Updated as of: January 23, 2003
Staff Responses to Questions about Regulation S-P
The staff of the Division of Investment Management has prepared the following responses to questions about Regulation S-P, which implements the privacy provisions in Title V of the Gramm-Leach-Bliley Act ("GLBA").1 The adopting release for Regulation S-P2 can be found at: www.sec.gov/rules/final/34-42974.htm. These responses represent the views of the staff of the Division of Investment Management. They are not a rule, regulation, or statement of the Securities and Exchange Commission, and the Commission has neither approved nor disapproved this information.
Scope of Regulation S-P
Q: Does Regulation S-P3 apply to a financial institution, such as a "hedge fund," that meets the criteria for exclusion from regulation under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 ("ICA")?
A: No. GLBA authorized the Commission to adopt and enforce rules implementing GLBA with respect to "investment companies" under the ICA.4 A financial institution5 that meets the criteria in sections 3(c)(1) or 3(c)(7) of the ICA is not an "investment company" under that statute, and therefore is not subject to Regulation S-P.6 GLBA gives the Federal Trade Commission regulatory authority for any financial institution that is not subject to the jurisdiction of any other regulator under that Act.7
Consumer and Customer Relationship
Q: Does a wrap account client who has a written contract with the wrap account sponsor, but not with the wrap account's investment adviser, have a customer relationship with the investment adviser?
A: Yes. Regulation S-P defines a customer relationship as a continuing relationship between a consumer and a financial institution.8 Examples of a customer relationship include an individual who has an advisory contract with an investment adviser.9 Division staff has stated that for purposes of the brochure delivery rule under the Investment Advisers Act,10 a contractual relationship exists between a wrap account client and the portfolio manager, even in the absence of a written contract.11 We believe the same analysis applies under the privacy rules, and therefore that a wrap account client has a customer relationship with the portfolio manager for purposes of Regulation S-P.12
Q: Does an investment adviser that has only institutional clients, including pension plans, have customers to whom the adviser must provide privacy notices under Regulation S-P?
A: No. Regulation S-P requires an investment adviser to provide certain privacy notices to its customers and consumers.13 Under the regulation, a "consumer" or a "customer" must be an individual.14 Therefore a client that is not an individual, such as a pension plan, is neither a consumer nor a customer of the adviser.15
Q: Is an individual who purchases investment company ("fund") shares through a broker-dealer a customer of the fund under Regulation S-P even if the fund has no direct contact with the individual?16
A: Yes, if the individual owns the fund shares in his or her own name. The examples in Regulation S-P provide that an individual who is the record holder of fund shares is the fund's customer.17 If the broker-dealer is the record holder of fund shares for the benefit of the individual, the individual would not be a fund customer under Regulation S-P.18
Q: Can an initial or annual privacy notice be incorporated into another document (such as an account statement, annual report, prospectus, trade confirmation, Form ADV, or adviser's brochure)?
A: Regulation S-P does not prohibit financial institutions from combining a privacy notice with another document.19 Any privacy notice, however, must be clear and conspicuous.20 Therefore a privacy notice that is combined with another document must be distinct from and not hidden in other information in the document.21 In addition, a financial institution must deliver a privacy notice to customers each year even if other information in the combined document need not be delivered annually (such as an investment adviser's brochure).22
Q: Regulation S-P permits a financial institution to deliver a single annual privacy notice to multiple customers who share an address ("household") if the notice is in or accompanies a shareholder report or a prospectus delivered under the Commission's householding rules.23 Can a fund satisfy the annual privacy notice requirement by delivering the notice in or with documents that are delivered to multiple shareholders at the same address ("householding"), even if those documents (such as account statements) are not covered by the Commission's householding rules?
A: Yes, if the fund obtained consent to household those types of documents in the manner set forth under the Commission's householding rules.24
Q: Regulation S-P requires that funds deliver: (i) an initial privacy notice to new customers not later than when the customer relationship is established, and (ii) an annual privacy notice to all customers. Regulation S-P also requires, as a one-time phase-in of the initial notice requirement, that funds deliver by July 1, 2001 an initial privacy notice to each individual who is a record owner of fund shares as of that date.25 As noted in the response to question 7 above, funds may include an annual privacy notice in or with certain documents that are householded under Commission rules. Can a fund also household the initial privacy notice that must be sent to existing customers by July 1, 2001?
A: Yes, in certain circumstances. Regulation S-P permits householding of annual privacy notices because the Commission believed that customers whose documents are householded also would consent to having their annual privacy notices householded.26 The Commission was unwilling to make the same assumptions for customers whose documents are not householded.27 The Commission also did not permit broker-dealers, funds, or investment advisers to household initial notices.28 A customer must receive an initial notice no later than when the customer relationship is established, and therefore is likely to receive the initial notice before he or she has notice of householding. The concern that a fund might provide a single initial notice to new customers who are unaware that documents will be householded does not extend, however, to the initial notice provided to existing customers (by July 1, 2001) whose documents are householded. Accordingly, the staff would not recommend enforcement action to the Commission if, prior to July 1, 2001, a fund households initial privacy notices (i) in the manner provided for householding annual privacy notices,29 or (ii) for documents that do not fall under the Commission's householding rules, as provided in the response to question 7 above.
The staff's position would not permit a fund to household an initial notice that is combined with an opt out notice.30 Regulation S-P does not permit financial institutions to household opt out notices. An opt out notice must provide a reasonable means for the consumer (or customer) to opt out,31 and the Commission did not assume that customers whose disclosure documents are householded would consent to householding the means by which the customer must exercise his or her right to opt out.32 Therefore, if a fund is required to deliver opt out notices (because, for example, it shares information with nonaffiliated parties outside of an exception), the fund cannot household delivery of the opt out notices.33
Q: Can a fund deliver to a customer with multiple accounts a single initial or annual privacy notice that applies to all the accounts?
A: An institution must provide privacy notices so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.35 An institution cannot reasonably expect that all its customers will receive actual notice in writing of a privacy notice that is posted at a particular location, whether that location is an advertising site, the institution's premises, or the institution's web site.36 As provided in the examples in Regulation S-P, an institution may reasonably expect that a consumer (or customer) will receive actual notice if, for a consumer (or customer) who conducts transactions electronically, the institution posts the notice on the website and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.37 The examples also provide that an institution may reasonably expect that a customer will receive actual notice of the institution's annual notice, if the customer uses the institution's web site to access financial products and services electronically and agrees to receive notices at the web site, and the institution posts its current privacy notice continuously in a clear and conspicuous manner on the web site.38
Q: Can a fund provide the initial privacy notice to a new customer after the customer invests, when it delivers the fund's prospectus and confirmation?
A: No. GLBA requires a fund to provide an initial notice to customers no later than the time the customer relationship is established. Regulation S-P provides that an individual establishes a customer relationship with a fund when the individual purchases fund shares in his or her own name (i.e., the trade date).39 Thus, an initial privacy notice provided with a prospectus and confirmation would need to be provided to the investor no later than the trade date.
Regulation S-P provides exceptions to this delivery rule in certain circumstances. A fund may provide the initial privacy notice within a reasonable time after it establishes a customer relationship if: (i) establishing the customer relationship is not at the customer's election; (ii) providing notice no later than when the fund establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time; or (iii) a nonaffiliated broker or dealer establishes a customer relationship between the fund and a consumer without the fund's prior knowledge.40
A: GLBA requires a fund to provide an initial privacy notice to customers not later than the time the customer relationship is established. An individual establishes a customer relationship with an insurance company separate account when the individual purchases a variable annuity or variable life contract (i.e., the date the separate account issues the contract).42 Thus, the separate account must provide an initial privacy notice to its customer not later than the time it issues the contract.
Q: If a variable annuity or variable life contract provides for a full refund of the purchase payments upon rescission by a new customer during the "free-look" period,43 can an insurance company separate account provide the initial privacy notice to the customer when it delivers the variable contract before the end of the free-look period?
A: Yes. The release adopting Regulation S-P states that in most circumstances, a fund (including an insurance company separate account) "should give the initial notice at a point when the consumer still has a meaningful choice about whether to enter into the customer relationship."44 If an investor may fully recover investment costs upon rescission of the contract, then, as of the date the variable contract is delivered, the investor still has a meaningful choice as to whether there will be a continuing relationship.45 In those circumstances, the staff would not recommend enforcement action to the Commission if an insurance company separate account provides the initial privacy notice to the investor when it delivers the variable annuity or variable life contract before the end of the free-look period.46
Q: When must a closed-end fund provide an initial privacy notice to new investors who purchase fund shares on the secondary market?
A: Closed-end funds are subject to the same initial privacy notice delivery requirements as open-end funds (see response to question 11 for these requirements). Therefore, if an investor buys shares of a closed-end fund that he or she does not already own through a broker or dealer affiliated with the fund, the fund must provide an initial privacy notice to the investor no later than when the fund establishes the customer relationship (i.e., when the investor purchases fund shares in his or her own name).47 If an investor purchases the shares of a closed-end fund that he or she does not already own through a broker or dealer unaffiliated with the fund, the fund would have a reasonable time to provide an initial notice to the investor after the customer relationship is established.48 Under these circumstances, a "reasonable time after . . . establish[ing] a customer relationship" includes a reasonable time after the fund learns of the customer's purchase of the fund shares.
Exceptions to Opt Out
Q: Must an investment adviser permit its customers to opt out before the adviser shares nonpublic personal information about the customers with (i) a nonaffiliated broker-dealer in order to execute trades on behalf of the customers or (ii) a nonaffiliated custodian that holds securities on behalf of the customers?
A: No. Regulation S-P permits financial institutions in certain circumstances to share nonpublic personal information about consumers (and customers) with nonaffiliated third parties without providing them with notice of and opportunity to opt out.49 These circumstances include sharing information with a nonaffiliate (i) as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, (ii) in connection with processing or servicing a financial product or service a consumer authorizes, and (iii) in connection with maintaining or servicing the consumer's account with the institution.50 Under these exceptions, an investment adviser need not provide a customer the opportunity to opt out before sharing nonpublic personal information about the customer with (i) a nonaffiliated broker-dealer in order to execute trades the customer has authorized and (ii) a nonaffiliated custodian that holds securities on behalf of the customer.
Monitoring Third Parties
Q: Is an investment adviser responsible for the privacy policies of broker-dealers that execute transactions the adviser's clients have authorized, or of funds that the adviser recommends to its clients?
A: No. A financial institution is not responsible under Regulation S-P for the privacy practices of a nonaffiliated third party with whom the institution shares information under an exception listed in sections 248.14 or 248.15 (such as a broker that executes transactions the client has authorized). Regulation S-P limits the ability of these nonaffiliates to use and share information they have received in those circumstances.51 If the nonaffiliate receiving the information under an exception is a broker-dealer, fund, or investment adviser registered with the Commission, the Commission could enforce the provisions of Regulation S-P with respect to the nonaffiliate.52
1 Pub. L. No. 106-102, 113 Stat. 1338, §§ 501-527 (1999) (codified at 15 U.S.C. §§ 6801-6827). The staff responses were first issued on April 9, 2001, and have been updated, as noted above.
2 Privacy of Consumer Financial Information (Regulation S-P), Investment Company Act Release No. 24543 (June 22, 2000) [65 Fed. Reg. 40334 (June 29, 2000)] ("Adopting Release").
3 See 17 CFR Part 248; Adopting Release, supra note 2.
4 See GLBA, supra note 1, §§ 504(a)(1), 505(a)(4). GLBA also gave the Commission regulatory authority under the Securities Exchange Act of 1934 with respect to broker-dealers, and under the Investment Advisers Act of 1940 with respect to investment advisers registered with the Commission. Id. §§ 504(a)(1), 505(a)(3), (5).
5 GLBA defines "financial institution" to mean "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956." Id. § 509(3)(A).
6 See 15 U.S.C. 80a-3(c)(1) (issuer whose outstanding securities are owned by no more than 100 persons and that is not making and does not propose to make a public offering of its securities is not an investment company); 15 U.S.C. 80a-3(c)(7) (issuer whose securities are owned only by "qualified purchasers" and that is not making and does not propose to make a public offering of its securities is not an investment company).
7 See GLBA, supra note 1, at §§ 504(a)(1), 505(a)(7). Under GLBA, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision are the regulators for national and state banks; the National Credit Union Administration is the regulator for federally insured credit unions; and state insurance authorities are the regulators for insurance providers. Id. § 505(a)(1), (2), (6). In addition, the Commodity Futures Modernization Act of 2000 ("CFMA") provides that the Commodity Futures Trading Commission ("CFTC") is the regulator, for purposes of GLBA, for futures commission merchants, commodity trading advisors, commodity pool operators, and introducing brokers subject to the CFTC's jurisdiction under the CFMA. CFMA, Pub. L. No. 106-554, § 124, 114 Stat. 2763, 2763A-411 (2000).
8 17 CFR 248.3(k)(1).
9 See 17 CFR 248.3(k)(2)(B).
10 See 17 CFR 275.204-3.
11 See National Regulatory Services, Inc., SEC No-Action Letter (Dec. 2, 1992) ("NRS") at n.4.
12 It may be unclear when the customer relationship with the portfolio manager is established in a wrap account and, therefore, when the portfolio manager must provide the initial notice to the customer. Regulation S-P provides that a customer relationship is established when the consumer enters into a contract with the adviser. See 17 CFR 248.4(c)(3)(iii). The staff has previously stated that it believes the contractual relationship arises no later than the time the portfolio manager begins to provide services to the client. See NRS, supra note 11, at text following n.4. Therefore, a portfolio manager must provide an initial privacy notice to a wrap account client no later than when it begins to provide services to the client.
13 The adviser must provide to customers: (i) an initial privacy notice generally not later than when the customer relationship is established, and (ii) an annual privacy notice after that. 17 CFR 248.4(a)(1), 248.5(a)(1). See also 17 CFR 248.8 (requiring a financial institution to provide a revised privacy notice before sharing nonpublic personal information about a consumer with a nonaffiliate other than as described in the initial privacy notice provided to the consumer). If an adviser intends to share nonpublic personal information about a consumer with a nonaffiliated third party (other than under an exception), the adviser must provide the consumer with an initial notice and opportunity to opt out of the sharing. 17 CFR 248.10(a)(1).
14 See 17 CFR 248.3(g)(1) (a "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution primarily for personal, family, or household purposes, or that individual's legal representative); 17 CFR 248.3(j), 248.3(k)(1) (a "customer" is a consumer who has an ongoing relationship with the institution).
15 See Adopting Release, supra note 2, at n.43. Beneficiaries of a pension plan that is the adviser's client also would not be the adviser's customers. Any individual accommodation clients to whom the adviser provides personal financial services would, however, be the adviser's customers for purposes of Regulation S-P.
16 Funds may have indirect contact with individual shareholders, who receive fund prospectuses and shareholder reports through a broker-dealer.
17 See 17 CFR 248.3(k)(2)(i)(C). See also Adopting Release, supra note 2, at text preceding n.59.
18 A fund may receive nonpublic personal information about a beneficial shareholder from a broker-dealer under an exception in sections 248.14 or 248.15 (to provide tax information directly to the shareholder for example). See 17 CFR 248.14, 248.15. A fund that receives nonpublic personal information about shareholders under an exception in sections 248.14 or 248.15 is limited in the ways in which it can share or use that information. See 17 CFR 248.11(a).
19 See Adopting Release, supra note 2, at text following n.28 (discussion of combined notices). See also 17 CFR 248.3(c)(2)(ii)(E) (examples of methods for making a privacy notice "clear and conspicuous" when it is combined with another document).
20 See 17 CFR 248.4(a)(1), 248.5(a)(1), 248.7(a)(1).
21 See 17 CFR 248.3(c) (a clear and conspicuous notice is designed to call attention to the nature and significance of the information in the notice); 17 CFR 248.3(c)(2)(E) (examples of design techniques that call attention to the nature and significance of a privacy notice combined with other information include using distinctive type size, style, and graphic devices).
22 See 17 CFR 275.204-3(c)(1) (an investment adviser must deliver or offer in writing to deliver to each of its clients a written disclosure statement).
23 See 17 CFR 248.9(c)(2); 17 CFR 230.154 (permitting public companies to household prospectuses); 17 CFR 270.30d-1(f) (permitting management companies to household semi-annual stockholder reports); 17 CFR 270.30d-2(b) (permitting unit investment trusts to household semi-annual shareholder reports).
24 See 17 CFR 230.154(a)(3) (requiring written consent to household prospectuses); 17 CFR 230.154(b) (conditions for implied consent to household prospectuses); 17 CFR 230.154(c) (annual notice to shareholders of right to revoke consent); 17 CFR 270.30d-1(f)(1)(iii) (requiring written consent to household shareholder reports); 17 CFR 270.30d-1(f)(2) (conditions for implied consent to household shareholder reports); 17 CFR 270.30d-1(f)(3) (annual notice to shareholders of right to revoke consent); 17 CFR 270.30d-2(b) (incorporating requirements of rule 30d-1(f) for householding reports to shareholders of unit investment trusts).
25 17 CFR 248.18(b)(1).
26 See Adopting Release, supra note 2, at text following n.139.
27 See id.
28 The Commission noted that (i) it believed any reduction in the number of initial notices consumers might receive would be minimal, and (ii) individuals who share the same address may not become consumers of the financial institution at the same time. Id. at text following n.139.
29 See 17 CFR 248.9(c)(2). The staff also would not recommend enforcement action to the Commission if a fund delivers an annual notice in or with an annual report or proxy statement under the conditions in 17 CFR 240.14a-3(e).
30 A financial institution may combine an opt out notice with an initial notice. See 17 CFR 248.7(b).
31 See 17 CFR 248.7(a)(iii). By contrast, an initial or annual notice must include an explanation of the consumer's right to opt out, including the method by which the consumer may exercise the right to opt out. See 17 CFR 248.6(a)(6).
32 Certain methods of opt out, such as a check-off box, would require a separate form for each customer to exercise the opt out right. Other means, such as a toll-free number, would allow multiple customers to opt out even if they received one form. The Commission did not, however, provide an exception for householding opt out notices based on the means of opt out.
33 When a fund delivers an opt out notice, it also must include a copy of the privacy notice. See 17 CFR 248.7(c) (fund that provides an opt out notice after the initial notice must include a copy of the initial notice with the opt out notice).
34 See 17 CFR 248.4(a) (initial notice must be clear and conspicuous and accurately reflect the financial institution's privacy policies), 248.5(a)(1) (same for annual notice), 248.9(a) (privacy notices must be delivered so that each consumer can reasonably be expected to receive actual notice). The regulation does not prohibit an institution from providing a single privacy notice to a customer regarding all the customer's accounts. See 17 CFR 248.4(d)(2) (if the initial, revised, or annual notice that a fund most recently provided to a customer was accurate with respect to a new financial product or service, the fund need not provide the customer a new privacy notice).
35 17 CFR 248.9(a).
36 See 17 CFR 248.9(b)(2) (an institution may not reasonably expect that a consumer will receive actual notice of the institution's privacy policies if the institution only posts the policies in a branch office, generally publishes advertisements of the policies, or sends a notice by e-mail to a consumer who does not obtain financial products or services from the institution electronically).
37 17 CFR 248.9(b)(1)(iii).
38 17 CFR 248.9(c)(1)(i).
39 See 17 CFR 248.4(c)(3)(iv).
40 17 CFR 248.4(e)(1).
41 Variable contracts are securities under the Securities Act of 1933. See, e.g., SEC v. Variable Annuity Life Ins. Co., 359 U.S. 65, 71-73 (1959). Variable annuity and variable life insurance payments are allocated to a segregated asset account, or "separate account," which typically is registered as an investment company under the ICA. See Prudential Ins. Co. v. SEC, 326 F.2d 383 (3d Cir.), cert. denied, 377 U.S. 953 (1964). See also 15 U.S.C. 80a-2(a)(37) (definition of "separate account" under the ICA).
42 See 17 CFR 248.4(c)(3)(iv) (a customer relationship with a fund is established when the consumer (who is the record owner) purchases shares the fund has issued).
43 Variable annuity and variable life contracts typically contain a "free-look" provision that gives the contract owner the right to return the contract within a specified period for a refund. See Frederick R. Belamy & Steven B. Boehm, The Investment Company Regulation Deskbook §17.4 (Amy L. Goodman, ed., 1997).
44 Adopting Release, supra note 2, at text accompanying n.98.
45 See 17 CFR 248.3(k)(1) (defining "customer relationship" to mean a continuing relationship between a consumer and a financial institution).
46 This position is in comity with the requirements of the National Association of Insurance Commissioners' Privacy of Consumer Financial and Health Information Model Regulation. See National Association of Insurance Commissioners, Privacy of Consumer Financial and Health Information Model Regulation, Art. II, § 5.A(1) (initial privacy notice must be provided not later than when the customer relationship is established); Art. II, § 5.C(2)(a) (customer relationship is established upon delivery of the insurance contract).
47 See 17 CFR 248.5(a)(1); 248.4(c)(3)(iv). If the investor already owns shares of the fund, he or she already will have received an initial privacy notice, and need not receive another initial notice.
48 See 17 CFR 248.4(e)(1)(iii).
49 See 17 CFR 248.13, 248.14, 248.15.
50 17 CFR 248.14(a)(1)-(2). See also 17 CFR 248.14(b)(1) ("necessary to effect, administer, or enforce a transaction" includes information sharing that is required or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the customer's account in the ordinary course of providing the financial service).
51 See 17 CFR 248.11(a).
52 See GLBA, supra note 1, at § 505(a)(3)-(5). Another regulator specified in GLBA would enforce the privacy regulations with respect to a nonaffiliated financial institution subject to that regulator's jurisdiction. See supra note 7. See also Adopting Release, supra note 2, at text preceding n.157.