March 31, 2000
Office of the Comptroller
of the Currency
250 E Street, SW
Washington, D.C. 20219
Docket No. 00-05
Jennifer J. Johnson
Board of Governors of the
Federal Reserve System
20th and C Streets, NW
Washington, D.C. 20551
Docket No. R-1058
Robert E. Feldman
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, D.C. 20429
Manager, Dissemination
and Services Division
Office of Thrift Supervision
1700 G Street, NW
Washington, D.C. 20552
Attn: Docket No. 2000-13
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
Jonathan G. Katz
Securities and Exchange
450 5th Street, NW
Washington, D.C. 20549
File No. S7-6-00
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314
Dear Sirs and Madams:
This is the comment letter of MBNA America Bank, N.A. ("MBNA") regarding the Joint Notice of Proposed Rule Making on the Privacy of Consumer Financial Information published in the Federal Register on February 22, 2000 (Volume 65, No. 35, Pages 8769 - 8816) by the Office of the Comptroller of the Currency ("OCC"), the Board of Governors of the Federal Reserve System ("FRB"), the Federal Deposit Insurance Corporation ("FDIC") and the Office of Thrift Supervision ("OTS") (collectively, the "Agencies"). We refer to the proposed privacy regulations of the Agencies, which implement Subtitle A of Title V of the Gramm-Leach-Bliley Act ("GLBA"), collectively as the "Proposed Rule". While MBNA's primary regulator is the OCC, we and our affiliates also are subject to regulation by the FRB and the FDIC and we issue this letter to the Agencies and to the Federal Trade Commission ("FTC"), the Securities and Exchange Commission ("SEC") and the National Credit Union Administration ("NCUA") because of the common issues involved and our desire for uniformity in the final rules.
MBNA appreciates the opportunity to comment on the Proposed Rule and requests that the Agencies and the FTC, SEC and NCUA consider our recommendations when revising the Proposed Rule for final adoption (the "Final Rule").
MBNA is one of the world's largest issuers of MasterCard and Visa brand credit cards with approximately 21 million Customers in the United States. In business for 18 years and listed on the New York Stock Exchange since 1991, our managed loan outstandings at December 31, 1999 were $72.3 billion and our earnings for 1999 were $1.024 billion. Co-branding relationships, where MBNA provides credit card and other financial products and services to members of a group sharing common interests or to customers of other financial institutions or commercial organizations, are an integral part of our business. Worldwide, MBNA's products are endorsed by more than 4,500 organizations. In addition to credit cards, together with our affiliates we offer consumer deposits, consumer finance, insurance and travel products. Our products and services are sold and serviced almost entirely over the telephone and through the mail, although the Internet is an increasingly important channel. Our success lies in getting the right Customers and keeping them.
Our primary concerns with the Proposed Rule are: (i) the effective date of November 13, 2000 (which §510(1) of GLBA specifically authorizes the Final Rule to extend) does not allow financial institutions sufficient time for confident, cost-effective and comprehensive compliance implementation and an effective date of May 13, 2002 (with voluntary compliance during the 18 months intervening) benefits everyone; (ii) the need for the Final Rule to address co-brand programs; (iii) fundamental definitions either extend beyond Congress' intent as set forth in GLBA or are so lacking in specifics that they imperil compliance efforts by financial institutions and invite unnecessary future litigation; and (iv) the level of detail required in the privacy notices is extreme, creating an unnecessary burden upon financial institutions and increasing the likelihood that consumers will neither read nor react to it, defeating the entire purpose.
Our comments follow the Sections of the Proposed Rule.
§__.1 Purpose and scope
1.1 The Proposed Rule should apply to a foreign financial institution that solicits business in the U.S. whether or not it has an office in the U.S. This provides uniformity of consumer expectation and of financial industry application.
§__.2 Rule of construction
2.1 Notwithstanding our comments regarding particular language set forth below, the Agencies used plain language in the Proposed Rule and are to be congratulated.
2.2 We believe many of the examples in the Proposed Rule provide significant guidance and our comments reference both additional and alternative examples for further clarification. Most examples should be included in the Final Rule, as should the provisions that: (i) the examples are not intended to be exhaustive; and (ii) compliance with an example, to the extent applicable, constitutes compliance with the requirements of the Final Rule. Notwithstanding the foregoing, we do not think the examples are necessary for purposes of defining "clear and conspicuous" (see below). The Agencies, and in particular the FRB, have already promulgated ample guidance on the meaning of "clear and conspicuous" (e.g., TILA).
2.3 All of the examples, like all provisions of the Final Rule, should be identical except where deviation is absolutely necessary; and then only as a consequence of fundamental business or regulatory differences. In such cases the examples must still be consistent and comparable. The Agencies and the FTC, SEC and NCUA must, to the maximum extent possible, provide the same rules for everyone. MBNA needs this consistency and uniformity across its credit card, consumer deposits, consumer finance, insurance and travel businesses as do many other financial institutions with multiple businesses and multiple regulatory relationships.
2.4 To illustrate the preceding point, in §__.6 of the Proposed Rule, each of the Agencies sets forth an example of an adequate categorization of information disclosed in a privacy notice. While the OCC and the FDIC state that "illustrative examples of the content of the information" are appropriate, the FRB and the OTS state that "a few illustrative examples of the content of the information" are appropriate. We can think of no reason for this difference in language and favor any modifications of the Proposed Rule which increase its uniformity and decrease the detail, length and complexity of the privacy disclosure. MBNA is very concerned that the complexity of the Proposed Rule: (i) will cause financial institutions to prepare voluminous privacy notices which consumers will not wish to read, effectively defeating the purpose of the GLBA privacy provisions; and (ii) creates unnecessary time and expense burdens on financial institutions in terms of systems modifications, production of required notices and modifications of policies, procedures and practices such that satisfactory compliance by November 13, 2000 is not possible.
3.1 The definition of "clear and conspicuous" is inconsistent with longstanding definitions of that term set forth by the FRB in Regulations M, AA, CC and DD and contains numerous requirements subject to varied interpretation. We recommend that the Final Rule follow the FRB precedents to provide greater certainty for financial institutions in preparing the required notices.
3.2 The definition of "collect" rests on the flawed definitions of "nonpublic personal information", "personally identifiable financial information" and "publicly available information" (addressed below) and makes it appear as though the scope and extent of the Proposed Rule require customer level, as opposed to account level, detail. This definition should include only "nonpublic personal information" which is "personally identifiable", genuinely "financial" in nature, obtained by the "financial institution" from a "consumer" or "consumer report" and which cannot be obtained from any "publicly available information". Further, this definition should only apply to such information actually obtained and stored or maintained by a financial institution.
3.3 The definition of "consumer" in the Proposed Rule is not supported by §509(9) of GLBA. In the statute a "consumer" is "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes". Yet the example in §__.3(e)(2) of the Proposed Rule defines a consumer to include an individual who applies for credit "regardless of whether the credit is extended". The Proposed Rule's attempt to rationalize this departure from the statute, that a financial institution's review of an application is the provision of a financial product or service in and of itself, defies common sense. Similarly, the definition of "customer" must include the concept that a "customer relationship" is only established when the consumer has taken the steps necessary to open an account or to borrow money and the account is opened or the credit extended by the financial institution.
3.4 As the application process, by definition, is how a financial institution determines whether to offer a financial service (i.e., whether the consumer will in fact obtain it), the definitions of "customer" and "continuing relationship" in the Proposed Rule require further clarification and examples, particularly with respect to isolated transactions not creating a continuing relationship. The FTC specifically requests notice regarding travel agencies operated in conjunction with financial services (MBNA operates a travel agency) and we find the examples of isolated transactions in this regard confusing. While the examples set forth that the purchase of airline tickets alone, even on a repeated basis, is considered an isolated transaction, the FTC goes on to set forth that "planning a trip" creates a continuing relationship, thereby re-classifying a "consumer" as a "customer" under the Proposed Rule. We respectfully disagree with this conclusion and believe that "planning a trip" may also be classified as an isolated transaction where it involves singular contact between the consumer and the travel agency. Uncertainties like this make the task of educating MBNA's people regarding the requirements of the Proposed Rule, for which little time is allowed, next to impossible. How are we to recognize the difference? For example, does the addition of ordering a rental car or booking a hotel room constitute "planning a trip"? The Final Rule must clearly define what are and are not "isolated transactions" and when a consumer becomes a customer.
3.5 The definition of "nonpublic personal information" and its component definitions of "personally identifiable financial information" and "publicly available information" are all inconsistent with GLBA. The Proposed Rule effectively deletes the word "financial" from the definition of "personally identifiable financial information" because it classifies as financial all information furnished by a consumer to a financial institution or otherwise obtained by a financial institution as part of providing a financial product or service to the consumer. The Agencies have unilaterally decided that the circumstances of the disclosure are more important than the substance of the information disclosed. This is contrary to Congress' intention which (as described in a colloquy between Senators Allard and Gramm, 145 Cong. Rec. S13,902-03 (daily ed. November 4, 1999)), was that only information describing an individual's financial condition, such as assets, liabilities, income, account balance and payment and overdraft history, should be included within "personally identifiable financial information" and "nonpublic personal information". Similarly: (i) the existence of a customer relationship or former customer relationship (e.g., Mr. Jones is a Customer of MBNA), provides no information regarding financial condition and therefore, in and of itself, must not be included within "personally identifiable financial information" and "nonpublic personal information"; and (ii) identification information (e.g., name, address and telephone number), must not be included within "personally identifiable financial information" and "nonpublic personal information".
3.6 With respect to Alternatives A and B (we note that the FRB alone among the Agencies includes only Alternative B), only the latter makes sense. Alternative A is counterintuitive because it again makes the circumstances of the disclosure more important than the substance of the information disclosed. Further, it fails to recognize that many institutions, including MBNA, cannot track the source of all information in its possession and it places financial institutions at a competitive disadvantage to all other commercial enterprises able to make unrestricted use of "publicly available information". Finally, the definition of "publicly available information" is unduly restrictive. To attempt to list all sources of "publicly available information" is a pointless exercise; the sources change all the time. A definition such as "lawfully made available to the general public" is more appropriate.
3.7 Application of the Proposed Rule to credit bureaus may make so-called "credit header" information unavailable. This information is routinely used for a variety of purposes in the financial industry, including address verification, direct marketing and fraud prevention. Therefore we urge that the Final Rule not prevent access to such information as it will exacerbate fraud and increase marketing costs without contributing appreciably to consumer privacy.
§__.4 Initial notices to consumers of privacy policies and practices required
4.1 The Proposed Rule improperly advances the point in time established by Congress for providing the initial notice. While §503(a) of GLBA requires the initial privacy notice to be furnished "at the time of establishing a customer relationship", §__.4(a)(1) of the Proposed Rule requires the same notice to be furnished "prior to the time that the bank establishes a customer relationship". Further, the Final Rule must provide flexibility and permit financial institutions to provide the initial notice within a reasonable period of time after the establishment of the customer relationship. This is similar to Regulation DD providing financial institutions with ten business days to provide account disclosures for deposit accounts opened through the mail or over the telephone. Customer privacy is protected because no sharing of nonpublic personal information may occur until the required notices are furnished. In MBNA's case, such a provision permits use of new account materials as the delivery vehicle and also provides more flexibility for point of sale loan transactions. It also recognizes the conditions associated with MBNA's primary Customer communication channels.
4.2 The requirement of specific customer agreement to receive the initial privacy notice "within a reasonable time", where the financial institution and the customer have orally agreed to enter into a customer relationship, is unnecessary. The customer's privacy interests are already protected because the financial institution cannot share the customer's nonpublic personal information until the notice is provided. Further, this requirement is confusing. The §503 privacy notice itself cannot be given orally pursuant to the Proposed Rule (and therefore its delivery must be deferred), yet an agreement to defer its receipt is required and may be delivered orally? Will customers understand this? What is the result if the customer declines to consent to deferred delivery? Finally and at the very least, with respect to loan purchases and deposit assumptions, the Final Rule should not include the concept of whether or not the customer has a choice about the purchase or assumption because it adds significant uncertainty without adding any benefit.
4.3 The Proposed Rule prohibits oral delivery of the §503 privacy notice. This has a disproportionately adverse effect on financial institutions like MBNA that establish customer relationships through telemarketing. Our comment regarding provision of the §503 privacy notice "within a reasonable time after establishing the customer relationship" addresses this point. However, if the Agencies do not accept our comments set forth in Paragraphs 4.1 and 4.2 above, they must permit oral delivery of the §503 privacy notice or an abbreviated version. The Agencies clearly have the power to do so pursuant to §503(a) of GLBA, requiring that, "a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by section 504 . . ." Prohibiting oral disclosures leaves MBNA at a severe disadvantage with respect to other financial institutions.
4.4 The Final Rule should provide that where there is more than one party to an account, the financial institution is required only to provide one §503 privacy notice (initial and annual) to the party identified as the principal account holder or to the address specified by the parties for the account. This is consistent with Regulations DD, E and Z, which contain similar provisions. This issue of "account" versus "customer" treatment is overwhelmingly important in determining the cost, time, and systems and mail processes for complying with the Proposed Rule. Most financial institutions, including MBNA, maintain records at the account level, not the customer level, and matching customers across accounts is an expensive, time consuming and difficult process inevitably producing errors. In this regard, the Final Rule should permit a financial institution to require a specific opt out notice (or specific multiple account identification by the customer) within each opt out notice or establish a reasonable "safe harbor" for the financial institution's efforts to match accounts.
4.5 Duplicative notices under the Proposed Rule are a significant problem. They will waste time, effort and money and they will confuse consumers. The Final Rule must provide that where a financial institution furnishes all required privacy notices to a customer in connection with an existing relationship, those notices need not be repeated (provided they remain accurate and adequate) with respect to any additional relationships entered into between that customer and the financial institution (e.g., another credit card account). The Final Rule should also provide that the standards regarding dormant accounts and who must receive annual privacy notices (see our comment 5.1 below) are also applicable to initial privacy notices to be issued to customers by financial institutions when GLBA becomes effective.
4.6 The Proposed Rule's requirements regarding electronic delivery of the privacy notice are unnecessarily burdensome. A financial institution should not be required to send the initial or annual privacy notice via e-mail or to require customers to acknowledge receipt or access the web site page on which they are posted in order to access the product or service they desire. Posting of the privacy notices on the financial institution's web site is sufficient provided that the financial institution has advised the customer accordingly. Further, if the consumer applied for the financial product or service electronically then the financial institution should be permitted to issue the disclosures electronically. No agreement by the consumer to receive them electronically is necessary. Finally, there is no support in the statute for the Proposed Rule's requirement that, with respect to customers only, a financial institution must provide the §503 notice "so that it can be retained or obtained at a later time by the customer, in a written form, or if the customer agrees, in electronic form".
4.7 The Final Rule should be revised to provide that the financial institution is not required to send the §503 privacy notice, the annual privacy notice or the §502 opt out notice to any customer that has instructed the financial institution that he/she does not wish to receive any notices or other communication from the financial institution.
§__.5 Annual notice to customers required
5.1 The applicable standards for dormant accounts/transactions should be those of the financial institution to allow for maximum flexibility. This is consistent with Regulation E. As explained more fully in comment 5.3 below, we prefer the word "inactive" to "dormant".
5.2 The examples provided are useful and additional examples, specific to travel and insurance businesses, would be useful.
5.3 The Final Rule should be revised to provide that a financial institution will not be deemed to have a "continuing relationship" with a borrower: (i) during the time period that the borrower's loan (open end or closed-end) is in default, if that default could lead to a charge off; and (ii) if the customer's account is deemed to be "inactive" under the financial institution's policies. Further, the Final Rule should be revised to provide that marketing or activation materials that may be sent to a customer during the 12-month period will not cause the relationship between the financial institution and the customer to be deemed to be a "continuing relationship" or an "active" relationship.
5.4 Substantial cost savings could be realized if the Final Rule defines "annually" to allow financial institutions the flexibility to deliver the annual notice with other mailings to their customers, all of which will vary over time. Finally, with respect to customers who have been provided the initial §503 privacy notice and the §502 opt out notice, or at least with respect to those provided these items and who have opted out, the Final Rule should provide that only a reminder of the availability of the financial institution's current privacy disclosure need be sent to customers. This would reduce printing and mailing costs, prevent customer confusion and avoid duplicative opt out requests.
§__.6 Information to be included in initial and annual notices of privacy policies and practices
6.1 The Proposed Rule exceeds the scope of Congress' intent by requiring that the notice contain "source and content" of the nonpublic personal information as opposed to the "categories of information" described in GLBA §503(b). The resulting level of detail is burdensome to financial institutions (who must perform the due diligence and drafting efforts required to prepare these notices) and to consumers (who must read considerable quantities of information to answer what is basically a simple question). Like too many other federally mandated disclosures that financial institutions produce, the privacy notice required by the Proposed Rule will be so detailed and complex that it will lose its meaning and purpose. The Final Rule should eliminate the requirement for "sources" and should specifically permit general descriptions of "categories".
6.2 Further, the Proposed Rule's provisions regarding the financial institution's policies and practices with respect to protecting the confidentiality, security and integrity of nonpublic personal information have not yet been produced and apparently will not be produced until issuance of the Final Rule. This particular disclosure cannot be made meaningful without providing a level of detail detrimental to the security of financial institutions. To be specific, disclosing every line of business that has access to information, who has access authorization and under what circumstances, seems ill-advised and a level of detail both burdensome to the financial institution and of questionable benefit to the consumer.
6.3 Considering the magnitude of GLBA and the Proposed Rule, the obvious confusion of the financial industry with respect to required compliance efforts, anticipated consumer reaction and the extensive notification and data tracking/suppression processes that result from it, examples of complete privacy and opt out notices to provide safe harbors for financial institutions are appropriate.
§__.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties
7.1 Financial institutions should be required to provide the §502 opt out notice only to the party identified as the principal account holder or to the address specified by the parties for the account. This is consistent with Regulations DD, E and Z. The party receiving the §502 opt out notice serves as representative of all other parties to the account.
7.2 The example regarding isolated transactions should be revised to specify that the §502 opt out notice may be provided either at the time of the transaction or at a later time so long as the financial institution does not share any nonpublic personal information of the consumer with a nonaffiliated third party until after the notice has been furnished and the consumer is provided a reasonable amount of time to opt out. Examples for each communication channel (e.g., mail, telephone or electronic) should specify the reasonable amount of time allowed to the consumer to exercise the opt out, prior to the expiration of which the financial institution may not share nonpublic personal information.
7.3 Allowing 30 days for a consumer to effect an opt out by mail is reasonable but this example should be revised to apply to all consumers, not just to customers. Further, examples in an electronic medium and authorizing consumer opt out by toll free 800 number with automated response unit processing by the financial institution would be helpful.
7.4 The ability of banks to match consumer notice and opt out information with subsequent customer notice and opt out data is questionable and match rates will decline because the overall effect of the Proposed Rule is that financial institutions will collect less information. Data matching between consumers and customers will become increasingly difficult, time consuming and expensive. Specific regulations with examples are necessary to specify a financial institution's obligations in this area.
§__.8 Form and method of providing opt out notice to consumer
8.1 The Final Rule must permit consumers to opt out by toll free 800 number with automated response unit processing by the financial institution.
8.2 The examples include response mechanisms which raise significant account security concerns (e.g., reply cards with account numbers written upon them) or methodologies with enormous cost implications for financial institutions (e.g., the FTC's example of a self-addressed, stamped envelope to be included with each §502 opt out notice). The printing, processing and postage cost for a typical bank-wide notice by MBNA exceeds $10,000,000. To burden financial institutions with further costs is inappropriate, particularly when many consumers will not respond and those that do bear no more cost to do so than associated with a monthly payment or deposit sent through the mail.
8.3 The Final Rule must specify that a financial institution may require opt out responses to be in particular formats/channels and may either accept or refuse to process, in its sole discretion, non-compliant responses. Financial institutions should also be permitted to reject opt out responses prepared in "aggregate" form where they cannot confirm, based on the information provided, that the aggregator is actually the legal representative of the consumers or customers concerned. MBNA will issue millions of notices under the Final Rule and opt out response rates may be significant. To properly plan, implement and process the responses MBNA must allocate its resources in advance, including systems development and education of MBNA people. To require a financial institution to accept opt outs in whatever form they are received will squander resources, increase the likelihood of failed implementation and impinge on other operations of the financial institution, such as customer service.
8.4 The Proposed Rule requires a financial institution to implement a consumer's election to opt out as soon as "reasonably practicable". The flexibility provided to financial institutions by this standard is appropriate but examples would be helpful to clarify the meanings of "implement" and "reasonably practicable". For example, MBNA's current privacy disclosure, sent to all existing MBNA Customers from August through December, 1999 (and provided thereafter to all new MBNA Customers in new account materials), advises the Customer to allow ten weeks for the opt out to take effect. While we promptly process all opt outs received, a Customer's information may have been shared prior to MBNA's receipt or processing of the opt out. In such a situation (e.g., information shared for direct mail or telemarketing programs already released for marketing), additional suppression steps are cost prohibitive and the ten week period covers the issue, avoiding Customer dissatisfaction.
§__.9 Exception to opt out requirements for service providers and joint marketing
9.1 Nothing in GLBA §502(b)(2) supports the Proposed Rule's requirement that additional, specific disclosure with respect to sharing of nonpublic personal information pursuant to joint marketing agreements is required. GLBA §502(b)(2) only requires that for joint marketing agreements, the disclosure requirements regarding nonpublic personal information sharing are the same as those required generally under GLBA §503. The interpretation in the Proposed Rule requires financial institutions with a variety of such relationships to develop individualized notices, unnecessarily increasing the cost and complexity of compliance.
9.2 The Final Rule should not inhibit financial institutions, their affiliates, and their nonaffiliated third parties from using consumer information without indicators of personal identity to test or improve credit scoring, market response or other consumer behavioral models. These database management techniques are critical to maintaining the safety and soundness of financial institutions, to the development of strategies for "continuous relationship management" and to the growth of our information economy.
9.3 The Final Rule should not require financial institutions to police or audit one another and there is no logic or benefit in such a requirement. Regulatory oversight, enforcement of required contract provisions limiting re-disclosure of nonpublic personal information and market responses are sufficient to prevent abuse.
9.4 We interpret the joint marketing exception to be unlimited in scope, content and directional flow of information sharing, provided that the business relationship involves an agreement for the marketing of a product or service between two or more financial institutions and the financial institutions disclose the basic categories of information required under GLBA §503. At a minimum, there must be no question that financial institutions in a joint marketing agreement are able to share nonpublic personal information back and forth with each other, after providing the §503 privacy notices. Specifically, we interpret the joint marketing exception to apply to our issuance of credit cards on behalf of other financial institutions. With that understanding, we see no need for examples.
§__.10 Exception to notice and opt out requirements for processing and servicing transactions
10.1 To be consistent with §502(e) of GLBA, the phrase "in connection with" must be added to the beginning of the clauses set forth in §___.10(a)(2) and (a)(3) of the Proposed Rule. These revisions make it clear that the exceptions to providing the privacy notice and the opt out include activities that relate to servicing or processing a financial product or service or maintaining or servicing the consumer's account, as opposed to being absolutely necessary for such functions.
§__.11 Other exceptions to notice and opt out requirements
11.1 The Final Rule must accommodate co-branded financial products and services. Privacy is in part a function of expectations, and the Final Rule should account for the expectations a customer has with co-branded financial product programs, where a third party endorses the product and, in the case of credit cards, is prominently displayed on the card. If the endorsing party is a financial institution, then the Final Rule already addresses the need for an obvious exception to the opt-out requirement. The same logic applies to a co-brand program where the third party is not a financial institution; a customer expects that the endorsing organization knows they are a customer. Certainly customers should still receive disclosure of what nonpublic personal information is shared; however, no opt out should apply. An opt out right unduly burdens program logistics and synergies and would merely serve to delay providing the customer with the very benefit they sought when applying for the account.
As an alternative, in order to be able to meet the customer's expectations, a financial institution must be able to condition obtaining a co-branded product upon the customer's agreement not to opt out regarding sharing of nonpublic personal information with the applicable co-branded or partner (those opting out receive a non-co-branded product).
11.2 §__.11(a)(3) and (7) of the Final Rule must be revised to permit disclosure of nonpublic personal information without requirement of notice or opportunity to opt out in connection with alternative forms of dispute resolution, such as arbitration. This comment extends both to the financial institution's representatives in such matters and to the arbitrator, mediator or other person(s) involved with the alternative dispute resolution.
§__.12 Limits on redisclosure and reuse of information
12.1 The Final Rule must not require financial institutions to police or audit one another and there is no logic or benefit in such a requirement. Regulatory oversight, enforcement of required contract provisions limiting re-disclosure of nonpublic personal information and market response are sufficient to prevent abuse.
12.2 The Final Rule should not inhibit financial institutions, their affiliates, and their nonaffiliated third parties from using consumer information without indicators of personal identity to test or improve credit scoring, market response or other consumer behavioral models. These database management techniques are critical to the safety and soundness of financial institutions, the development of "continuous relationship management" strategies and the growth of our information economy.
12.3 The Final Rule should not apply to a financial institution receiving nonpublic personal information from another financial institution about a consumer where the receiving financial institution also has a customer relationship with that consumer and has furnished that consumer the privacy disclosures required of that financial institution pursuant to the Final Rule. In this situation, it is not the limitations on re-disclosure of §__.12 of the Proposed Rule that govern, but rather the financial institution's own privacy disclosures.
§__.13 Limits on sharing of account number information for marketing purposes
13.1 The Final Rule should specifically provide that, given proper disclosure and opportunity to opt out, financial institutions are permitted to provide encrypted account numbers to nonaffiliated third parties for purposes of telemarketing, direct mail marketing or other marketing through electronic mail to the consumer where the financial institution alone retains the key. There is no evidence whatsoever that such arrangements have contributed in any way to identity theft, so-called "slamming" of telemarketed products or services, or any other perceived privacy abuses.
13.2 The Final Rule should specifically authorize sharing of account numbers for non-marketing purposes, such as where a joint marketing agreement between two or more financial institutions requires information sharing to facilitate cross-account/institution operations such as combination statements, overdraft protection and the like. Further, the Final Rule should clarify that nothing contained in the Final Rule is intended to prohibit the transfer of account numbers in marketing the financial institution's own products and services.
13.3 The Final Rule should provide that the term "account number or similar form of access number or access code" does not include a "customer unique identifier" or "reference" number used by the financial institution to identify a particular customer or account, provided that such number has no capability, in the possession of the nonaffiliated third party, to effect a charge to a particular account.
13.4 The Final Rule should specify that a financial institution may provide an account number to a nonaffiliated third party for use in marketing to the consumer if the financial institution has obtained the consumer's prior consent. In MBNA's co-branded relationships, account numbers are frequently provided to the respective co-brand partners to accurately match accounts for the information sharing (e.g., for use in administering points programs and confirming group compensation, etc.) that is an integral part of such relationships.
§__.16 Effective date; transition rule
16.1 The Proposed Rule requires financial institutions to implement the regulations by November 13, 2000, but in §§504 and 510 of GLBA Congress provided the Agencies with authority to extend that date. This timeframe represents a significant compliance burden given the magnitude and cost of the operational changes needed to implement the regulation. We cannot stress enough that the Agencies and the FTC, SEC and NCUA should exercise their discretionary authority under GLBA to postpone the date for mandatory compliance. We recommend that compliance be made optional as of November 13, 2000, with an extended phase-in period to May 13, 2002. The specific impacts are described more fully below:
The cost to implement the Proposed Rule is considerable. Cost implications include system and programming changes; costs to develop, print, mail and maintain written privacy and opt out notices; education of personnel; legal and audit fees; and overall opportunity costs incurred by allocating resources previously devoted to business development and customer services to implementation of the privacy regulations.
We firmly believe that the considerable costs to be incurred in implementing this Proposed Rule were not given sufficient consideration. Since the Proposed Rule was not published until February 22, 2000, most financial institutions' annual financial plans and budgets were already established. Implementation costs will be covered by financial institutions reducing expenditures for previously planned marketing and operational activities. Extending the implementation period will greatly ease the financial burden and provide management with greater flexibility in making the necessary changes in systems, personnel, etc.
The system changes required in implementing the Proposed Rule are significant. They include programming necessary to support the delivery of revised disclosures, processing of "opt out" notifications, and suppression of nonpublic personal information when being transferred to nonaffiliated third parties. The difficulties in developing the systems necessary to comply with the Proposed Rule are further compounded by the fact that individual States have the authority under §507 of GLBA to enact additional privacy requirements not pre-empted at the Federal level. As far as we are aware, no State has yet adopted a privacy law akin to the GLBA provisions, although many are considering legislation. We are at a disadvantage in not knowing the full scope of system changes that will ultimately be needed. We could very well be in the position of expending substantial resources to make programming changes to implement Title V of GLBA and subsequently making changes of equal or larger magnitude next year to comply with differing State requirements.
Financial institution system resources are at a premium because most institutions went through an extended "lockdown" period in preparation for Year 2000. As a result, there exists pent-up demand for system projects and resources to support normal business operations. The very short window to implement the Proposed Rule is an extreme hardship to financial institutions because it requires immediate reprioritization of resources and will cause deferment or cancellation of projects that would have favorably impacted the growth and profitability of the institution.
The commentary in the Proposed Rule notes that many financial institutions have "opt out" systems for purposes of complying with the affiliate sharing restrictions under the Fair Credit Reporting Act ("FCRA"). This implication that financial institutions may be able to utilize existing functionality with minimal impact is incorrect. The FCRA "opt out" is limited in scope and impact and is much more easily administered than the Proposed Rule.
MBNA appreciates this opportunity to provide comments on the Proposed Rule. If you have any questions, please contact the undersigned at 302-432-1850.
James W. Brooks, Jr.
Senior Vice President