This is the accessible text file for GAO report number GAO-04-882R entitled 'Better Information Sharing Among Financial Services Regulators Could Improve Protections for Consumers' which was released on July 29, 2004.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States General Accounting Office:
Washington, DC 20548:

June 29, 2004:

The Honorable Michael G. Oxley
Chairman
Committee on Financial Services
House of Representatives:

Subject: Better Information Sharing Among Financial Services Regulators Could Improve Protections for Consumers:

Dear Mr. Chairman:

GAO has long held the position that financial regulators can benefit from improved information sharing.[Footnote 1] As regulators are faced with the challenges of overseeing a myriad of financial products, along with the individuals and organizations that develop and sell them, information sharing among regulators serves as a key defense against fraud and market abuses. However, our system of financial regulation is fragmented and, in many cases, isolated among numerous federal and state financial regulators overseeing the securities, insurance, and banking industries. While there has been a greater effort to improve communication in recent years, the routine sharing of information between the regulators of the three major financial industries--securities, insurance, and banking--continues to be a source of concern.

At this Committee's request, we have issued reports and testimonies in recent years discussing the benefits of improved sharing of criminal and regulatory information and the consequences of failing to adequately share such information. This report focuses on three areas where greater attention is needed to improve information-sharing capabilities among financial services regulators. First, we highlight the need for insurance regulators to have more consistent access to the Federal Bureau of Investigation (FBI) nationwide criminal history data. Second, we discuss the importance of sharing regulatory enforcement data as a tool to prevent the migration of undesirable people, or rogues, from one industry to another. Third, we present the results of new work assessing the regulatory oversight structures for certain hybrid financial products and the extent to which regulators share consumer complaint data that may be relevant to multiple regulators in a routine, systematic fashion.[Footnote 2] Finally, we highlight challenges to improving information sharing among financial regulators.

We conducted our work in accordance with generally accepted government auditing standards. For our work related to the first two objectives concerning access to criminal and regulatory history data, respectively, we relied primarily on previous GAO work. To address the third objective, we conducted new work related to regulatory oversight and information sharing associated with hybrid financial products. For more information concerning the scope and methodology of this recent work, please see enclosure I.

Results In Brief:

Financial regulators face challenges in accessing and sharing information relevant to their oversight responsibilities, including information related to criminal history data, regulatory enforcement actions, and consumer complaints. Specifically, we found that many state insurance regulators, unlike their counterparts in the banking, securities, and futures industries, continue to lack the legal authority to access the FBI's nationwide criminal history data. According to information obtained from state regulators and the FBI, fewer than one-third of the states have taken actions that current federal law requires for them to have such authority. Consequently, regulators in other states cannot be sure that they are protecting insurance consumers from fraud by keeping individuals previously convicted of serious criminal behavior out of the business of insurance. We also found that financial regulators generally did not have ready access to all relevant data related to regulatory enforcement actions taken against individuals or firms. Regulatory data are maintained by the various financial regulators on separate information systems and are not always readily accessible by one another, particularly by regulators across different financial industries.
If the regulatory history of applicants cannot be readily accessed, financial regulators are hampered in their ability to detect and prevent an unsuitable individual, or rogue, from migrating from one financial services industry to another. Similarly, our recent work shows that many financial regulators do not share relevant consumer complaint data among themselves on certain hybrid products (i.e., products with features and characteristics both of insurance and securities) in a routine, systematic fashion. The different regulatory structures that are involved in the oversight of hybrid products and the array of systems used to capture complaints about them create challenges for regulators and consumers for resolving problems that can arise in the marketplace. We found that the regulatory oversight structure associated with certain hybrid financial products can vary considerably, depending on the product and where it is sold. Moreover, the regulatory structure can change over time. Often multiple regulators can have an oversight interest in a particular hybrid financial product. In such an environment, it can be difficult for consumers to determine which organization should receive a complaint. Furthermore, once a complaint is received, it may be relevant to another regulator, either because it may not have reached the most appropriate regulator or because the complaint information could be of interest to multiple regulators. However, many financial regulators do not share consumer complaint data with one another in a routine, systematic fashion. Consequently, particularly in the case of hybrid financial products, regulators may be unable to resolve individual complaints because complaints have been directed to the "wrong" regulator, or, because of a lack of complete information, an individual regulator may not be able to fully assess the magnitude of problems affecting certain companies or products. 

While financial regulators generally support better sharing of regulatory information, they also cited some concerns and barriers. These generally centered around protecting confidential regulatory information from public disclosure, as opposed to technological issues. Consequently, options or proposals for improving information-sharing capabilities or tools among financial regulators need to address concerns about sharing and protecting different types of regulatory data that have varying degrees of sensitivity. We encourage efforts to achieve improved information sharing, balancing a regulator's "need to know" with the appropriate protections on the information, so that financial regulators can better prevent the migration of rogues and respond more effectively to problems that may surface in the marketplace.

Most State Insurance Regulators Still Cannot Access Nationwide Criminal History Data:

Many state insurance regulators continue to lack the appropriate authority to perform thorough criminal history checks on individuals trying to enter the business of insurance.[Footnote 3] One of the important functions of a financial regulator is licensing or approving the people who apply to work in the industry. The first line of defense against fraud is to keep known criminals and other inappropriate individuals out of the business--particularly when that business is handling other people's money. However, in previous work, we reported that many state insurance regulators, unlike their counterparts in the banking, securities, and futures industries, do not have the authority to obtain FBI nationwide criminal history data.[Footnote 4] Today, the situation remains much the same.
According to officials from the FBI and the National Association of Insurance Commissioners (NAIC),[Footnote 5] of the 50 states and the District of Columbia, only 16 state insurance departments have the authority under current federal law to access nationwide criminal history data maintained by the FBI. NAIC has developed model state legislation for states to gain access to the FBI data for purposes of conducting criminal history checks on industry applicants. However, NAIC also maintains that the fastest way to grant state insurance departments access to the FBI's fingerprint database in a uniform fashion is by federal statute without the need for subsequent state legislative action. One mission of financial regulators is to protect the public by ensuring that people with a history of dishonest behavior are not allowed the opportunity to continue such behavior as representatives of banks, securities firms, or insurance companies. In our previous report, which described an insurance investment scam perpetrated by Martin Frankel, who masterminded the theft of over $200 million from several insurance companies during an 8-year period, we pointed out that most state insurance departments lacked the regulatory tools to access the FBI's criminal history databases. We reported that most state insurance commissioners do not have the means to conduct nationwide criminal history background checks on individuals to decide whether certain convicted felons should be permitted to engage in the business of insurance. We also recommended that the United States Attorney General, the president of NAIC, and state insurance commissioners work together to establish a mechanism by which state regulators can perform criminal background checks on individuals to facilitate enforcement of the federal insurance fraud prevention provision, 18 U.S.C. sec. 1033.[Footnote 6] We reiterated and amplified our discussion of this problem in subsequent work. 
In testimony before two Subcommittees of this Committee in March 2001, we noted that among all financial regulators, only those regulating insurance lacked the ability to routinely access national criminal history data for the purpose of screening potential industry entrants.[Footnote 7] Then, in June 2002, in the context of states' compliance with provisions of the Gramm-Leach-Bliley Act (GLBA),[Footnote 8] we reported that some states' insurance regulators do not conduct criminal history background checks as part of their producer licensing requirements.[Footnote 9] As a result, other states that did require applicant fingerprints and a criminal history screening were reluctant to grant reciprocity to agents that had not previously met these requirements. We noted that some state insurance departments in relatively large markets were not willing to lower their standards on certain licensing requirements, such as criminal history checks using fingerprint identification. We concluded that in-depth criminal background checks through fingerprinting strengthened consumer protections and endorsed efforts to achieve uniformity among state regulators using such requirements. In light of our findings, we have recommended that state insurance regulators be granted access to the nationwide criminal history data that FBI maintains. To properly screen industry applicants who desire to enter the insurance industry, insurance regulators need the appropriate authority to access nationwide criminal history information on individuals. If all state insurance regulators had the authority to access this criminal history data, this would put them on more equal par with other financial regulators in the banking, securities, and futures industries. 

Regulators Lack Ready Access to Each Other's Enforcement Data:

Information on regulatory enforcement activities, in addition to criminal history data, is vital to effective oversight, but is not always readily accessible among financial regulators across different industries. Criminal behavior is not the only reason for a regulator to bar an individual from participating in a regulated industry. Regulators also take disciplinary actions against individuals who have been found responsible for breaking rules or regulations that are in place to protect customers. In these instances, enforcement actions can result in individuals being banned from returning to work in the industry or state where they broke the rules. Such enforcement history would be critical to a regulator in a different financial services industry or state if one of these individuals sought a license to operate in a different industry or location. But, if regulatory information about an individual is not widely known or made available/distributed, little prevents a rogue from moving to a different financial industry or state, lying on an application, and beginning again to engage in unscrupulous activities. The only way to detect and prevent this "rogue migration" is good regulatory information, widely shared.

Financial regulators have taken some steps to improve information sharing among themselves and between industries, but generally they do not have direct, ready access to each other's regulatory information. Each regulator faces the challenge of ensuring that individuals who have been involved in improper activities in one state or financial industry are unsuccessful in attempting to move to another.
Accordingly, financial services regulators generally maintain background and disciplinary data on individuals and entities in their particular financial industry.[Footnote 10] Within the insurance, securities, and futures industries, where regulators have authority to license or register individuals to sell financial products, this information is largely centralized on an industrywide basis. Therefore, different regulators in each of these industries can access systems and databases that provide background information on individuals and entities, consumer complaints, and disciplinary records within that industry. In the banking industry, where regulators do not license or register individuals, we found that regulators also entered and maintained background, regulatory history, lending practice, and complaint data on entities and some individuals. Such systems and databases are decentralized among the separate banking regulators. Therefore, unlike the "one-stop shopping" search capabilities available in other financial industries, a search on an individual's regulatory history in the banking industry could necessitate separate inquiries of the five regulators' systems, though these queries are facilitated through Web-based applications.[Footnote 11] Different financial regulators have taken some steps to improve information sharing between industries. For instance, state insurance regulators, represented by NAIC, and state securities regulators, represented by the North American Securities Administrators Association (NASAA),[Footnote 12] have formed a working group to familiarize one another with the regulatory systems and tools available in their respective industries. In May 2004, NAIC and NASAA hosted a joint educational seminar to facilitate this effort. We also observed examples where state securities and insurance regulators have developed procedures for requesting each other's regulatory information or providing limited access to such data. 
Moreover, many regulators, recognizing the need to share regulatory data with other financial regulators, have established bilateral information-sharing agreements to access external regulatory information. Financial regulators collect and maintain several types of regulatory data with varying degrees of sensitivity that merit consideration of how such data should be shared. In previous testimony before this Committee, we noted discussions with financial regulators and Committee staff that have identified several types of data, aside from those related to licensing and employment history, that could be useful to regulators in detecting fraud and limiting its spread from one financial industry to another. These data types include 1) completed disciplinary or enforcement actions, 2) consumer complaints, 3) ongoing regulatory investigations, and 4) reports of suspicious or unverified activity that merit regulatory attention, but may not yet rise to the level of a formal investigation. Generally, regulators are more comfortable with sharing regulatory information on closed, adjudicated enforcement actions and less comfortable sharing data that may be unsubstantiated. While some of these data types may not be sufficient by themselves to support a regulatory action, such as a disqualification for registration or a license, if regulators were to have the information available, it could prompt them to ask more probing questions or conduct further checks to ensure the fitness of industry applicants. In the Frankel case, although Frankel himself reportedly used aliases and fronts to perpetrate an insurance investment scam, one of the individuals who appeared to have provided funds to purchase the first insurance company in this scam, which was subsequently looted of its assets, had a disclosure item involving complaints and settlements in the securities industry. 
If regulators had interviewed that individual to discuss past regulatory incidents and probed further, they may have uncovered the scam before any assets were stolen. While each regulator keeps data on miscreants identified in its own regulated institutions or industry, financial regulators generally do not have ready access to enforcement data maintained by regulators in other financial industries. Moreover, as highlighted earlier, financial regulators maintain their enforcement data on separate information systems within different industries. Generally, access to regulatory data can be accomplished on an information request basis, but direct, ready access to regulatory data on separate information systems in different industries is generally not available. For instance, NAIC maintains centralized data on disciplinary actions regarding companies and individuals that can be accessed by insurance regulators and industry producers, but financial regulators in other industries generally do not have direct access to this information. Some financial regulators do provide public access to names of individuals and/or firms that have had enforcement action(s) taken against them while others do not. Therefore, in the absence of a means to link or search the various financial regulators' information systems, a comprehensive regulatory background check on an individual would require separate queries for information on numerous systems, some publicly available and some not. Consequently, accomplishing routine, comprehensive regulatory background searches on individuals throughout all the financial services industries and regulatory entities remains difficult and impractical. At the same time, through the Sarbanes-Oxley Act,[Footnote 13] Congress has provided more explicit authority for financial regulators to consider and take actions based on the regulatory history of industry applicants. 
However, without an effective way of routinely checking the regulatory records of multiple industries and agencies throughout the financial services sector, some individuals who self-report false information on licensing and chartering applications are more likely able to avoid being detected by regulators.

Varied Oversight Structures for Hybrid Products and Lack of Information Sharing Hinder Consumer Protection:

The multiplicity of regulators that are often involved in the oversight of hybrid products and the array of information systems that can capture complaint data create challenges for regulators and consumers to resolve market problems that may arise. In our current work on regulatory oversight and information sharing associated with hybrid financial products (i.e., products with features and characteristics both of insurance and securities), we found that the regulatory structures for such products can vary considerably. Often, multiple financial regulators can have an oversight interest in the creation and sale of hybrid products and the mix of regulators involved can vary depending on the product and where it is sold. Additionally, the manner in which consumer complaint data are collected and stored also varies considerably among the financial regulators and industries. When a consumer has a problem with one of these products, commonly complex and risky by nature, he/she may find it difficult to determine where to send the complaint. Once complaints are received, financial regulators are hindered in their ability to fully understand the extent of known problems with a particular financial product because they lack the ability to access and analyze relevant data from each other's complaint systems in a routine, systematic fashion.
In an environment where several regulators can have an oversight interest in a product, we found numerous examples of complaints received by one regulator that perhaps should have gone to another, or which, at the least, would have been of interest to another regulator(s). At the same time, we also observed that financial regulators have limited means for sharing relevant complaint data with one another.

Oversight of Hybrid Products and the Regulatory Systems Used to Track Complaints Vary:

The regulatory oversight of hybrid financial products can vary considerably depending on the type of product and where it is sold. In our review of variable annuities, equity-indexed annuities, and viatical settlements, we found that multiple regulators from the securities and insurance industries can have oversight responsibilities and overlapping interests in a particular hybrid product. Moreover, the oversight structure can differ from state to state and can change over time, reflecting continued differences among regulators and industry participants over how such products should be regulated.[Footnote 14] Figure 1 highlights differences in how these three types of hybrid products are generally regulated.

Figure 1: Regulatory Oversight of Hybrid Products Varies Depending on the Type of Product and the State Where It Is Sold:

[See PDF for image]

Notes: Equity-indexed annuities and viatical settlements are generally not registered as securities with SEC, though SEC can assert oversight based on the unique facts and circumstances of a particular product.

[End of figure]

Some state insurance and securities regulators have statutory authority to regulate viatical settlements. Additionally, in states where securities regulators do not have explicit statutory authority on viatical settlements, most securities regulators have taken the position that investments in such products are investment contracts and believe they should be treated as securities.
Different regulators bring different oversight roles and functions to the table in the regulation of hybrid financial products--differences that are important when a consumer needs help to resolve a problem with a hybrid product. For example, a hybrid product that is considered to be a security by federal securities regulators must be registered with the SEC, which ensures that the product's literature contains the appropriate disclosures to inform the investor of the product's potential risks. However, SEC generally delegates its oversight of broker-dealer firms and the sales practices of individual brokers to several industry organizations and financial exchanges. These are known as self-regulatory organizations (SROs) and include NASD (formerly the National Association of Securities Dealers) and the New York Stock Exchange (NYSE), which regulate the sales practices of their member firms and individual sales agents. State financial regulators--banking, insurance, and securities--also play an important role, augmenting the oversight provided by federal regulators or national SROs. Variable annuity products are regulated as securities by the federal government but also fall under the authority of state insurance and securities regulators. Variable annuities combine traditional life insurance annuity contracts with an investment component that is nonguaranteed and can fluctuate with market-based earnings (or losses).[Footnote 15] At the federal level, the SEC regulates the registration of variable annuity products. Under federal law, variable annuity products registered by the SEC are generally exempt from registration with state securities regulators. In addition, NASD regulates the sale of these products by broker-dealers. 
At the state level, the insurance companies that offer variable annuities generally fall under the jurisdiction of insurance regulators, though sales of such products can also fall under the jurisdiction of state securities regulators, or some combination of both regulators, depending on the state. In contrast with variable products, equity-indexed annuities are generally not subject to federal oversight and thus are typically regulated by state insurance regulators. While equity-indexed annuity products also encompass a market-based investment component, they provide a guarantee on earnings, often in return for less participation in market gains, to ensure that the purchaser will not incur losses on the investment in a market downturn.[Footnote 16] Although SEC has previously solicited comments on whether or not to regulate such products as securities, it has generally not asserted jurisdiction over such products.[Footnote 17] However, SEC officials explained that oversight could be asserted based on the facts and circumstances of an individual product. NASD does not oversee sales of equity-indexed annuities, but does offer investor information about these products while referring consumers to state insurance regulators for questions concerning these products. The regulatory structure for viatical settlements, involving the purchase and sale of insurance policies where terminally ill policyholders redesignate investors as beneficiaries on their policies in return for a reduced cash benefit prior to their death, has evolved in response to market abuses.[Footnote 18] When viatical settlements were initially introduced in the late 1980s, financial regulators generally did not have explicit authority to regulate them. 
As widespread sales practice abuses later surfaced in connection with sales of viatical settlements, different federal and state financial regulators sought increased authority to address the apparent regulatory gap by seeking explicit authority over such products. For instance, the Federal Circuit Court for the District of Columbia has held that viatical settlements are not securities under federal law and, therefore, are not subject to SEC jurisdiction.[Footnote 19] However, similar to equity-indexed annuities, while such products are generally not registered with SEC, the SEC has told us that it may assert oversight on a case-by-case basis depending on the facts and circumstances of a particular product or situation. At the state level, the oversight structure for viatical settlement products changed over time from that of little effective regulation to that where most states have taken some legislative or regulatory action to strengthen their regulatory tools and oversight of such products. However, substantial variation still exists. Information from state insurance and securities regulators shows that states now regulate such products either through their insurance departments, securities departments, or some combination of both. However, a handful of states still do not specifically address the regulation of viatical settlements. Moreover, even in states with a regulatory structure in place, the fraudulent sale of these products continues to harm consumers in the marketplace, as evidenced by the recent uncovering of a widespread viatical-related scam, where investors reportedly may have lost up to $1 billion.[Footnote 20] A number of regulators collect consumer complaint data about securities and insurance products, including hybrid products, but once complaints are received, they are handled differently. 
Within the securities industry, regulators at the state and federal levels collect complaints using their own separate information systems, but not all complaint data are shared in a systematic fashion. For example, according to NASAA officials, state securities regulators use their own systems for tracking complaints they receive. NASAA officials also explained that complaint data collected by state securities regulators vary in the level of detail, and only the number of complaints is aggregated on a nationwide basis.[Footnote 21] Some consumer complaints that result in settlements or arbitrations above a certain dollar threshold are entered into the Central Registration Depository (CRD), a system with information on broker-dealer firms and individuals, including disciplinary data related to enforcement actions, that is jointly maintained and operated by NASD and NASAA. Meanwhile, SROs such as NASD and NYSE do consolidate complaint data on a nationwide basis, requiring their member firms to enter records of consumer complaints received into an information system maintained by the SRO.

Within the insurance industry, both state regulators and insurance firms also record information on consumer complaints but, again, all the available data are not shared with other regulators. State insurance regulators receive and record consumer complaint data on their own systems. However, in contrast with their state counterparts in the securities industry, state insurance regulators have developed a mechanism for consolidating records of closed consumer complaints on a nationwide basis within NAIC's Complaints Database System (CDS). State insurance departments periodically send data on closed consumer complaints to NAIC, which consolidates them into CDS. However, NAIC officials acknowledged that complaint submissions to CDS are voluntary and that not all states that participate are consistent in reporting their complaints information to NAIC for inclusion in CDS.
Furthermore, the complaint data in CDS are only accessible by insurance regulators and are not shared with securities regulators in a routine, systematic fashion.[Footnote 22] Also, insurance regulators do not have a system for collecting and consolidating complaints made to insurance firms on a nationwide basis, in contrast to the SROs in the securities industry. Thus, because of the varying ways that complaint data are collected, the available consumer complaint data are not complete, accessible, or shared fully, either within or between industries.

Different Regulatory Systems and the Absence of a Capability to Share Relevant Complaint Data Create Challenges for Consumers and Regulators:

The varied regulatory oversight structures associated with hybrid products and the lack of a systematic means for sharing relevant complaint data pose challenges for consumers and regulators as problems in the marketplace arise. As noted earlier, the mix of regulatory entities with an oversight interest can vary depending on the type of product and the state. The regulatory structure may also change over time as financial regulators differ over which regulator is best suited for a given oversight function. Given this complexity, a consumer's dilemma about where to send a complaint can be very challenging. For example, a complaint regarding a fixed annuity that is sent to an NASD member firm may not be forwarded to the appropriate regulator. Regulators also face challenges because many do not have a capability for consistently and routinely sharing complaints they receive that might be relevant to the oversight interests of other regulators--either because another regulator has authority to resolve the complaint or because the complaint is of general interest to multiple regulators.

Regulators in the securities and insurance industries generally have systems for ensuring that consumer complaints are received, investigated, and, where possible, resolved.
However, consumer complaints associated with a particular type of product are collected in various ways among different regulators and systems. We found that many financial regulators lacked the ability to share consumer complaints with other regulators within the insurance or securities industries, or with other regulators between industries, in a routine, systematic fashion. Consequently, some consumer complaints may never reach the appropriate regulator. Similarly, those complaints received by the appropriate regulator for resolution may also be relevant to, but not shared with, another regulator(s) that has some oversight responsibility. This can hamper the ability of a given regulator to see "the big picture" and to fully understand the magnitude of a problem associated with a given company or product. With the continued growth of hybrid products, the likelihood increases that regulators will receive complaints that could be of interest to other regulators. The most appropriate regulator for a consumer who has a problem with a hybrid product will depend on the type of product and where it was sold. For instance, a consumer who has a problem with a variable annuity would need to determine which regulator oversees the product and where to send a complaint for resolution--to the regulator or to the broker that sold them the annuity. While SEC and NASD regulate the registration and sale, respectively, of variable annuities at the federal level, oversight of sales practices at the state level may fall under the jurisdiction of either the insurance department or the securities department, depending on the state. Accordingly, consumers would then have to decide where to go for help--SEC, NASD, the state insurance department, the state securities department, the broker-dealer firm itself, or perhaps some combination of these.
The scenario could be further complicated if the product were purchased in a banking institution that also offered financial products through an affiliated securities or insurance operation, because the consumer would then also have the option of going to a banking regulator. Finally, other organizations such as the states' Attorney General offices may also receive complaints from their citizens. Figure 2 illustrates the potential confusion facing a consumer trying to decide which regulator or organization to contact with a complaint about some type of hybrid product.

Figure 2: A Consumer Can Face a Dilemma over Where to Send a Complaint for a Particular Hybrid Financial Product:

[See PDF for image]

[End of figure]

While the focus of our work was not to assess the effectiveness or the quality of the complaints systems of the various regulators, our review of nationwide complaint data collected in both the securities and insurance industries identified numerous examples where complaints received by one regulator also appeared relevant to other regulators. For example, we reviewed data from the complaints system utilized by NASD and its member firms, commonly referred to as NASD's 3070 system.[Footnote 23] In 2002, more than one-third of the complaints recorded in the system were related to annuities or other insurance products, as shown in table 1. NASD indicated that the data on the system captured complaints on variable insurance products as well as fixed insurance products. Oversight of variable life and annuity insurance products falls under the jurisdiction of federal securities regulators (SEC and SROs such as NASD and NYSE) and also typically falls under the jurisdiction of insurance regulators at the state level. Fixed life and annuity insurance products generally fall under the jurisdiction of state insurance regulators.
While state insurance regulators may have an oversight interest in some of NASD's 3070 complaint data, such as understanding the nature of the complaints originating from consumers in their states, they do not have access to the system. NASD officials told us that data reported by member firms under Rule 3070 is generally not shared with insurance regulators, nor is there a requirement to do so.[Footnote 24] Consequently, complaints on products in this system that do not fall under NASD's jurisdiction, such as fixed annuities, are not forwarded to the appropriate regulator.[Footnote 25] State securities regulators we spoke to also mentioned that the 3070 system data is not regularly shared with them.

Table 1: Number of Complaints Recorded in NASD's Rule 3070 System, by Product Type (2000-2002):

Product Type: Annuities; 2000: 2,743; 2001: 4,936; 2002: 5,579.
Product Type: Certificates of deposit; 2000: 7; 2001: 86; 2002: 53.
Product Type: Commodities/futures; 2000: 4; 2001: 6; 2002: 10.
Product Type: Commodity options; 2000: 10; 2001: 9; 2002: 2.
Product Type: Debt - asset backed; 2000: 62; 2001: 49; 2002: 61.
Product Type: Debt - corporate; 2000: 239; 2001: 276; 2002: 287.
Product Type: Debt - foreign; 2000: 10; 2001: 9; 2002: 31.
Product Type: Debt - municipal; 2000: 282; 2001: 220; 2002: 193.
Product Type: Debt - U.S.; 2000: 189; 2001: 130; 2002: 139.
Product Type: Deposit notes; 2000: 0; 2001: 1; 2002: 4.
Product Type: Direct investments; 2000: 242; 2001: 230; 2002: 162.
Product Type: Employee/employer stock option plans; 2000: 12; 2001: 14; 2002: 12.
Product Type: Equity - foreign; 2000: 49; 2001: 42; 2002: 44.
Product Type: Equity - listed; 2000: 4,215; 2001: 3,027; 2002: 2,810.
Product Type: Equity - OTC; 2000: 6,149; 2001: 3,831; 2002: 2,582.
Product Type: Financial futures; 2000: 14; 2001: 2; 2002: 2.
Product Type: Index options; 2000: 55; 2001: 37; 2002: 44.
Product Type: Insurance; 2000: 6,493; 2001: 6,119; 2002: 7,946.
Product Type: Managed/wrap accounts; 2000: 17; 2001: 78; 2002: 128.
Product Type: Miscellaneous; 2000: 3,013; 2001: 3,199; 2002: 3,369.
Product Type: Money markets; 2000: 899; 2001: 381; 2002: 316.
Product Type: Mutual funds; 2000: 5,227; 2001: 5,835; 2002: 5,945.
Product Type: No product identified; 2000: 5,666; 2001: 5,721; 2002: 6,460.
Product Type: Options; 2000: 1,055; 2001: 532; 2002: 429.
Product Type: REITs; 2000: 24; 2001: 43; 2002: 21.
Product Type: Unit investment trusts; 2000: 109; 2001: 97; 2002: 105.
Product Type: Warrants/rights; 2000: 25; 2001: 21; 2002: 24.
Product Type: Wrap accounts; 2000: 335; 2001: 217; 2002: 247.
Product Type: Grand count; 2000: 37,145; 2001: 35,148; 2002: 37,005.
Percent insurance-related[A]; 2000: 25%; 2001: 31%; 2002: 37%.

[A] For each year, the Percent Insurance-Related is the sum of the Annuities and Insurance categories divided by the Grand Count.

[End of table]

We also reviewed nationwide complaint data available in the insurance industry and again found many complaints that could also be relevant to securities regulators. During our review of the available data in CDS maintained by NAIC, we observed examples of complaints on variable life and annuity products that also appeared relevant to securities regulators that have primary jurisdiction over such products. However, because of confidentiality concerns, financial regulators other than state insurance regulators do not have direct access to CDS, though some aggregate data by company is publicly available, as previously mentioned. NAIC officials indicated that the complaint data in CDS is not shared with securities regulators in a routine, systematic fashion.
Challenges to Improve Regulatory Information Sharing Include the Protection of Sensitive Data:

As we reported in previous work, generally speaking the concerns that financial regulators expressed to us about sharing more regulatory information with one another were not technological in nature; rather, they centered around the need to protect sensitive data. In particular, in providing comments on proposals for an information-sharing network, regulators expressed concern over what specific regulatory information might be appropriate to share, the types of entities that would have access to such data, and liability issues surrounding the release of unsubstantiated information. Financial regulators generally did not express concern about sharing basic regulatory history data on closed disciplinary or enforcement actions. The majority of such information is already publicly available, although not necessarily easily accessible. Such information could convey whether an individual was registered in a particular financial industry and any closed regulatory actions tied to the individual's activities in that industry. The threshold of concern rises as the sensitivity of the regulatory data rises, particularly when the information has not been substantiated or pertains to an ongoing investigation. For example, in previous work, several financial regulators pointed out that the untimely release of information on an open investigation could jeopardize that investigation and existing sources of information. Regulators were also concerned about the release of regulatory data to entities or individuals who do not have regulatory authority. In previous testimony, we reported that financial regulators in both the banking and securities industry believed that NAIC's status as a nonregulatory entity was a barrier to releasing regulatory data to it, even though NAIC is comprised of, and operates on behalf of, state insurance regulators.
Also, some financial regulators expressed concern over the varying degrees to which individual states are obligated to protect regulatory information and, thus, the different degrees of protection that could result as such information is released among state regulators. Additionally, regulators brought up concerns about the potential liability associated with disclosing some of the information maintained in their databases. Financial regulators noted that some of their regulatory data are self-reported or otherwise unsubstantiated. Release of unsubstantiated information, particularly with regard to customer complaints and open investigations, raised liability concerns for some regulators. Regulators noted that the appropriate sharing and use of this sensitive data must be considered because of its highly prejudicial nature and the potential detriment to the party in question. Some regulators also questioned whether a proposed system or mechanism for sharing each other's regulatory information would violate the Privacy Act's prohibition against the nonconsensual disclosure of personal information contained in records maintained by federal agencies. While there are numerous exemptions to this prohibition, including the "routine use" exemption,[Footnote 26] regulators cautioned that the Privacy Act and its goal of safeguarding individual privacy should receive due consideration. While the extent of regulatory information that should be shared remains an open question, the regulators we previously contacted generally agreed that some degree of information-sharing capability would be useful. From our past work, most generally supported an approach whereby they would share some basic regulatory information on individuals, such as whether or not they were registered in another financial industry and had a disciplinary record. 
Previously, we suggested that a needs assessment be conducted to determine the data elements most useful to each of the financial regulators and the extent to which each regulatory authority would be obligated to safeguard the data it collects from its industry. A key issue related to such an assessment is balancing one regulator's "need to know" with another's need to safeguard or restrict confidential or sensitive regulatory information. Additionally, from our previous work, financial regulators emphasized that maintaining a centralized database containing all of the regulatory data of each financial industry may be costly and difficult to maintain. They pointed out that the vast majority of applicants were not likely to be carrying a blemished regulatory history from another financial services industry. Nevertheless, most financial regulators appeared to support the concept of an information-sharing approach that allows access to basic regulatory information to flag problems disclosed by regulators in connection with an individual's activities in other financial services industries.

Observations:

Effective regulation depends on many factors. However, one of the most important is the extent to which regulators have access to complete and correct information. Financial regulators face challenges in accessing and sharing information relevant to their oversight responsibilities, including criminal history, regulatory enforcement, and consumer complaint data. We have previously suggested that insurance regulators were at a considerable disadvantage relative to regulators in other financial industries because of their lack of access to FBI criminal history data. This disadvantage continues to be a problem today.
Similarly, in today's world of technological innovation and converging financial markets, better information sharing of both regulatory enforcement and consumer complaint data within and between financial industries would improve the ability of financial regulators to protect both individual consumers and the public at large. In particular, regulators would be better positioned to recognize and reduce the movement of rogues from one industry to another. Furthermore, improving financial regulators' ability to readily access or share relevant consumer complaints in a coordinated, systematic fashion would not only improve their ability to resolve those complaints, but also help them ascertain the overall magnitude of market problems with a given product or company. Moreover, better and more consistent information sharing may facilitate joint efforts to investigate and prosecute fraudulent behavior in the financial services industries. GAO has long advocated better information sharing among financial regulators but recognizes regulators' legitimate concerns in connection with the sharing of sensitive data. Legislative actions will be needed to address issues related to the sharing of sensitive information. Ultimately, the successful implementation of expanded or new information-sharing capabilities or tools will depend on the extent to which protections are in place to make financial regulators feel comfortable in sharing sensitive regulatory information with one another. Difficult issues must be addressed in order to make this a reality, and regulators will have to overcome some level of inertia and resistance to change. The Committee's continued endorsement and encouragement for improvement in the interindustry sharing of criminal and regulatory information should provide an important impetus to succeed.

Agency Comments:

We requested comments on a draft of this correspondence from SEC, NASD, NASAA, and NAIC.
We received general comments and technical suggestions from the Associate Director of the Division of Investment Management of SEC, the Associate Vice President for Government Affairs of NASD, the Director of Policy of NASAA, and the Executive Vice President and Chief Executive Officer of NAIC. Officials from these organizations responded that they generally concurred with the report's findings and message and offered technical suggestions that we incorporated where appropriate.

As agreed with your office, unless you publicly release its contents earlier, we plan no further distribution of this correspondence until 30 days from its issuance date. At that time we will send copies to the Ranking Minority Member of the Committee on Financial Services and to other interested congressional members and committees. We will also make copies available to others upon request. In addition, this report will also be available at no charge on GAO's Web site, http://www.gao.gov.

Please contact me or Lawrence D. Cluff at (202) 512-8678 if you or your staff have any questions about this report. Major contributors to this report were Barry Kirby, Tarek Mahmassani, Angela Pun, Barbara Roesmann, and Paul Thompson.

Sincerely yours,

Signed by:

Richard J. Hillman
Director, Financial Markets and Community Investment:

[End of section]

Enclosure I:

In conducting our work, we reviewed the regulatory oversight structure for different hybrid financial products and also collected and assessed the nature of complaint data received by various financial regulators. To understand the different regulatory entities that could have an oversight interest in a particular hybrid product, we compared and contrasted the regulatory oversight structures associated with three different hybrid financial products--variable annuities, equity-indexed annuities, and viatical settlements.
To assess the extent and nature of regulatory information sharing that occurred between financial regulators, we reviewed how different regulators collected and consolidated consumer complaint data, and highlighted examples where consumer complaints appeared relevant to other regulator(s). The focus of our review was not to assess the quality of the complaint systems data from regulators, though we did collect some basic information related to data quality and known reliability issues, but rather to generally understand the manner in which such data are shared among regulators.

During our work we interviewed and collected information or regulatory data from officials at the National Association of Insurance Commissioners, state insurance regulators, the Securities and Exchange Commission, NASD (formerly the National Association of Securities Dealers), the New York Stock Exchange, the North American Securities Administrators Association, state securities regulators, the National Futures Association, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Federal Deposit Insurance Corporation.

We conducted our work between November 2002 and May 2004 in accordance with generally accepted government auditing standards.

FOOTNOTES

[1] In this report, financial regulators are the regulators of the financial services industries.

[2] In this report, hybrid financial products refer to those products having both insurance- and securities-related features.

[3] The FBI and the National Association of Insurance Commissioners provided information on the state insurance departments authorized to obtain FBI criminal history information.

[4] U.S. General Accounting Office, Insurance Regulation: Scandal Highlights Need for Strengthened Regulatory Oversight, GAO/GGD-00-198 (Washington, D.C.: Sept. 19, 2000); Insurance Regulation: Scandal Highlights Need for Strengthened Regulatory Oversight, GAO/T-GGD-00-209 (Washington, D.C.: Sept. 19, 2000); U.S. General Accounting Office, Financial Services Regulators: Better Information Sharing Could Reduce Fraud, GAO-01-478T (Washington, D.C.: Mar. 6, 2001).

[5] NAIC, formed in 1871, is a voluntary organization of the chief insurance regulatory officials of the 50 states, the District of Columbia, and four U.S. territories. It does not have regulatory authority over the state insurance departments. NAIC provides a forum for the development of uniform policy when uniformity is deemed appropriate. It assists state insurance regulators by offering financial, actuarial, legal, computer, research, market conduct, and economic expertise to carry out financial and consumer protection oversight functions.

[6] Under 18 U.S.C. § 1033, a person who has been convicted of any criminal felony involving dishonesty or a breach of trust or any offense described in the section may engage in the business of insurance only through the written consent of an insurance regulatory official authorized to regulate the insurer.

[7] GAO-01-478T.

[8] Pub. L. No. 106-102 (1999). In Subtitle C of Title III, GLBA called for a majority of states to either adopt uniform producer licensing laws or reciprocate with other states in the licensing process by November 2002 to avoid the establishment of a body, the National Association of Registered Agents and Brokers, which would take over producer licensing functions from the states. In 2002, NAIC certified that the majority of states satisfied the provisions in GLBA by reciprocating with other states in the licensing process. However, some states did not reciprocate at the time because they were reluctant to accept industry applicants who were licensed in other states that use less stringent licensing standards.

[9] U.S. General Accounting Office, State Insurance Regulation: Efforts to Streamline Key Licensing and Approval Processes Face Challenges, GAO-02-842T (Washington, D.C.: June 18, 2002).

[10] Regulatory background information would, among other things, include the licensing or registration status and employment history of an individual.

[11] For the purposes of this report, the term "federal banking regulators" includes the Federal Reserve Board, Office of the Comptroller of the Currency, Office of Thrift Supervision, Federal Deposit Insurance Corporation, and National Credit Union Administration.

[12] NASAA, organized in 1919, is a voluntary association whose membership consists of 66 state, provincial, and territorial securities administrators in the 50 states, the District of Columbia, Puerto Rico, Canada, and Mexico. In the United States, NASAA represents the 50 state securities agencies and provides information and expertise related to capital formation and investor protection.

[13] Under section 604 of the Sarbanes-Oxley Act, Pub. L. No. 107-204 (2002), SEC may consider the regulatory history of an individual in deciding on the individual's fitness for registration as a broker, dealer or investment advisor. Specifically, the SEC is authorized to limit, suspend, or revoke the registration of persons who have been barred or subjected to sanctions by a state securities, banking, or insurance regulator because of fraudulent, manipulative, or deceptive conduct. See 15 U.S.C. § 78o (b)(4)(H) (2000 & 2003 Supp.).

[14] Regulatory oversight of some hybrid products could change over time, as debates continue over which regulatory entity is best suited for a particular product. For instance, a key debate among financial regulators is whether or not sales of variable life and annuity products should be regulated as insurance or securities products at the state level.
State securities regulators have argued that they have greater securities-related expertise and more comprehensive oversight to help ensure that sales of such products are suitable for the investor as compared to their insurance counterparts. Securities regulators also maintain that they have more enforcement authority and tools to pursue cases of sales practice abuse tied to variable products. In contrast, insurance regulators and industry representatives maintain that oversight of variable products as securities at the federal level coupled with oversight as insurance at the state level is sufficient. Parties opposed to state securities oversight of variable product sales argue that such a regulatory framework would create "four layers" of regulatory oversight--SEC, NASD, state insurance departments, and state securities departments--resulting in greater costs and duplicative regulatory functions. Recently, both securities and insurance regulators have each developed legislative proposals to help strengthen their regulatory authority over sales practices tied to sales of variable insurance products.

[15] Variable annuities were first introduced in the 1950s and are a multibillion dollar business in the United States, with sales of variable products exceeding $94 billion through the first three quarters of 2003. Variable annuities are designed to provide tax deferral benefits of annuities. Under an annuity contract, an insurer agrees to make a series of payments for a specified period or for the life of the contract holder, providing insurance against the possibility that the contract holder will outlive his or her assets during the period covered under the contract. The payments are either fixed or may vary from payment to payment. The cash value of the contract is invested in an insurer account, which offers the contract holder a number of investment options. The contract holder's premiums are typically allocated to mutual funds that invest in stocks, bonds, money market instruments, or some combination thereof. The values of the investment and the periodic payments vary, much like a securities product, depending on the performance of the chosen investment option. Variable annuities also have a death benefit. If a contract holder dies before the insurer has started to make payments, a designated beneficiary is guaranteed to receive a specified amount of money.

[16] Equity-indexed products are annuities or life insurance contracts on which the returns from the annuities are credited to contract holders using a fixed formula based on changes in an equity index such as the S&P 500. Equity-indexed annuities are different from fixed annuities because they credit interest using a formula based on changes in the index to which the annuity is linked. However, equity-indexed annuities are similar to fixed annuities in that they guarantee a minimum interest rate. The annuities are designed to protect holders against severe downturns in the market. Total sales of equity-indexed annuities during 2002 reached approximately $13 billion.

[17] On August 20, 1997, SEC solicited comments on a Concept Release concerning the structure of equity index insurance products, the manner in which they are marketed, and other matters of consideration in addressing federal securities law issues raised by equity index insurance products (Release No. 33-7438; File No. S7-22-97).

[18] Viatical settlements are a more recent hybrid product, developed in the late 1980s. Sales of viatical settlements have grown from $90 million in 1991 to approximately $1 billion in 2000. Viatical settlements are contracts under which investors purchase an interest in the life insurance policies of terminally ill individuals. When the insured individuals die, the investors receive the benefit of the insurance. More specifically, investors purchase policies (or parts of policies) at prices below the value of the death benefits. Because of uncertainties in predicting when someone will die, these investments are extremely speculative. If the seller dies sooner than expected, an investor may receive a higher return. But if the seller lives longer than expected, the return will be lower. An investor can lose part of or all of his/her principal investment if the person lives long enough that the investor has to pay additional premiums to maintain the policy. This element of risk is a securities feature of viatical investments.

[19] Securities and Exchange Commission v. Life Partners, Inc., 87 F.3d 536 (D.C. Cir. 1996), reh'g denied, 102 F.3d 587 (D.C. Cir. 1996). The SEC has taken action for fraud against enterprises that sell securities backed by viatical settlements, however. See SEC Litigation Rel. No. 18346 (Sept. 11, 2003).

[20] In May 2004, SEC and other federal and state regulators shut down the operations of Mutual Benefits Corp. in Florida to halt an alleged billion dollar fraudulent securities offering. Regulators are attempting to recover what is left of the $1 billion on behalf of investors in this scandal, which follows several other scandals in the viatical industry in recent years. In February 2002, the House Financial Services Committee held a hearing on fraudulent activities taking place in conjunction with viatical sales in the marketplace.

[21] NASAA officials indicated that they send their members an annual survey focusing on completed enforcement actions. In addition, from time to time, NASAA surveys its members on a variety of specific issues, often in response to requests for information from congressional committees. NASAA officials also mentioned that the last two surveys included a question designed to gather information on the number of complaints received.
[22] NAIC has implemented the Consumer Information Source (CIS), an application available from its Web site, with public disclosure of aggregate complaint data by company on a state-by-state basis. Consumers may access the following from CIS: (1) the total number of complaints for a selected company in each state, (2) the total number of complaints by type of coverage, (3) the reason the complaint was filed and disposition of the complaint, (4) the ratio of a company's market share of complaints compared to the company's market share of premiums for a specific policy type, and (5) the total complaint counts by year with the percent change of counts between years.

[23] NASD Rule 3070 requires that member firms record certain information on consumer complaints received for statistical and regulatory oversight purposes.

[24] NASD does refer insurance-related complaints to insurance regulators that are received directly from investors.

[25] Individual sales agents are often dually registered as broker-dealers as well as insurance agents, allowing them to engage in sales of products regulated as securities by SEC and NASD (e.g., variable annuities), as well as products generally regulated solely as insurance by state insurance regulators (e.g., fixed annuities).

[26] The routine use exemption permits nonconsensual disclosure of personal information when the internal use of the information that is disclosed is compatible with the purpose for which it was originally collected.