March 31, 2000

Jonathan G. Katz, Secretary
U.S. Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549
Re: Privacy of Consumer Financial Information (Regulation S-P)
Securities Exchange Act Release No. 42484, File No. S7-6-00

Ladies and Gentlemen:

Charles Schwab & Co., Inc. (Schwab) appreciates this opportunity to comment on proposed Regulation S-P. Schwab is the world's largest online broker-dealer in terms of transactions and customer assets, and overall has 6.7 million customer accounts. Appropriate protection of confidential customer information is a core value for Schwab. We believe we were the first broker-dealer to have an online privacy policy, which we posted more than two years ago. Last year we expanded that policy to cover all of our retail businesses, and mailed a copy of the policy to all of our customers in addition to posting it online. Our privacy policy gives notice to consumers about the limited circumstances under which we disclose personal information to third parties. Our privacy policy also makes it clear that we do not sell personal information to anyone.

The responsible and efficient use of customer information is a cornerstone of our customer service business. As a financial institution serving millions of customers through multiple channels, Schwab necessarily shares customer information with trusted third parties subject to strict confidentiality agreements. These third-party relationships cover everything from printing customer account statements to co-branded Internet products and services such as our relationship with Excite that allows us to offer our customers their own personalized home page on MySchwab, a primary gateway to Schwab's Internet channel.

In our view, protecting consumer privacy is both a customer relationship and a competitive issue. The proposed industry-wide privacy regulations will help assure that Schwab and other financial institutions are subject to the same basic uniform rules, oversight, and enforcement mechanisms governing the collection and disclosure of consumer information. Our basic philosophy is that privacy regulation ought primarily to be disclosure-based: clearly disclose to consumers what your company's privacy practices are so that customers can make informed decisions about whom to trust with their most personal financial information. Firms that harm customers by materially violating their own publicly disclosed policies should be subject to sanction. However, as a general matter the government is not particularly well situated to dictate the substantive content of privacy policies, particularly in areas subject to rapid technological evolution such as Internet delivery of financial services. We believe that with the required disclosure of companies' privacy policies, customer and competitive pressure will drive toward the adoption of better and stronger privacy policies than could be imposed by government mandate.

The Commission and other financial regulators have done a commendable job drafting regulations to implement the privacy requirements of the Gramm-Leach-Bliley Act ("G-L-B"). However, we believe additional guidance and clarity are necessary to avoid subjecting financial institutions to uncertainty and unwarranted burdens. As our comments below detail, in its adopting release the Commission should address five critical areas in crafting the final rules:

  1. Expressly exclude from the definition of "nonpublic personal information" aggregate information and blind data that do not include indicators of a consumer's identity and whose unfettered use greatly benefits both financial institutions and consumers.

  2. Establish a workable framework for financial institutions to deliver the initial privacy notice by (i) making the timing of the notice consistent with current business practices, (ii) not imposing greater burdens on electronic delivery by requiring that a customer "acknowledge receipt," and (iii) allowing delivery of the notice to the primary account holder on a joint account.

  3. Provide practical examples that demonstrate the scope of the "with the consent or at the direction of the consumer" exception under § 248.11(a)(1).

  4. Not require financial institutions to monitor with expensive, formal controls the use of consumer information by third party service providers who are already subject to strict contractual confidentiality provisions.

  5. Adopt an effective date that will enable financial institutions to deliver the required notices with quarterly account statements and to have sufficient time to make the expensive and considerable systems and database changes and implement the necessary controls to comply with these significant new requirements.

I. Definition of "Nonpublic Personal Information" -- § 248.3(t).

The proposing release invites comment on whether this key definition "should cover information about a consumer that contains no indicators of a consumer's identity." We think that aggregate information and "blind data"1 that do not identify a consumer clearly fall outside the scope of the G-L-B's definition of nonpublic personal information: "personally identifiable financial information."2 Neither aggregate information nor blind data identify a consumer and, therefore, neither implicates G-L-B's purpose in assuring that consumers are informed about what personally identifiable information a financial institution may disclose to a third party.

Both consumers and financial institutions substantially benefit from the use of aggregate information and blind data that, by definition, do not implicate individual privacy interests. Financial institutions essentially identify themselves through aggregate information about their customer base that they share with the public and third parties. Examples include the number of customers invested in a particular kind of security, monthly trade tallies, total assets under management, or number and type of account holders who reside in a particular state. The release of aggregate information allows prospective consumers to compare and better understand firms with which they may want to do business.

Sharing such information with nonaffiliated financial institutions also enables a firm to compete better while promoting its customers' interests. Financial institutions may disclose aggregate data to obtain access to new opportunities for their customers, like participation in a new mutual fund subscription or receiving an allocation in an initial public offering. Financial institutions also use blind data to test new technology with prospective vendors. Actual data - minus identifying information - offers a more authentic and less expensive trial run than manufactured data.

In addition, both blind data and aggregate information are critical to market research and trend analysis through which individual firms and the industry as a whole better understand their customers and investors generally. Including aggregate information and blind data within the scope of Regulation S-P would unnecessarily burden the beneficial uses of such information without any corresponding enhancement to consumer privacy. To make clear that this information is not included within Regulation S-P, we encourage the Commission to state expressly under § 248.3(t)(2) that aggregate information and blind data are not "nonpublic personal information."

II. Initial Notice of Privacy Policies and Practices -- § 248.4.

Timing. G-L-B requires that the initial notice be given at the time the customer relationship is established.3 The proposed rules go further, however, and would require that financial institutions provide the notice "prior to the time that you establish a customer relationship." Taken literally, for broker-dealers the proposed rules likely would require that the detailed privacy notice accompany all new account application forms. This would increase the burden on financial institutions, both because they print many more application forms than are actually submitted and because a large percentage of new accounts are opened by existing customers. Moreover, providing the required notice before the customer relationship is established is not always practicable. For example, unaffiliated investment advisers often apply to open Schwab brokerage accounts on behalf of their advisory clients. It is not practicable for Schwab to monitor whether an adviser has properly delivered Schwab's privacy notice at the time of application, nor is it fair to burden the adviser with this responsibility.

Because financial institutions are prohibited from disclosing a new customer's nonpublic personal information until after delivering the required privacy notice, broker-dealers should be permitted to wait and send the privacy notice with the "welcome package" of information that typically includes the account agreement booklet. The welcome package is mailed after a new customer's application has been received, reviewed, and approved. Prospects who wish to compare financial institutions' privacy policies prior to establishing a customer relationship may still do so by asking to see their respective privacy policies or by visiting the firms' Web sites to view them online.

Electronic Delivery of Initial Notice. We agree that, going forward, posting a privacy policy somewhere on a Web site is insufficient notice. However, the burdens on electronic delivery of privacy policies should be no greater than those on paper delivery. Customers who receive paper copies of the notice are not required to "acknowledge receipt," and neither should customers who consent to receive the notice electronically.4 Typically, "acknowledging receipt" online implies that a firm is recording a customer's act of clicking on an "I agree," or similarly worded, button. There is no rationale for imposing these additional discriminatory steps and costs on electronic delivery. It should be sufficient for the privacy notice to be highlighted on a Web site where, for example, it is part of an account opening process and the customer can click on hypertext to view the entire notice and download or print it at the customer's option and convenience. If a firm permanently maintains its privacy notice on its Web site, and its online application process includes a prominently displayed link to the privacy policy, there should be no requirement that a customer must click-through the entire notice and "acknowledge receipt."5 Any additional burdens placed on electronic delivery beyond those placed on paper delivery should, at the very least, be discussed in the cost-benefit and Paperwork Reduction Act sections of the adopting release.

Multiple Account Holders. For accounts for which there is more than one account holder, the final rules should make clear that both the initial and annual privacy notices need only go to the primary account holder whose address is given at the time of the account opening, unless subsequently updated. Firms typically send account statements and other important information to only a single address, and privacy notices should not be treated differently. The additional burden imposed on firms to solicit and keep track of additional addresses and to mail out multiple privacy notices would be substantial.

III. Consumer "Consent or Direction" Exception to Notice and Opt Out Requirements -- § 248.11(a)(1).

Proposed Rule 248.11(a)(1) excludes from the notice and opt out requirements the disclosure of nonpublic personal information that a consumer directs a financial institution to make on the consumer's behalf. This exception appropriately reflects that customers routinely request that their broker-dealers disclose their nonpublic personal information to third parties. Broker-dealers, as the customer's agent, comply with these requests. It would be unnecessarily burdensome to subject customer-directed disclosures of the customer's own information to the new requirements of Regulation S-P. To provide clearer guidance, the adopting release should include examples that fall under this exception, such as:

These examples reflect routine practices at Schwab and other financial institutions, and imposing additional steps before enabling customers to direct where their information is sent would be inefficient and counter to those customers' interests.

In addition, Schwab and other financial institutions often enter into co-branding or co-marketing ventures with non-financial institutions to offer a wider array of products and services to their customers. When consumers register or subscribe for these co-branded products and services, they are informed that it is a joint offering of both companies and that the two companies will be jointly collecting or sharing the consumer's information in order to provide the product or service. One such example is Schwab's relationship with the portal Excite, which provides our customers with their own personalized home page as part of Internet access to Schwab. To avoid unnecessarily encumbering these beneficial relationships, an example should be included in the final rule clarifying that when consumers are informed about the joint sharing of consumer information prior to subscribing or registering, the consumer who then subscribes or registers thereby consents to the sharing of nonpublic personal information.

IV. Limits on Redisclosure and Reuse of Information -- § 248.12.

The proposing release requests comments on whether the rules should require a financial institution that discloses nonpublic personal information to nonaffiliated third parties to develop policies and procedures to ensure that the third parties comply with the limits on redisclosure of that information. The rules should not impose this additional burden on firms, which would substantially increase the cost of compliance with Regulation S-P, thereby making financial services more expensive for consumers. Confidentiality agreements with third parties, such as those required under § 248.9(a)(2), are enforceable in court and are further backed by the government's authority to enforce the regulatory limits on redisclosure and reuse. (An example would be the third-party printing vendors that almost all broker-dealers use to print customer statements.) These enforceable safeguards will sufficiently protect consumer information, with the additional safeguard suggested below.

The release also asks whether subsequent disclosures by a third party could be "lawful" if the financial institution is not a party to the subsequent disclosure. We believe that § 248.12(b) should be redrafted to state expressly that nonaffiliated third parties who receive nonpublic personal information under § 248.10 (processing and servicing transactions) may only use that information to perform the necessary services for the financial institution.6 This will further safeguard consumer information without imposing additional costs on financial institutions to monitor such third parties through difficult and expensive compliance procedures.

V. Limits on Sharing Account Numbers for Marketing Purposes -- § 248.13.

Section 248.13 broadly prohibits a financial institution from disclosing account numbers and passwords to nonaffiliated third parties for use in telemarketing, direct mail marketing, and e-mail marketing. This prohibition means that firms cannot disclose such information to nonaffiliated marketing companies, even if their customers otherwise would have consented to it (or not opted out). This protective provision, however, should be read in harmony with the exceptions under §§ 248.9 and 248.10. For example, some service providers perform multiple functions for a financial institution, such as distributing information about a firm's products and services along with required regulatory notices. (Print vendors are again an example; many firms bundle newsletters or product information together with customers' account statements.) Conceivably, this could be construed as involving a "marketing" function. Although such a service provider, acting as an agent of the financial institution, may receive customer account numbers, that information - like all customer information - is protected by strict contractual confidentiality provisions.

Subject to the safeguards such as those required under § 248.9(a)(2), there is no rationale for distinguishing service providers according to the service they provide as an agent of a financial institution, whether the service be classified as "marketing," customer communications, or transaction processing. Accordingly, we ask that an example or exception be included in the final rules clarifying that § 248.13 does not prevent financial institutions from disclosing account numbers to service providers subject to the protections under §§ 248.9 or 248.10.

VI. Scope and Rule of Construction -- §§ 248.1 and .2

Broker-dealers, investment companies, and registered investment advisers who are, or become, part of a financial holding company structure will need additional guidance about which financial regulator's privacy rules, including examples, will apply if the holding company chooses to have one overall privacy policy. The SEC and other financial regulators should include in their adopting releases an explanation of material differences, if any, among the financial regulators' final rules. The examples within one regulator's rules should be accepted as authoritative by the other regulators, especially if the examples are to be treated as safe harbors. To assure equal treatment among financial institutions, the Commission should deem the examples it provides as safe harbors if the other financial regulators deem their examples to be safe harbors. If the examples become safe harbors, the adopting release should make clear that the safe harbors are nonexclusive and do not raise any negative inferences regarding other factual situations or means of compliance.

VII. Effective Date.

The proposing release invites comment on whether November 13, 2000 gives financial institutions sufficient time to comply with the new rules. As discussed below in our comments on the cost-benefit analysis, we believe the Commission has underestimated the substantial work necessary for financial institutions to undertake the necessary internal data inventories, privacy policy revisions, systems changes, and internal controls to assure compliance. Moreover, for broker-dealers, quarterly account statements would be the most efficient and logical means to deliver both the initial and annual notices to existing customers. Requiring firms to mail new privacy notices on top of the large amount of year-end information customers already receive would not be effective. In fact, the proposed "transition rule" that would require firms to mail the initial notice to existing customers by December 13, 2000 is too early to allow firms to mail privacy notices with fourth quarter account statements.

To give financial institutions sufficient time to comply with the new requirements, and to establish a more reasonable time period and season for providing the initial and annual notices, we suggest that November 13, 2000 be a voluntary compliance date, with a mandatory compliance date set no earlier than May 14, 2001. Because privacy is a significant issue for consumers, competitive forces will push financial institutions to come into compliance as soon as reasonably possible.

VIII. Other Comments.

§ 248.3(g) - Definition of "consumer." Consumers, unlike "customers," only receive the required privacy and opt-out notice if the financial institution is going to disclose consumers' nonpublic personal information to a nonaffiliated third party not covered by one of Regulation S-P's exceptions. The distinction between consumers and customers protects individuals' privacy interests where those interests are at stake, without unduly burdening the financial institution with additional costs of providing notices to persons who have not established a continuing relationship.

Several clarifications of "consumer" would be helpful. First, the proposed definition includes the consumer's "legal representative." The adopting release should make clear that information about the legal representative - such as an investment adviser, person with power of attorney, or trustee - is part of the information of the consumer whom they represent. In other words, legal representatives are not themselves consumers.

Second, the example under § 248.3(g)(2)(ii) of who is not a consumer should be clarified. The proposed example excludes from the definition of consumer individuals who provide basic contact information in order to obtain a prospectus, brochure, "or other information about financial products." The example should also expressly cover visitors to a financial institution's publicly available Web site who provide basic information to indicate their agreement to the terms and conditions of using the Web site and accessing its content or to participate in online educational forums. The publicly available Web site is the digital analogue of paper brochures and other general written information or seminars about financial products and services. Web site visitors who do more than browse would be covered as consumers under the rules when they, for example, obtain a financial product or service from the financial institution.

Third, the example under § 248.3(g)(2)(iii) is somewhat confusing in describing the typical omnibus clearing broker relationship, which should be excluded from the definition of consumer. Restating the example using the terms "introducing broker" and "clearing broker" would help. Moreover, brokers who clear on an omnibus basis may receive the account numbers and transactional information of the introducing broker's customers in order to clear the transactions. The adopting release should explain that, unless the clearing broker receives identifying information of the customer such as name or social security number, an omnibus introducing broker's customers are not consumers of the clearing broker.7

§ 248.3(d) - Definition of "collect." Under the proposed rules, financial institutions are required to provide notice of, among other things, the categories of information that they "collect." The proposed definition of collect is "to obtain information that is organized or retrievable on a personally identifiable basis," irrespective of source. Thus, only information that a firm maintains in a database or paper filing system that is retrievable by name, social security number, or some other personal identifier falls within the definition of collect. The final rules should make clear that "collecting" does not encompass information such as the names of payees on customer checks or the names of persons to whom a customer directs wired funds. Collecting statistical or categorical information about prospects (e.g., how or from where a prospect was referred) should also fall outside the scope of the definition, unless the information can be retrieved by name or other personal identifier.8

§ 248.6 -- Simplified Initial and Annual Notices. As a burden-saving device, the "simplified notice" provision under § 248.6(d)(4) is appropriate and justified for those firms who do not intend to disclose nonpublic personal information to affiliates or nonaffiliated third parties. The final rules should include a similar example relieving firms of the burden of explaining the opt-out right under §§ 248.6(a)(6) and 248.8(a) if a firm has no intention of disclosing nonpublic personal information to third parties outside the scope of the exceptions under §§ 248.9, .10, and .11. It would be confusing and meaningless for customers to be informed about an opt-out right and procedure if a firm is not going to disclose nonpublic personal information to third parties not covered by one of the exceptions.

IX. Cost-Benefit Analysis and Paperwork Reduction Act (PRA) Burden.

In our view, the cost-benefit and PRA sections of the proposing release grossly underestimate the costs and burdens associated with complying with Regulation S-P. The new financial privacy regulations will require significant changes to existing database systems and controls, and will require significant changes to financial institutions' internal procedures. These costs are much higher than the estimated costs set forth in the proposing release.9

We are still in the process of projecting the extent of the necessary database and systems changes, and the results of that work are dependent on the final rules the Commission adopts. The costs of complying with the rules will be substantially greater, for example, if the Commission and other financial regulators determine to adopt the very broad proposed definition of "nonpublic personal information" that goes well beyond "financial information" as we understand that term is used in G-L-B itself. The costs will also be substantially greater if the Commission requires financial institutions to adopt policies and procedures to "ensure" that a nonaffiliated third party that receives nonpublic personal information complies with the § 248.12 limits on redisclosure and reuse. Whether Schwab and other financial institutions will be required to build costly systems to accommodate opt-out requests in large measure depends on how the Commission clarifies the opt-out exceptions, including the scope of the "with the consent or at the direction of the consumer" exception under § 248.11(a)(1).

Depending on the final rules, implementation and compliance for a large firm such as Schwab would be at least $1 million and likely several million dollars for a vast project involving changes to multiple systems and databases, developing new access and information tracking controls, and firm-wide training. This reflects the hundreds of hours of personnel time that will be required from technology, compliance, audit, legal, marketing, and customer services staff. We also estimate that it will cost Schwab an additional $210,000 per year for preparing and mailing the initial and annual privacy notices, and any opt-out notices or interim updates (an average of 1.5 mailings per year to over 6 million account holders). This assumes that we could include the privacy materials with already scheduled regulatory mailings such as quarterly account statements.


The new financial privacy regulations will have a major impact on the way financial institutions treat customer data and should have the positive effect of increasing privacy protection for consumers. The Commission and other financial regulators, however, should tailor the final rules and include the examples and clarifications we have set forth above. These clarifications will ease the burden on financial institutions and accommodate the routine exchange of information between consumers and their financial institutions. These practices are far removed from the sale and misuse of personal information for unsolicited third-party marketing that G-L-B was intended to prevent. Over the past few years, the financial services industry has taken great strides to embrace database and Internet technologies to enhance the availability, timeliness and quality of financial products and services for retail customers. It would be unfortunate if, in the name of consumer privacy, the Commission inadvertently curtails these pro-investor and pro-consumer advances.

Very truly yours,

W. Hardy Callcott
Senior Vice President and General Counsel
Charles Schwab & Co., Inc.

cc: Hon. Arthur Levitt
Hon. Norman S. Johnson
Hon. Isaac C. Hunt, Jr.
Hon. Paul R. Carey
Hon. Laura S. Unger
David Becker
Annette Nazareth
Caite McGuire
George Lavdas
Penelope Saltzman

1 Blind data includes account information or transactional histories without account number, names, addresses, or other personal identifiers.
2 Gramm-Leach-Bliley Act, § 509(4).
3 Id. at § 503(a).
4 See Proposed Regulation S-P, § 248.4(d)(5)(i).
5 The final rules should include an example indicating that a consumer who is doing business with a firm electronically, such as applying to open an account online, is deemed to have consented to electronic delivery of the privacy notice, provided that the firm informs the consumer of this as part of the online application process.
6 Similarly, nonaffiliated third parties that receive nonpublic personal information under § 249.9 (service providers and joint marketing) may not use that information for their own purposes unrelated to servicing the financial institution.
7 Under this same rationale, transfer agents are excluded from Regulation S-P.
8 These limitations on the definition of "collect" are consistent with the scope of the Government's own responsibilities under the Privacy Act.


9 The key estimates in the proposing release are: preparing or revising a privacy notice (average of 40 hours for a broker-dealer at a personnel cost of $4,950), mailing the notices ($0.02 per notice), and revising internal policies and procedures (average of 30 hours at a personnel cost of $4,500).