
March 31, 2000

Ms. Jennifer Johnson
Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Ave., N.W.
Washington, D.C. 20551
Attention: Docket No. R-1058

Communications Division
Office of the Comptroller of the Currency
250 E. Street, SW
Washington, DC 20219
Attention: Docket No. 00-05

Mr. Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, NW
Washington, DC 20580
Attention: Gramm-Leach-Bliley Act
Privacy Rule, 16 CFR Part 313--Comment

Manager
Dissemination Branch
Records of Management & Information Policy
Office of Thrift Supervision
1700 G. Street
Washington, DC 20552
Attention: Docket No. 2000-13

Re: Federal Banking Agencies on the Proposed Rules that Implement the Financial Privacy Provisions of the Gramm-Leach-Bliley Act

Dear Sir or Madam:

The Securities Industry Association ("SIA")[1] appreciates the opportunity to comment on the proposed rules issued by your agency to implement the financial privacy provisions of the Gramm-Leach-Bliley Act ("GLB Act"). SIA supported the enactment of the GLB Act and we commend the effort to draft rules that are consistent with the goals of the legislation's privacy provisions. Although protecting the privacy of customer financial information has always been of utmost importance to the securities industry, we believe that the GLB Act and the implementing regulations provide extensive protections to customer financial information. SIA has filed a detailed letter commenting on the proposed privacy rule issued by the Securities and Exchange Commission, the primary regulator for our member firms, which include investment banks, broker-dealers and mutual fund companies. A copy of that letter is enclosed herewith.

The purpose of this letter is to highlight concerns of our member firms that are common to all of the privacy regulations issued by the regulatory agencies under the GLB Act. We believe this is important because many of our member firms are now or may become affiliated with institutions subject to your regulations and because the regulatory agencies are required to issue final regulations that are "consistent and comparable." We hope you will consider these comments when drafting your agency's final rule.

Flexibility in Compliance

The rule should allow financial institutions the greatest possible flexibility in structuring their compliance efforts. Allowing for such flexibility in the rule's requirements is critical because financial institutions vary in the kind and size of their operations, personnel, customer base, and the types of services and products they offer. Rapidly advancing technology, which is changing the way financial services firms do business at an ever-expanding clip, also dictates that the rule's requirements be flexible in order to allow institutions to adapt. For these reasons, the rule should allow institutions the utmost flexibility to adopt the procedures best suited to their business.

Consistency Across Industries

The final rules adopted by each agency should be harmonized with those adopted by the other agencies. This is required by the GLB Act, which provides that to the extent possible "the regulations prescribed by each agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities." SIA urges the regulatory agencies to coordinate their efforts in drafting final rules. In order to achieve the intent of the GLB Act -- affiliations of securities, banking and insurance firms -- the regulations must be applied consistently and evenly across the financial services industries. Differing approaches and regulations by the various agencies will be burdensome and costly for the industry, confusing for consumers, and act as a disincentive for institutions to form the affiliations contemplated by the GLB Act.

Workable Definition of Nonpublic Personal Information (§__.3(n) and (o))

With regard to the definition of "nonpublic personal information," we urge the adoption of Alternative B. The Alternative A definition is unworkable because it would require financial institutions to maintain records of the source from which publicly available information was initially obtained. Clearly, the source from which a financial institution obtained information should not matter if that information is publicly available. Such an approach has no ill effects because consumers should have no expectation of privacy for information that is publicly available.

In addition, SIA believes that the rule's definition of "personally identifiable financial information" goes far beyond Congress' mandate to protect financial information relating to the consumer. The rule encompasses virtually all personally identifiable information in the possession of a financial institution. The proposal (§__.3(o)(1)) defines nonpublic personal information to include "personally identifiable financial information," which in turn is defined to include "any information (i) provided by a consumer to [the financial institution] to obtain a financial product or service from [the financial institution]; (ii) about a consumer resulting from any transaction involving a financial product or service between [the financial institution] and a consumer; or (iii) [the financial institution] otherwise obtain[s] about a consumer in connection with providing a financial product or service to that customer." We recommend that the rule be amended to clarify, consistent with Congressional intent, that not all information relating to a customer within the possession of a financial institution would necessarily fall within the scope of the rule.

SIA also suggests that the definition of "personally identifiable financial information" should expressly provide that only "personally identifiable" financial information obtained by a financial institution about a consumer falls within the definition. This would exclude from the definition of nonpublic personal information aggregated information and other data that do not contain any indicators of personal identity. We recognize the privacy concerns relating to information, such as lists, descriptions or groupings of consumers, that is derived from personally identifiable financial information if such aggregated information identifies consumers by name or other specific identifier (such as street addresses or telephone numbers). However, such privacy concerns do not exist for aggregated information that does not contain any identifying information. Clearly, Congress did not intend the GLB Act to protect aggregated or other "blind" information that could not be identified with particular consumers or customers.

Flexibility in the Timing of Privacy Notices (§__.4 and §__.5)

The proposed rule requires a financial institution to provide the initial disclosure notice to a consumer "prior to" the time the consumer establishes a customer relationship with the financial institution. As written, the requirement will be extremely burdensome, impractical, and confusing for consumers, who will likely receive multiple notices from financial institutions. Moreover, this provision is contrary to the GLB Act, which requires that a financial institution must provide the initial notice "at the time" of establishing a customer relationship. SIA, therefore, recommends that the rule allow for notice to be provided at the same time as other disclosures that are furnished to new accountholders.

We also suggest that the rule clarify that affiliated institutions are permitted to prepare a joint privacy notice when a consumer enters into a customer relationship with any one of the affiliated institutions. In such circumstances, the other affiliated institutions should not be required to deliver the notice again if the customer later enters into a relationship with one of them, as long as the previously provided notice includes the information required for the new customer relationship.

Furthermore, we recommend that the rule permit annual notices to be provided to customers at least once during each calendar year in which the relationship continues rather than during each 12-month period. This will allow institutions, which typically send their annual notices to customers at one time each year, the most flexibility in satisfying the GLB Act's requirement.

Content of Notices Limited to Categories of Information (§__.6)

SIA is concerned that the proposed rule and the accompanying examples may be interpreted in a way that would convert a requirement to disclose general classes of information collected and shared and categories of affiliates or third parties into a requirement to disclose far more detailed information (e.g., the sources of information collected, the lines of business engaged in by entities to whom information is disclosed, and illustrative examples of the information collected from each source). As a result, even the disclosure of a readily understood category (such as information from the customer's own "application") might be interpreted as inadequate unless accompanied by examples (such as "name, address and Social Security number"). Financial institutions should be permitted to use broad-based descriptions of the categories of nonpublic information disclosed and categories of institutions to which such information may be disclosed. Furthermore, the more detailed the categories are, the less likely large financial institutions will be able to provide one consistent and clear disclosure to customers. Consequently, customers would receive multiple and partly redundant disclosures. In fact, an overly detailed privacy notice may actually be counterproductive to the privacy interest of customers and consumers because they will be less likely to read numerous lengthy and detailed statements of privacy policies received from multiple financial institutions.

Control Over Method of Opt-Out (§__.8)

SIA requests that the proposed rule be revised to reflect that a financial institution may determine the procedures its customers and consumers may use to opt out of information sharing, and that an institution would not be obligated to process an opt-out request that does not conform to its procedures (e.g., a list of names collected by a third party that does not include account numbers or other identifiers needed by the firm to process the request). We also suggest that the regulations provide that opt-out notices should only be effective if given directly to the institution by the consumer or customer.

Grandfathering of Existing Joint Marketing and Service Agreements (§__.9)

SIA also suggests that all joint marketing and servicing agreements executed between financial institutions and their vendors as of November 12, 1999 be grandfathered. Many institutions currently have agreements in place that require their contracting partner service providers or joint marketers generally to ensure the confidentiality of customer information provided under the agreement. Unless existing agreements are grandfathered, institutions would be required to conduct detailed reviews of all service provider or joint marketing agreements currently in force (and expired agreements, to the extent that vendors may still possess the firm's customer information) to ensure that the agreements require the vendor to treat the consumer information according to the financial institution's standards. However, the cost of such a review would exceed any relative benefit that could be obtained. Therefore, the rule should not apply retroactively, and existing agreements should be grandfathered. Alternatively, the rule should establish by example that institutions may comply with respect to existing contractual relationships by sending a notice to all vendors informing them of the GLB Act and the rule's requirements, and clearly establishing that the agreement and performance thereunder are governed by such requirements.

Clarify When Disclosure of Account Numbers Is Permissible (§__.13)

SIA requests that the rule clarify that the prohibition under rule §__.13 applies only to disclosing account numbers and passwords to nonaffiliated third parties who are not subject to one of the exceptions under rules §__.9, §__.10, and §__.11. While SIA recognizes the sensitivity of customer account numbers and passwords, we nevertheless believe that the rule should include a limited exception for disclosure with customer consent even when the nonaffiliated third party does not fall within rules §__.9, §__.10, and §__.11. Comment was invited on whether the proposed rule should permit the disclosure of encrypted account numbers if the financial institution does not provide the marketer the key to decrypt the number. SIA urges that the rule be revised to specifically permit the sharing of encrypted or truncated numbers.

Reconsider the Effective Date

We strongly urge that the effective date be extended, as agencies are authorized to do under the GLB Act, at least until May 14, 2001. This is vital in order to provide an orderly transition and to allow financial institutions the necessary time to implement firm-wide operational changes throughout all of their systems. SIA believes that an effective date of November 13, 2000, would result in the mailing of millions of notices to consumers in December, the peak of the holiday season, which would be ill-timed for consumers, financial institutions and the U.S. mail system. Indeed, consumers may not be able to focus on these notices in the midst of the holiday mail deluge.

We respectfully suggest that the November date be considered as the beginning of a voluntary compliance period that would end on May 14, 2001, when mandatory compliance would begin. The establishment of a voluntary compliance period would enable financial institutions to use first quarter account statement mailers as a means to satisfy the initial notice requirement. In light of the regulatory and consumer focus on privacy issues, we believe that as a competitive matter, firms will have an incentive to comply fully with the regulation as early as possible.

Additional time is crucial to enable institutions to fully implement the operational changes necessary to comply with their obligations. All financial institutions will need to (1) establish and implement new procedures and train associates with regard to the delivery of the notice and customer questions that may ensue; (2) implement new procedures for providing opt-out methods to customers; (3) hire and train staff for receiving and handling any opt-outs from customers; and (4) evaluate arrangements with nonaffiliated third parties to determine what additional obligations must be imposed. Only after all these procedures have been addressed will firms have sufficient information to request computer system enhancements, which will take significant lead time, resources and money to implement. Moreover, completing these changes in a hasty manner, given the broad scope of the changes, will likely result in mistakes or confusion on the part of the firm, associates and customers alike.

Conclusion

SIA applauds the regulatory agencies for proposing rules that attempt to balance the privacy needs of consumers with the regulatory burdens imposed on financial institutions. We hope that our comments are helpful. If we can provide any further information, please contact Alan E. Sorcher, Assistant Vice President and Assistant General Counsel at (202) 296-9410.

Sincerely,

Stuart J. Kaswell
Senior Vice President and General Counsel

Footnotes:

[1] The Securities Industry Association brings together the shared interests of more than 740 securities firms throughout North America to accomplish common goals. SIA member firms (including investment banks, broker-dealers, and mutual fund companies) are active in U.S. and foreign markets and in all phases of corporate and public finance. The U.S. securities industry manages the accounts of more than 50 million investors directly and tens of millions of investors indirectly through corporate, thrift and pension plans. The industry generates more than $300 billion of revenues yearly in the U.S. economy and employs more than 600,000 individuals.