AMERICAN INTERNATIONAL GROUP, INC.
70 PINE STREET, NEW YORK, N.Y. 10270
ERNEST T. PATRIKIS
SENIOR VICE PRESIDENT AND
TEL NO.: 212 770-5426
FAX NO.: 212 425-2175
March 31, 2000
Donald S. Clark
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Re: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313-Comment
Information Management & Services Division
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: Docket No. 2000-13
Jonathan G. Katz
Securities and Exchange Commission
450 5th Street, N.W.
Washington, D.C. 20549-0609
Re: File No. S7-6-00
Office of the Comptroller of the Currency
250 E Street, S.W.
Washington, D.C. 20219
Attention: Docket No. 00-05
Ms. Jennifer J. Johnson
Board of Governors of the Federal
20th and C Streets, N.W.
Washington, D.C. 20551
Docket No. R-1058
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428
Dear Ladies and Gentlemen:
American International Group, Inc. ("AIG") appreciates the opportunity to comment on the proposed regulations implementing the privacy provisions contained in Title V of the Gramm-Leach-Bliley Act (the "Act"). The complexities involved in this process are well known and we applaud the efforts of the federal agencies to work cooperatively with each other in implementing regulations.
AIG is the leading U.S.-based international insurance organization and the largest underwriter of commercial and industrial coverages in the United States. Its member companies write property, casualty, marine, life and financial services insurance in approximately 130 countries and jurisdictions, and are engaged in a range of financial services and asset management businesses. At AIG, our longstanding success has been built upon providing our customers with reliable, high-quality, and competitively priced financial products and services. An important component of our success is recognizing the need to protect the privacy of our customers. Accordingly, AIG companies have adopted numerous policies to ensure the security, confidentiality, integrity, and access to our customers' personal information and our commitment in this area, irrespective of legislative or regulatory action, will continue to be strong.
At the same time, we fully understand growing public demands, especially in the growing internet age, for increased government involvement to protect individual privacy. This is a worthwhile objective that should be explored by government. However, as governments at all levels begin to address privacy matters in a more comprehensive manner, we must never lose sight of the simple fact that, in all consumer protection initiatives, the consumer is the intended beneficiary. Consequently, we must be vigilant to ensure that privacy protections do not unduly diminish important consumer benefits by inhibiting the development of new products, limiting competition, or imposing excessive compliance costs that raise prices beyond a consumer's reach. Indeed, it could not have been Congress's intent to protect consumers in a manner that would raise prices, constrain consumer choice, and diminish access to important financial services and products.
The attached note to this letter sets out some issues that should be addressed in developing final rules. AIG believes that, in addressing these issues, the federal agencies implementing the Act will go a long way towards providing consumers maximum privacy protections while avoiding some of the most detrimental unintended consequences of such protection. At AIG, we remain strongly committed to protecting privacy while enhancing consumer benefits and look forward to the publication of final regulations that strengthen our ability to achieve these goals.
Ernest T. Patrikis
Gramm-Leach-Bliley Act Privacy Regulations
1. Regulations Must be Clear, Consistent, and Uniform.
The language of the Gramm-Leach-Bliley Act (the "Act") clearly demonstrates Congress's intent to adopt consistent rules in a manner sufficiently flexible to cover an extraordinarily diverse financial services industry. Flexibility is provided by apportioning enforcement responsibilities among regulatory agencies having historical jurisdiction over a particular type of financial institution. This approach seeks to ensure that a regulator will have sufficient knowledge and expertise about the operations and practices of the type of financial institution under its jurisdiction and that privacy regulations are applied in a reasonable manner. At the same time, Congress did not intend to apply different standards to different types of financial institutions. To prevent this, Congress explicitly directed regulators to work cooperatively in developing comparable and consistent requirements.
Therefore, the adoption of clear, consistent, and uniform regulations across regulatory agencies should be a top priority. Clarity is necessary to determine a financial institution's obligations under the Act while ambiguity will foster uncertainty and drive up compliance costs. However, clarity is just the first step; regulations also must be consistent across agencies to ensure that every financial institution is playing by the same rules. More specifically, where the agencies are adopting similar terms and principles, the regulations should be issued uniformly, down to the letter, thereby ending any debate as to whether one agency meant something different than another in implementing the Act.
Our review of the proposed regulations issued to date indicates that government regulators have in fact done an outstanding job in working to make regulatory language as uniform as possible. We urge that final rules continue adhering to this principle.
2. Regulations and Remedies Must Be Enforced Uniformly.
Equally if not more important than clear, consistent, and uniform regulations is the need for uniformity in enforcement. A great injustice will occur if the regulatory treatment of one financial institution's privacy practices differs from another's only with respect to how those practices are enforced by government regulators. Similarly, the remedies applied by the respective regulatory authorities should be uniform. For example, even where the rules appear clear, new questions are bound to surface in the actual implementation of the privacy regulations. In working through these questions, if a financial institution inadvertently finds itself in non-compliance with the Act, the institution should not be subject to fines from one agency while a similarly situated financial institution under the jurisdiction of another agency is merely asked to take corrective action.
Three things are certain to occur if enforcement is not applied uniformly. First, the financial sector receiving more lenient regulatory treatment will gain an unfair competitive advantage over financial sectors receiving more stringent treatment. Second, the resulting competitive imbalance between financial sectors will reduce competition. Third, consumers will suffer due to the unequal and inconsistent protection of their personal information and the detrimental impacts of reduced competition.
To avoid these harmful results, we urge regulators to maintain a continuing working relationship to ensure that the rules are enforced uniformly across all financial sectors.
3. Precise Definition Needed of the Term "Control".
The draft regulations essentially utilize a two-pronged approach in defining the term "control". First is the adoption of a 25 percent ownership interest in the affiliate as a proxy for control. Second is the use of a "control-in-fact" test.
The preferable approach would be for all of the agencies to establish a bright line test for ascertaining control. A precise test would greatly simplify the process for determining whether related entities are affiliates and would facilitate the streamlining of operational systems to provide required notices and implement consumer opt-out requests at a much lower cost than under an indeterminate standard.
4. Greater Latitude is Needed in Providing Initial Notices to Customers for Certain Transactions.
Section 503 of the Act requires a financial institution to disclose its privacy policies and practices "at the time of establishing a customer relationship" with a consumer. Congress delegates to the agencies through regulation the authority to define "time of establishing a customer relationship," but makes clear in Section 509(11) that the term shall "in the case of a financial institution engaged in extending credit directly to consumers to finance purchases of goods and services, mean the time of establishing the credit relationship with the consumer."
The proposed rule requires notice to be provided "prior" to the time a customer relationship is established. Assuming arguendo that the law requires notice prior to the establishment of a customer relationship, the proposed rule notes that there may be circumstances where it is impractical to provide prior notice. Accordingly, exceptions are provided to permit subsequent notice within a reasonable time. However, the exceptions are too narrowly drawn and completely ignore Congress with respect to certain transactions related to the extension of consumer credit.
For example, with respect to insurance premium finance companies, a consumer has no contact with the financial institution until the point in time where the financial institution extends credit. Consequently, it is impossible to deliver the privacy notice at any time other than the delivery of the notice of acceptance (an "NOA"). Prior to delivery of the NOA, neither party to the contract is legally bound. Simply stated, the issuance of the NOA is the time of establishing a credit relationship and requiring prior notice on privacy policies is completely contrary to congressional intent and the letter of the law. Consequently, an additional exception should be provided.
5. More Time Should be Allowed to Provide Required Notices to Existing Customers Following the Effective Date.
The proposed rule requires that after the effective date, a financial institution has 30 days in which to send to all existing customers initial notices or other required notices under the Act. While we agree with the need to provide consumers with information concerning their privacy rights as soon as possible, this may be impractical in numerous situations. Customer lists change daily and obtaining current information on the status of such lists for a particular day can be time consuming. Thus, notice within 60 days would be a more realistic and appropriate timeframe.
6. Definition of Financial Institution.
In discussing the definition of the term "financial institution," the Federal Trade Commission ("FTC") invited comments on the treatment of entities that would otherwise be covered financial institutions but have no "consumers" or do not establish "customer relationships." Moreover, an example presented by the FTC suggested that a covered institution would have to be "significantly engaged" in financial activities to be covered under the Act. Proposed 16 CFR § 313.3(j)(2). A logical extension of this approach would be to create a de minimis exception from coverage under the Act and exclude companies whose consumer component represents a negligible amount of their entire business (e.g., less than one percent of all accounts). For example, if a company has 200,000 accounts and only 1,000 are consumer accounts, that company should not be covered under the Act.