A: Yes, they do include risk management.
United States industry regularly uses personal information for risk management purposes. Financial organizations routinely use information about a person's operational relationship with the institution, including the information about a person's transactions or experience with the organization, to help combat fraud, manage other business risk, or ensure a person's ability to pay or qualify for various services.
In the United States, a bank's affiliated credit card issuer may monitor the bank customer's credit card activity and report to the bank unusual patterns that may signal that the card has been stolen or used fraudulently. Many banks subsequently will telephone the customer directly to confirm the validity of the sudden unusual pattern of charges, thus protecting the customer and the institution from potential losses. Permitting a customer to opt out of having such information sharing could harm the customer and increase losses for the institution.
Information on a customer's mortgage payment activity with a mortgage bank affiliate is an important signal of the customer's capability for making timely payments on a loan from a commercial bank in the same corporate family. Customers who routinely make late mortgage payments might choose to prevent this information from being shared. Permitting high risk customers and fraud perpetrators to opt out of such information sharing would increase the business risk of establishing or maintaining a commercial or financial relationship with the customer. Such self-selection by high risk customers could undermine an organization's profitability and financial integrity and would also undermine the smooth functioning of credit markets generally.
Financial organizations also routinely use this information to identify customers for better pricing on products or services or to be more responsive to customer inquiries. For example, a consumer who keeps a high balance in a non-interest bearing checking account might be directed to a different bank product that has better yield.
With regard to insurance specifically, risk management is the practice of analyzing all noncompetitive exposure to risk (such as health and workplace hazards) or loss (by fortuitous or accidental means) and taking steps to minimize those potential or real losses to levels acceptable to an organization. United States industry regularly uses personal information for risk management purposes. Property and casualty insurers use accident data to evaluate and improve safety standards in homes and the workplace and for automobiles. The insurance industry also uses personal information to detect and track fraud and other criminal activity, such as arson. The detection and reduction of fraudulent and criminal activity directly benefits the public by lessening the impact of such behavior on the costs of insurance.
On the whole, the gathering and use of information is essential to evaluating
a risk at the outset of an insurance transaction, servicing the risk during
the policy period, and determining the extent to which losses can be controlled
following a claim under a policy. Access to relevant personal information
is especially critical in statutorily-mandated areas of coverage, such
as workers' compensation insurance, where state governments have mandated
a benefit delivery system. In these instances, an insurer needs to be able
to access medical information in order to perform functions required by
statute, such as the evaluation of an injured employee's claim, the management
of that employee's medical treatment (which is designed to ensure a swift,
yet safe return to work), and the evaluation of loss data which will assist
employers in reducing the risk of future loss.
*The European Commission is evaluating whether all the risk management activities covered here are related to the public interest.