March 31, 2000
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Re: 16 CFR Part 313
Privacy of Consumer Financial Information
Dear Madam or Sir:
Navy Federal Financial Group (NFFG) appreciates the opportunity to comment on the Federal Trade Commission's (FTC) proposal to add Part 313 to its rules and regulations. We recognize that maintaining our customers' financial privacy is critical to preserving our customers' trust and our long-term success.
NFFG is a wholly-owned subsidiary of Navy Federal Credit Union, which has over $11 billion in assets and 1.9 million member-owners worldwide. Federal credit unions are not-for-profit financial institutions regulated by the National Credit Union Administration (NCUA). Credit unions have historically enjoyed a cooperative organizational structure that allows them to affiliate with credit union service organizations (CUSO) through part or full ownership arrangements. CUSOs enable credit unions to provide certain necessary or desired financial products and services to members that are not otherwise permissible. Consequently, credit unions can compete with banks, which are not similarly restricted in their activities. Some activities CUSOs may engage in include the sale of securities and insurance products, mortgage origination and servicing, data processing, and trust services. There is a close affiliation between a CUSO, its owner-credit unions and the members of those credit unions. Credit union members perceive the CUSO as an affiliate of the owner-credit union.
NCUA limits the amount of money a credit union may invest in a CUSO. This limitation, which corresponds to a credit union's asset size, effectively prohibits many small credit unions from owning a substantial percentage of a CUSO. Typically, several credit unions will band together to form a CUSO, each with a small share of ownership. Under the FTC's proposed rule, many of these credit unions will be subject to burdensome privacy requirements because they own less than 25 percent of the CUSO and, therefore, do not "control" the CUSO.
The FTC should modify its definition of the term "control" to recognize the unique relationships between credit unions and their CUSOs. Specifically, "control" should be broadened to include credit unions with any ownership interest in a CUSO.
It is extremely important that NCUA, the FTC, and the Securities Exchange Commission coordinate their respective privacy rules to recognize the unique nature of CUSOs and their relationships with their credit union-owners. Information must be allowed to pass between CUSOs and their owner-credit unions with the same acuity as it passes within banks. Any inconsistency will place credit unions at a serious competitive disadvantage.
Title V, Subtitle A, of the Gramm-Leach-Bliley Act (GLB Act) governs the disclosure of nonpublic personal information while the FTC's proposed part 313 would regulate certain financial institutions' disclosure of nonpublic personal information. The proposed regulation inadequately defines nonpublic personal information. The proposal defines nonpublic personal information as "personally identifiable financial information," but makes no attempt to explain what makes the information personally identifiable. The definition of "personally identifiable financial information" fails to recognize that individual identity is an essential element of nonpublic personal information.
To comply with the GLB Act, the regulatory definition of "personally identifiable financial information" must include an element that makes the financial information personally identifiable. For example, information such as name, address, social security number, telephone number, account number, e-mail address, etc. can be used to identify an individual. Therefore, such information would be considered personally identifiable and, consequently, nonpublic personal information when used alone or in combination with other financial information that the financial institution obtains from consumers.
The FTC requested comment on its use of examples in the proposed rule. Generally, the non-exhaustive examples used in the proposed rule are beneficial, especially if there will be no staff commentary to part 313. It would be helpful to add examples to §§313.9 and 313.10 to clarify how these provisions apply to the various third party relationships financial institutions maintain. Specifically, examples illustrating disclosure of nonpublic personal information "to perform services for you or functions on your behalf," "to effect, administer or enforce a transaction," and "to service or process a financial product or service" would clarify the applicability of these sections.
The proposed §313.6(a)(8) requires that a financial institution include in its initial and annual notices the credit union's policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information. The financial and information systems industries have developed numerous techniques and schemes to protect information. Many are used by financial institutions. Further, we understand that the FTC is in the process of preparing standards relating to administrative, technical, and physical safeguards. Any standard promulgated by the Commission should allow for future advances in technology to ensure the safest practical environment for personal information. We suggest the Commission provide examples in the final rule of how these standards should be incorporated in financial institutions' initial and annual notices. Additionally, we recommend that the FTC prepare an appendix to part 313 containing non-mandatory model statements.
The FTC offers for comment two definitions of "nonpublic personal information," alternatives A and B. Alternative A defines this term as information that is derived from public sources while Alternative B defines this as information that could be derived from public sources even if it is obtained from a financial institution's own records. We urge the Commission to consider defining "nonpublic personal information" as depicted in Alternative B. This alternative is more practicable.
The GLB Act (§503) states that disclosure of an initial notice is required, "At the time of establishing a customer relationship." The FTC's proposal changes this requirement to "prior to the time that you establish a customer relationship." The Commission should modify its proposed rule to reflect the same timing mandated by the Act.
We would oppose a requirement that financial institutions develop policies and procedures to make sure that non-affiliated third parties comply with limits on redisclosure of information. Even if permitted to audit the practices of these third parties, the aggregate costs of performing compliance exams would be extraordinary. NFFG requires confidentiality agreements in all of its contractual relationships. Such agreements should be sufficient to guard against unlawful redisclosure of customers' information.
Provided the final rule allows financial institutions to provide notices to all owners of an account at the account's addresses, six months following the adoption of the final rule is sufficient time for NFFG to comply. Otherwise, additional time would likely be necessary.
We plan to communicate electronically with our customers through our web site. Our web site provides a secure and controlled environment for transacting business and communicating electronically. NFFG does not maintain a database of customers' e-mail addresses. Regular maintenance and updates to e-mail address databases would be very costly. We urge the Commission to allow financial institutions to deliver electronic notices to customers via secure interactive communications on their web sites. We oppose the Agency's position in the supplementary information to this proposed rule that states, "Electronic delivery generally should be in the form of electronic mail so as to ensure that a consumer actually receives the notice."
We believe the FTC's position is too narrow and will result in electronic communications between financial institutions and their customers that are less secure and less effective than today's web site communication technologies. With the proliferation of free and trial e-mail accounts, customers are likely to have multiple e-mail addresses and frequent address changes. Customers may not check all of their e-mail addresses on a regular basis and overlook important messages from their financial institutions. For those customers who want an "electronic relationship" with their financial institution, we believe secure web site communications are unquestionably the better approach.
If you have any questions concerning our comments, you may contact me at (703) 206-1300.
Dennis J. Godfrey