
supporters make a number of arguments, including that modern scrubbing 
standards such as the Health Insurance Portability and Accountability 
Act (``HIPAA'') Privacy Rule (which forms the basis of the Bureau's 
narrative scrubbing standard) decrease re-identification risk to 
acceptable levels and the number of known, successful attempts to re-
identify publicly available datasets are de minimus.
    There is a second major risk associated with publishing narratives 
which arises from the fact that the narratives may contain factually 
incorrect information as a result of, for example, a complainant's 
misunderstanding or misrecollection of what happened. If consumers were 
to rely without question on all narrative data, it is possible that 
subsequent purchasing decisions may be based on misinformation. To the 
extent this risk may be realized, both consumers and the financial 
institutions that lose business due to misinformation would be 
disserved. Indeed, even absent any effect on consumer decision-making, 
there is a risk that financial institutions could incur intangible 
reputational damage as a result of the dissemination of complaint 
narratives.
    To a large extent, this risk is inherent in any release of 
complaint data. In deciding to release the structured complaint data, 
the Bureau addressed this concern and concluded that, while there is 
always a risk that market participants will draw erroneous conclusions 
from available data, the Bureau was persuaded that the marketplace of 
ideas would be able to determine what the data shows. The Bureau 
believes that is true, as well, with respect to complaint narratives. 
Furthermore, to mitigate this risk, the Bureau's proposed policy 
provides for the public release of the company's response, side-by-side 
and scrubbed of any personal information, to the consumer's complaint. 
This process will assure that, to the extent there are factual 
disputes, both sides of the dispute can be made public.

C. Operational Feasibility of Disclosing Narratives

    In deciding to release certain structured data, the Bureau stated 
that it would not disclose narratives unless it is operationally 
feasible to do so without compromising consumer privacy. In November 
2013, Consumer Response began piloting a comprehensive program to scrub 
all personal information from copied narratives using a scrubbing 
standard based on government best practices (discussed in detail 
below). This pilot is ongoing and the scrubbing standard is continually 
improved as lessons are learned and implemented.
    The Bureau is currently conducting a study to further verify that 
the proposed scrubbing standard and methodology will sufficiently 
address concerns related to the FOIA, the Privacy Act, the Dodd-Frank 
Act, and the Bureau's confidentiality regulations where (1) consent for 
publication is obtained from the consumer; (2) narratives are scrubbed 
of consumer personal information consistent with a robust standard and 
methodology: (a) that substantially meets government best practices for 
re-identification risk; (b) as written, results in a low risk of re-
identification; (c) as applied, maintains a low rate of operational 
error; and (3) an independent, third party privacy expert conducts a 
review and operational test of the standard and methodology in support 
of the above conditions.
    The Bureau is cognizant that other federal agencies have thought 
about these issues and have successfully adopted a variety of 
approaches. For example, the Consumer Product Safety Commission 
(``CPSC'') proactively publishes narrative consumer reports of harm on 
its Web site, which include consented-to-consumer and industry 
narratives. And the FTC routinely releases consumer complaints, 
including the narratives (up to a given quantity), when requested 
through the FOIA.

II. Proposed Policy Statement Regarding Disclosure of Unstructured 
Narrative Data From Consumer Complaints and Company Responses

    The Bureau hears directly from the American public about their 
experiences with the nation's consumer financial marketplace. An 
important element of the Bureau's mission is the handling of individual 
consumer complaints regarding financial products and services. Indeed, 
``collecting, investigating, and responding to consumer complaints'' is 
one of only six statutory ``primary functions'' of the Bureau.\9\
---------------------------------------------------------------------------

    \9\ 12 U.S.C. 5511(c) (2012).
---------------------------------------------------------------------------

    In June 2012, the Bureau began making de-identified individual-
level complaint data available via its web-based, public facing 
database (the ``Consumer Complaint Database''). Since launch, the 
Consumer Complaint Database has been expanded multiple times to include 
additional financial products and data fields. Consistent with its 
strategic vision, the Bureau is committed to the continued expansion of 
the Consumer Complaint Database in both the number of complaints and 
fields of data made publicly available,

[[Page 42768]]

while still protecting privacy and incorporating the appropriate 
security controls.

A. Consumer Narratives

    The Bureau will provide consumers the opportunity to share their 
individual stories with other consumers and the marketplace by 
including consumer complaint narratives in the Consumer Complaint 
Database where consent for publication is first obtained from the 
consumer.

B. Consumer Consent To Disclose Narratives

    The Bureau will only disclose narratives (1) for which informed 
consumer consent has been obtained and (2) that have been scrubbed of 
personal information. Consumers who submit a complaint will be given 
the opportunity to check a consent box giving the Bureau permission to 
publish his or her narrative. The opt-in consent will state, among 
other things, and in plain language, that: (1) whether or not consent 
is given will have no impact on how the Bureau handles the complaint, 
(2) if given, the consumer may thereafter inform the Bureau that she 
withdraws her consent at any time and the narrative will be removed 
from the Consumer Complaint Database, and (3) the Bureau will take 
reasonable steps to remove personal information from the complaint to 
minimize (but not eliminate) the risk of re-identification.

C. Company Response

    Where the consumer provides consent to publish their narrative, the 
related company will be given the opportunity to submit a narrative 
response for inclusion in the Consumer Complaint Database. The company 
will be instructed not to provide direct identifying information in its 
public-facing response, and the Bureau will take reasonable steps to 
remove personal information from the response to minimize (but not 
eliminate) the risk of re-identification. The Company Portal will 
include a data field into which companies have the option to provide 
narrative text that would appear next to a consumer's narrative in the 
Consumer Complaint Database.

D. Personal Information Scrubbing Standard and Methodology

    Sharing data containing personal information presents a tension 
between data utility and individual privacy. As a particular personal 
information-scrubbing standard becomes more or less stringent, the 
utility of a given de-identified dataset becomes respectively less or 
more useful. The publication of narratives involves risks, including 
the potential harm associated with the re-identification of actual 
consumers within the Consumer Complaint Database.
    In order to minimize the risk of re-identification, the Bureau will 
apply to all publically-disclosed narratives, a robust personal 
information scrubbing standard and methodology. The Bureau recognizes 
that mitigating privacy risks in complaint level data disclosed to the 
public may decrease the utility of the data to users. The Bureau will, 
exercising discretion, modify data when privacy risks clearly and 
substantially outweigh the benefits of disclosure. By taking these 
steps to minimize the impact, the Bureau believes that publicly 
releasing redacted narratives, subject to consumer consent, will best 
protect all consumers without harming the protected privacy interests 
of any individual consumer.
    In designing its proposed scrubbing standard, the Bureau relied 
heavily on guidance by the Department of Health and Human Services 
(``HHS'') for de-identification of health data outlined in the Health 
Insurance Portability and Accountability Act (``HIPAA'') Privacy 
Rule.\10\ HIPAA requires covered entities, e.g., health plans, 
providers, and clearinghouses, to de-identify patient personal 
information such that it no longer provides any reasonable basis to 
ascertain individual identities. Under HIPAA, data may be considered 
de-identified if either of the following conditions holds:
---------------------------------------------------------------------------

    \10\ 45 CFR 164.514.

 Safe Harbor Method--All the identifying information of 18 
different types is entirely removed, and what remains cannot be used to 
identify any individual, or
 Expert Determination Method--An expert applies statistical 
methods to estimate the probability that an individual could be 
identified and determines that the risk of identification is very low.

The HIPAA Safe Harbor Method (``HIPAA De-identification Standard'') 
stipulates the removal of 18 specific identifiers from any disclosed 
datasets, including:

 Names
 All geographic subdivisions smaller than a state, including 
street address, city, county, precinct, ZIP code, and their equivalent 
geocodes, except for certain ZIP code prefixes depending on the 
circumstances
 All elements of dates for dates (except year) that are 
directly related to an individual, including birth date, admission 
date, discharge date, death date, and all ages over 89 and all elements 
of dates indicative of such age, except that such ages and elements may 
be aggregated into a single category of age 90 or older
 Telephone numbers
 Fax numbers
 Email addresses
 Social Security number
 Medical record numbers
 Health plan beneficiary numbers
 Account numbers
 Certificate/license numbers
 Vehicle identifiers and serial numbers, including license 
plate numbers
 Device identifiers and serial numbers
 Web Universal Resource Locators
 Internet Protocol addresses
 Biometric identifiers, including finger and voice prints
 Full-face photographs and any comparable images
 Any other unique identifying number, characteristic, or code

HHS specifically notes that the category ``any other unique identifying 
number, characteristic, or code'' is very broad. It can contain, among 
other identifiers, physical attributes, employer names, positions, 
titles, and other identifying information. HHS does not provide a 
comprehensive list of such categories, but does state that to meet the 
de-identification standard, unstructured text must be free of content 
for which the de-identifying entity has ``actual knowledge that 
residual information could be used to individually identify a 
patient''.
    The Bureau will follow a scrubbing standard with the following 
elements:
     The Bureau scrubbing standard shall include all of the 
HIPAA identifiers at a minimum;
     Where HIPAA identifiers are specific to the health domain, 
the Bureau's scrubbing standard shall include appropriate analogues in 
the consumer financial domain; and
     The Bureau's scrubbing standard shall specifically include 
identifiers (e.g., employer name) which the Bureau knows (1) appear in 
complaints and (2) could reasonably be used to identify individuals.

Generally, the scrubbing methodology will include a computer-based 
automated step and a quality assurance step performed by human 
reviewers.

III. Scope of the Proposed Policy Statement

    In the June 2012 Policy Statement and the March 2013 Policy 
Statement, the Bureau addressed comments received in response to the 
December 2011

[[Page 42769]]

Proposed Policy Statement and the June 2012 Proposed Policy Statement, 
respectively. These comments ranged from the very general, such as the 
Bureau's authority to disclose consumer complaint data of any kind and 
the impact the database would have on consumers and covered persons, to 
the more specific, such as the impact of specific proposed data fields 
(e.g., company disposition) and the inclusion of other data fields 
(e.g., narratives). In both Policy Statements, the Bureau affirmed its 
openness to the inclusion of additional data fields and its willingness 
to work with external stakeholders to address the value of adding such 
fields. Consistent with this commitment, and in response to comments 
urging the disclosure of narratives, the Bureau is today proposing the 
inclusion of narratives in the Consumer Complaint Database.
    Broadly, the Bureau seeks comments that are related to the proposed 
extension of the policies to include complaint narratives. With that 
scope, the Bureau is specifically seeking public comment on:
     Consumer Consent to Disclose Narratives--The Bureau is 
currently in the process of conducting research and user testing to 
inform design decisions regarding the need for any additional 
information to help inform consumer consent, the precise language to 
most effectively communicate with the consumer, at what point in the 
complaint process (at complaint submission or later in the complaint 
handling process) and where on the Bureau Web site the information in 
support of the opt-in consent should be displayed.
     Company Response--The Company Portal will include a data 
field into which companies have the option to provide narrative text 
that would appear next to a consumer's narrative in the Consumer 
Complaint Database. The Bureau is seeking comment on whether this 
public-facing response should be distinct and in addition to the 
response companies send directly to the consumer.
     Personal Information Scrubbing Standard and Methodology--
In Section II.D, above, the Bureau detailed the standard and 
methodology it intends to utilize to scrub personal information from 
the narratives. The Bureau is seeking comment on both the standard and 
methodology, including suggestions of appropriate analogues to the 
HIPAA identifiers in the consumer financial domain, and any other 
identifiers which could reasonably be used to identify individuals. 
Specific to ZIP codes, at this time the Bureau has not yet determined 
whether to continue publishing 5-digit ZIP codes in the Consumer 
Complaint Database alongside redacted narratives. The Bureau seeks 
comment on whether ZIP codes should be redacted consistent with the 
HIPAA standard and if so, the number of digits to provide, e.g., five 
or three, and any relevant population thresholds under which to limit 
ZIP code disclosure, e.g., less than 20,000 or 10,000 individuals in a 
given ZIP code.

The Bureau believes that it has sufficiently addressed comments 
concerning the Consumer Complaint Database generally, as well as 
comments regarding the current data fields, in the June 2012 Policy 
Statement and the March 2013 Policy Statement.

IV. Procedural Requirements

    The CFPB concludes that Proposed Policy Statement constitutes an 
agency statement of general policy exempt from notice and public 
comment pursuant to 5 U.S.C. 553(b).
    Notwithstanding this conclusion, the CFPB invites public comment on 
this proposed Policy Statement.
    Because no notice of proposed rulemaking is required, the 
provisions of the Regulatory Flexibility Act (5 U.S.C. Chapter 6) do 
not apply.

    Dated: July 14, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-17274 Filed 7-22-14; 8:45 am]
BILLING CODE 4810-AM-P