ABN AMRO North America, Inc.
135 South LaSalle Street
Chicago, Illinois 60603-9135
March 31, 2000
Jonathan G. Katz
Securities & Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
Re: File No. S7-6-00
Ladies and Gentlemen:
ABN AMRO North America, Inc. ("AANA") appreciates the opportunity to comment on proposed Regulation S-P, privacy rules published under Section 504 of the Gramm-Leach-Bliley Act ("GLBA"). We welcome the balanced approach set forth in the proposal. There are, however, a few areas where some modification or additional clarification would further ensure an appropriate cost-benefit balance is achieved.
AANA, which is among the largest foreign bank holding companies in North America with $162 billion in assets and 18,000 employees, is a subsidiary of ABN AMRO Bank N.V. ("Bank"). The Bank is headquartered in Amsterdam, the Netherlands, and as of June 30, 1999, it had over $480 billion in assets, approximately 105,000 employees, and a network of approximately 3,568 offices in 76 countries and territories.
The U.S. operations of the Bank include, but are not limited to, ABN AMRO Incorporated (a full service brokerage firm that is a member of the NASD and all national exchanges), ABN AMRO Investment Services, Inc. (which conducts retail brokerage activities on bank premises), ABN AMRO Asset Management (USA) Inc. (a registered investment adviser), LaSalle Bank National Association and LaSalle Bank, F.S.B., located in Chicago; Standard Federal Bank, located in Troy, Michigan; and European American Bank, located in Uniondale, New York. These bank subsidiaries maintain approximately 390 offices in Illinois, Michigan, Indiana, Ohio, and New York.
NONPUBLIC PERSONAL INFORMATION
The GLBA defines "nonpublic personal information" to include, among other things, "personally identifiable financial information," but it does not define the latter term. As proposed, the rules generally would treat any personally identifiable information as financial if the financial institution obtains the information in connection with providing a financial product or service to a consumer. The Commission seeks comment regarding whether further definition of "personally identifiable financial information" would be helpful. For the reasons set forth below, AANA encourages the Commission to adopt a more narrow definition of "personally identifiable financial information": one that would include only information that describes a consumer's financial condition (e.g., assets, liabilities, income, account balances, transaction history, etc.).
As proposed, Regulation S-P appears to broaden the scope of this term beyond what was intended in the GLBA. The fact the GLBA specifically contains the term "financial" information indicates that it was meant to refer to specific account information, balances, loan amounts, etc. Simply because information is obtained as a result of a person having an account at a financial institution should not, in and of itself, make all such information "financial." A customer's name, address, phone number, and other similar information is "personally identifiable information," but it is not intrinsically "financial." To label such identification information or the fact that a customer relationship exists as "financial information" expands the reach of this term beyond Congress's intent because this information in no way describes an individual's financial condition.[1]
PUBLICLY AVAILABLE INFORMATION
The GLBA expressly excludes from the definition of "nonpublic personal information" any "publicly available information." The Commission proposes to treat as publicly available any information that could be obtained from one of the public sources listed in the rules. AANA fully supports this position. Considering information public only if a financial institution could prove that it actually obtained[2] the information from a public source would require financial institutions to erect costly processes and procedures to track the actual source of information they hold and surely would lead to needless litigation.
TIMING OF INITIAL NOTICE
The proposed rule states that notice must be provided to an individual "prior to" the time a customer relationship is established. The GLBA, however, provides that notice must be provided "at the time" a customer relationship is established. We encourage the Commission to adopt language that is consistent with "at the time."
HOW TO PROVIDE INITIAL NOTICE
The Commission asks for comment on various aspects of how to provide notice. AANA fully supports the Commission's position that notice is given if it is provided in writing or in electronic form. It is reasonable to allow a financial institution to fulfill the notice requirement if a notice is hand-delivered, mailed to the last known address of the consumer, or posted on an electronic site where the consumer must acknowledge receipt before obtaining a financial product or service.
AANA also supports the Commission's view that, under certain circumstances, it should be permissible to allow a customer to choose to receive privacy notices within a reasonable time after the customer relationship is established in order not to delay the transaction.
Under certain circumstances, the benefit of an annual disclosure would be outweighed by the cost imposed on financial institutions. For example, an annual notice should not be required for financial products or services that do not require regular, on-going communication with the customer. An initial notice should be sufficient.
The Commission also should provide an exemption from the annual disclosure requirement for customers who have previously exercised their right to opt-out. The privacy notice should not be treated differently than other mailings, and therefore, a customer's request to be shielded from the numerous mailings required per account also should extend to the privacy notice.
With respect to determining when a customer relationship is terminated, AANA agrees with the Commission. A relationship should not be considered continuing if twelve months pass with no communication between the financial institution and the customer.
INFORMATION TO BE INCLUDED IN INITIAL AND ANNUAL NOTICES
As proposed, the information required to be disclosed concerning a financial institution's policies and practices will create an unmanageable product and an undue burden in gathering, printing, and mailing such a sizeable notice to customers. AANA is concerned that the requirements will result in overly detailed and extensive disclosures that consumers may not read or be able to fully understand. The purpose of the GLBA would then be lost. In addition, because of the detail of information required, it would be difficult to avoid a situation where a technical or minor change would require a revised notice and mailing. AANA proposes that the disclosure of categories of nonpublic information collected and disclosed be sufficient if a financial institution provides the information either by source, by content, or if the financial institution chooses, by a combination of both. AANA also proposes that the regulations provide that the disclosure of categories of nonaffiliated third parties with whom information is disclosed be satisfied by either providing information based on the type of products offered by the entities, or if the financial institution chooses, by a combination of both.
AANA agrees that the disclosure requirement for sharing of information with nonaffiliated third parties under the exceptions provided in the GLBA should be satisfied by a statement that the financial institution shares information with nonaffiliated third parties as permitted by law.
Finally, AANA would like to comment on the disclosure of a financial institution's policies with respect to protecting the confidentiality, security and integrity of nonpublic information. In a large multinational organization, it would be difficult to address everyone who may have access to information and to address all circumstances under which information may be accessed. AANA recommends that the final rule only require a general statement as to a financial institution's security practices including examples of limitations or measures an institution takes to protect against unauthorized access to information.
OPT-OUT RIGHTS FOR JOINT ACCOUNTS
The Commission requests comment on how the right to opt-out should apply in situations in which there is more than one party to an account. AANA recommends that the Commission allow financial institutions to have the flexibility to apply the opt-out to joint accounts as they see fit. Applying a general rule is difficult considering the many unique circumstances that surround various products, services and customer relationships. In some cases, requiring an opt-out for all beneficiaries may be counter to the interests of the account holder and the regulations implementing customer confidentiality.
REASONABLE OPPORTUNITY TO OPT-OUT
AANA believes that a thirty-day opt-out period is a reasonable time frame for notices sent by mail. AANA requests that the Commission provide an example in the context of transactions conducted using an electronic medium. Many AANA customers choose to engage in online transactions. These customers and other consumers elect to receive various communications from AANA through electronic mail. By providing products, services, and notifications online, AANA also should be able to provide its opt-out notice to these consumers and customers through electronic mail. AANA recommends that the time frame to opt-out through an electronic notice be consistent with the time frame given for a notice sent by regular mail.
FORM AND METHOD OF PROVIDING THE OPT-OUT NOTICE
The proposed regulations provide examples of what the Commission considers to be reasonable means to opt-out. AANA generally supports the proposed form and method of providing opt-out notices to customers. In particular, we support the Commission's suggestion that customers be able to exercise their right to opt-out by providing a written request to the financial institution.
SERVICE PROVIDERS AND JOINT MARKETING
AANA generally agrees with the disclosure and contractual requirements with respect to joint marketing agreements. We do, however, respectfully request the Commission to revise the proposed regulations to eliminate the disclosure requirements with respect to agents, processors, and service providers. One objective of the GLBA is to allow consumers to choose not to have their information shared with third parties, which could result in the receipt of unsolicited information. With respect to joint marketing arrangements, it is reasonable to notify a consumer about a product or service the financial institution will be marketing. It is not, however, necessary to fully disclose to a customer the arrangements a financial institution has with service providers and, in fact, such disclosure may confuse customers. The regulations themselves provide that servicing activities are exempt from the opt-out and disclosure requirements.
PROPERLY AUTHORIZED CIVIL, CRIMINAL, AND REGULATORY INVESTIGATIONS
AANA believes it is appropriate to allow institutions to disclose nonpublic information in order "to comply with a properly authorized civil, criminal or regulatory investigation, or a subpoena or summons by federal, State or local authorities or self regulatory organizations." We, however, question including the term "properly authorized." Financial institutions do not often have the ability and should not be required to determine whether an investigation, subpoena, or summons is "properly authorized." Accordingly, AANA urges the Commission to delete "properly authorized" from the proposal.
SHARING OF ACCOUNT NUMBERS FOR MARKETING PURPOSES
The Commission has requested comment on whether the proposed rules should outline exceptions to the prohibition on sharing of account numbers for marketing purposes. Initially, AANA recommends that financial institutions be allowed to disclose account numbers and similar forms of access numbers if a customer does not opt-out.
The Commission also solicited comment on whether the prohibition should apply to the disclosure of encrypted account numbers if the financial institution does not provide the marketer with the key to decrypt the number. Disclosure under these circumstances is appropriate due to the safeguards in place. AANA, however, requests clear guidance from the Commission to verify that a financial institution may provide account numbers or a similar form of access numbers or access codes to nonaffiliated third party marketers in encrypted form if the financial institution does not provide the key to decrypt the number. This will enable financial institutions to continue to serve customer needs yet maintain the confidentiality of customer account numbers.
AANA appreciates the efforts put forth by the Commission to implement the privacy provisions of the GLBA. We thank the Commission for the opportunity to comment on this important issue, and for their consideration of our comments.
Christine A. Edwards
Executive Vice President
Chief Legal Officer and Secretary
[1] 145 Cong. Rec. S13,902-03 (daily ed. Nov. 4, 1999) (Statement of Sen. Gramm indicating that Congress only intended the term "personally identifiable financial information" to include information that describes a consumer's financial condition).
[2] Several banking agencies (other than the Federal Reserve Board, which proposed the same definition as the Commission) also have sought comment on an alternative definition that would require a financial institution to actually obtain the information from a public source before it would be considered "publicly available information." 65 Fed. Reg. 8770 (Feb. 22, 2000).