March 30, 2000
Jonathan G. Katz
U.S. Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549-0609
Re: File No. S7-6-00 (Regulation S-P), Proposed Privacy Regulations
Dear Mr. Katz:
Banc of America Investment Services, Inc. ("BAISI") submits this letter in response to the request for comment by the Securities and Exchange Commission (the "Commission") on proposed privacy regulations implementing Title V (the "Proposed Rule") of the Gramm-Leach-Bliley Act ("GLBA"). BAISI appreciates the opportunity to comment on this very important matter.
BAISI and its predecessors have been helping investors since 1983 with more than 500,000 customers representing over $60 billion in assets. As a non-bank subsidiary of Bank of America Corporation, we take very seriously the charge to protect the privacy of our customers' personal financial information. Our parent, Bank of America, has previously announced it and its subsidiaries will not share any customer information with non-affiliated third parties that offer their products and services to customers of the Bank of America family. In addition, we will not enable non-affiliated third parties to call our customers offering products unrelated to financial needs. Our company continues to offer customers a variety of ways to opt-out of marketing solicitations.
With this in mind, we support the enactment of the privacy provisions of GLBA. We applaud the Commission for working together with other federal regulators to produce a framework of consistent regulations. However, several issues arise from the proposed rules that we feel compelled to comment on. Our comments relate to:
A. Non-Public Personal Information
Section 509(4) of GLBA defines non-public personal information as "personally identifiable financial information" that 1) is provided by a consumer to a financial institution, 2) results from any transaction with a consumer or any service performed for a consumer, or 3) is otherwise obtained by the financial institution. "Non-public personal information" also includes any list, description or other grouping of consumers and publicly available information pertaining to them. This proposed definition of "personally identifiable financial information" is overly broad and is not supported by GLBA or its legislative history. As explained in a colloquy by Senator Allard and Senator Gramm on Title V, Congress intended the term "personally identifiable financial information" to be information that describes a consumer's financial condition.1 The final rule should adopt the more narrow definition of personally identifiable financial information intended by Congress, reaching only information that describes an individual's financial condition, such as an individual's assets and liabilities, income, account balances, net worth and investment objectives. The rules should make it clear that identification information, such as name, address and phone number, is not financial information.
Additionally, the Commission invited comment on whether the definition of "non-public personal information" should cover information about a consumer that contained no indicators of a consumer's identity. We believe that it should not. The sharing of information that is in no way personally identifiable does not threaten a consumer's privacy. The Commission should add an example indicating that non-public personal information does not include aggregate information about investors, which cannot be linked to specific individuals.
B. Publicly Available Information
The Commission invited comment on whether the definition of publicly available information should treat information that is, in fact, publicly available as non-public if the institution did not actually obtain the information from a public source. The definition of publicly available information should not depend on the source from which it was obtained. To adopt a definition that depends upon the source would simply engender factual disputes over the origin of information. Current records of financial institutions do not track such sources and are a mixture of information obtained from public and other sources. Financial institutions should be allowed to assume that certain types of information are ordinarily publicly available without being forced to incur an unnecessary burden of verifying its specific source.
Timing of the Initial Notice
Proposed Section 248(4)a(1) would require that a financial institution provide an initial notice to every individual who becomes its customer prior to the time it establishes a customer relationship. We urge the Commission to delete this requirement for several reasons. First, the standard is inconsistent with the statutory language of Section 503 of GLBA, which states that a financial institution is expected to provide the initial privacy notices to the customer at the time of establishing a customer relationship. Secondly, broker/dealers need the flexibility to provide privacy notices at the same time they are required to provide other notices. The final rule should allow a broker/dealer to deliver the notice within a reasonable time after the customer relationship is established, provided that no non-public personal information relating to the customer is disclosed to a non-affiliated third party before the initial privacy notices are provided and opt-outs allowed. Providing the privacy notice in this manner gives the customer the opportunity to opt-out prior to the time any privacy right may be infringed. Such delivery is consistent with the timing of other notices currently provided by broker/dealers. The Commission recognized such delivery in citing the notice under 16b(1), which may be provided or sent at the time of account opening.
Content of the Notice
Proposed Rule 248.6 would require that the initial and annual notice a firm provides to its customers describe, among other things, the categories of 1) non-public personal information about consumers that are collected and/or disclosed; and 2) affiliates and non-affiliated third parties to whom non-public personal information is disclosed.
The examples in the Proposed Rule could be interpreted as converting a requirement to disclose general classes of information into a requirement to disclose very detailed information (i.e., the source of information collected, the lines of business involved, the entities to whom the information is disclosed, and the categories of the information collected from each source). We suggest that these rules may be interpreted as requiring overly detailed descriptions, which would only confuse customers and be counter-productive to the Commission's goal. Given that customers and consumers are likely to receive privacy notices from a broad range of financial institutions, they stand to be overwhelmed by lengthy detailed descriptions arguably required by the examples.
Broker/dealers need flexibility in drafting privacy notices so that a clear, consistent message can be delivered among an affiliated family of financial companies. Notice requirements containing unnecessary detail will preclude affiliated companies from efficiently providing notice, and will ultimately disserve investors. We urge the Commission to allow broader descriptions of the categories of non-public personal information disclosed and of institutions to which it may be disclosed.
The Proposed Rules would further require that privacy notices include a detailed discussion of information sharing practices with respect to affiliates. A financial institution would be required to provide the categories of non-public personal information that may be disclosed to affiliated third parties and categories of affiliated third parties to which such information may be disclosed. We respectfully suggest that these affiliate-sharing provisions are inconsistent with GLBA: Section 503 of GLBA provides that, except for the FCRA opt-out notice, a financial institution is not required to include information relating to information sharing practices with affiliates in its privacy notice. The intended reach of Title V of GLBA is sharing practices with non-affiliated third parties. We urge that the final rule should be consistent with the letter and intent of GLBA so that, except as required for FCRA opt-out notices, privacy notices need not include affiliate-sharing practices.
Effective Date and Transition Rule
The Proposed Rule 248.16(a) provides November 13, 2000 as an effective date for the final regulations. The effective date is premised on the adoption of a final rule by May 12, 2000, six months after the enactment of GLBA. Under the Proposed Rule, initial privacy notices would have to be provided to customers and consumers as of 30 days of the effective date. We urge the Commission to extend the effective date of the final rule, and to make compliance with its requirements voluntary until the effective date. GLBA and proposed regulations will require that, at a minimum, financial institutions:
We respectfully submit that this simply cannot be done in a six-month period. As stated in the Proposed Rule, financial institutions will be held responsible for inaccurate notices. We are confident that the Commission will ultimately establish the effective date of the rule with a realistic view of what its requirements entail.
Full Disclosure Regarding Service Providers
The Proposed Rule would require full disclosure of not only joint marketing agreements, but also service providers. We suggest that service providers must be viewed as an extension of the financial institution. Including a separate description of categories of information which may be disclosed to third parties to which we may outsource services only adds to the potential confusion. Moreover, the utility of detailed disclosures regarding service providers is not apparent, as there is no opt-out right for such disclosures. The full disclosure requirements should be restricted to joint marketing arrangements involving non-affiliated financial institutions. However, if the Commission believes an outsourcing disclosure is necessary, we urge you to adopt a brief and generic example, requiring that financial institutions disclose that they may use third party processors and service providers to assist in delivering services.
We commend the Commission and staff on the obvious effort on this challenging issue. At BAISI, and at our parent Bank of America Corporation, we share the Commission's goals and concerns on financial privacy. We hope that our comments will assist in the adoption of regulations that protect those interests, without causing undue burden on financial institutions or confusion to the public.
We have attached a copy of Bank of America Corporation's comments on the Proposed Rule, as submitted to the banking regulators. As part of a larger group of affiliated companies, we share their concerns as well and hope that Bank of America Corporation's comments to the banking regulators are beneficial to the Commission.
We appreciate the opportunity to comment on the Commission's proposal. If you have any questions, or would like to discuss BAISI's comments further, please contact the undersigned at 704-386-4650.
BANC OF AMERICA INVESTMENT SERVICES, INC.
Vicky W. Ayers
Assistant General Counsel