Office of the Comptroller of the Currency
250 E Street, SW Room H-159
Washington, DC 20219
Attention: Docket No. 00-05
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve System
20th and C Streets, NW
Washington, DC 20551
Attention: Docket No. R-1058
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Becky Baker, Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
File No. S7-6-00
Robert E. Feldman, Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Manager, Dissemination Branch
Information Management Services Division
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2000-13
Re: Privacy of Consumer Financial Information
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA)1 is pleased to offer the following comments on the interagency proposal to implement the consumer financial privacy provisions of the Gramm-Leach-Bliley Act (GLB).
The financial privacy provisions of GLB are highly complex, and the ICBA strongly encourages the agencies to be as flexible as possible in the final regulations. The agencies should not add requirements beyond those specified in the statute, especially with respect to privacy notices. The ICBA also strongly urges the agencies to ensure that banks are provided an adequate transition phase in order to implement the requirements properly. Too little time will likely result in mistakes that would be a disservice both to banks and their customers.
Nonpublic Personal Information; Publicly Available. The ICBA supports the Alternative B definition of "publicly available." Information available in the public domain should be defined as publicly available regardless of how it is received by the bank. Any other definition would require a bank to track the source of each bit of information in its possession, a nightmarish administrative burden. The effect of the more restrictive Alternative A is contrary to the statute, which clearly contemplates that some information would be considered publicly available.
Personally Identifiable Financial Information. The agencies' interpretation of "personally identifiable financial information" gives little effect to the word "financial" in the statute and hence may be too broad. In any case, community banks are unlikely to share even nonfinancial information about customers as a matter of practice and in keeping with customer expectations of confidentiality.
Consumer vs. Customer. The proposal's distinction between consumers and customers, and the circumstances under which each is entitled to receive a privacy notice, is appropriate and should be retained in the final rule. This distinction also helps to strike the right balance between burden and disclosure by not requiring banks to provide notices to consumers with whom they do not have a continuing relationship unless the bank plans to share nonpublic information.
Initial Privacy Notice. The ICBA encourages additional flexibility regarding when the initial notice must be furnished. The statute specifies the notice be furnished at the time a relationship is established, not "prior to" as required in the proposal. The final rule should follow the statute. Requiring the initial privacy notice before an account relationship is established may unnecessarily slow down customer service and inconvenience consumers. The final regulation should also recognize instances when it is appropriate to furnish the initial notice after the account relationship is established, such as when opening accounts over the telephone, fax or mail (similar to Truth in Savings requirements).
Annual Privacy Notice. Annual privacy notices need not be furnished to customers whose accounts are dormant. The ICBA recommends that bank policy define when an account is considered dormant. This allows banks flexibility to craft a policy on dormancy that fits the bank's own particular needs and circumstances (while still complying with state law). For ease of administration, banks should be able to apply their own policy on dormancy to all accounts, not just deposit accounts. In addition, banks should be able to honor customer requests not to receive correspondence, including privacy notices.
Contents of the Privacy Notice. The information the proposed rule requires the privacy notice to include is quite extensive and more detailed than GLB requires. The disclosures required by the statute are already detailed and complex. The ICBA strongly recommends that the agencies make the notice as simple as possible and only require the information mandated by the statute. Notices that are too detailed and complex will become less meaningful and consumers will be less likely to read them, defeating the purpose of the legislation. The more detail required, the more potential there is for inadvertent error by the bank, and confusion for the customer. Finally, the more detailed the notice, the more likely banks will have to continually provide revised notices as circumstances change or they contract with a new service provider or business partner. Offering a new product or service should be based on business considerations, not artificially governed by regulatory burden and compliance costs.
Model Privacy Notices. The ICBA very strongly urges the agencies to provide model notices or model language that banks can use in developing their own privacy notices to ensure they are compliant. This is especially critical for smaller banks that lack in-house resources available to larger banks such as extensive compliance departments, personnel devoted full time to privacy issues and compliance, or in-house counsel.
Joint Accounts. For joint account holders, banks should be permitted to provide notice to one account holder, consistent with other regulations (such as Truth in Lending), and in keeping with normal industry practice. Likewise, if one joint account holder opts out, the bank should be permitted to apply the opt-out to the entire account.
Opt-Out. The ICBA agrees that the examples of methods to opt out in the proposed rules are appropriate and that customers should not be required to draft a letter to the bank in order to opt out. We also agree that 30 days after the initial privacy notice has been sent is a reasonable time to require the bank to wait to give the customer an opportunity to opt out. For ease of administration, this should be a uniform time frame for all accounts, whether communication with the customer is by mail or electronically.
Exceptions to the Notice and Opt Out Requirements. The ICBA believes that agencies have misconstrued the statute and inappropriately applied the full disclosure and contract requirements intended for joint agreements to outsourcing arrangements where the third party agent, processor or service provider is performing operational functions on behalf of the bank. GLB exempts routine outsourcing and servicing from both the notice and opt out requirements. Accordingly, the full disclosure and contract requirements should only apply to joint agreements between nonaffiliated financial institutions.
A contrary reading would have a disproportionate effect on community banks, which, because of their small size and finite resources, frequently turn to outsourcers who can perform functions on their behalf more efficiently than they could undertake in-house. The agencies' interpretation imposes additional costs on community banks that are not warranted, particularly when no benefit will be realized by consumers, since they cannot opt out of operational outsourcing arrangements.
A bank should not be required to state in its privacy notice that it makes "disclosures to nonaffiliated third parties as permitted by law" when it relies on one of the processing, servicing or other exceptions to the notice and opt out provided by GLB. Notice in these instances is explicitly exempted by the statute. Moreover, to avoid unnecessarily raising apprehension in customers, banks may find it necessary or prudent to provide details about what disclosures are permitted by law. This will result in more complex, confusing and lengthy notices, again with no benefit to consumers since there is no right to opt out in these instances.
Third Party Compliance. Banks should not be charged with responsibility to oversee the use of information after it has been legitimately provided to third parties. Some banks may voluntarily choose to take measures to reaffirm the third party's commitment to confidentiality, depending on the bank's particular circumstance and its relationship with the third party. Banks generally take great care in selecting high-quality, trusted vendors, and can enforce any breach of a confidentiality agreement that occurs. A regulatory requirement that banks conduct reviews, audits, and/or some form of examination of third parties is unduly burdensome and beyond the scope of statutory requirements.
The agencies should also clarify that a third party who receives information from a financial institution may disclose it to others in accordance with the service provider, processing or other exceptions explicitly delineated in the statute.
Prohibition on Sharing Account Numbers. The ICBA urges the agencies to clarify that the prohibition on sharing account numbers for marketing purposes does not prevent a data service bureau that prepares and mails customer account statements for the bank from also inserting statement stuffers that contain marketing information.
Date for Mandatory Compliance with the Regulatory Requirements. The agencies should use the authority granted to them by GLB and extend the transition period between the issuance of a final rule and mandatory compliance. The ICBA recommends that the rule become effective six months after issuance with compliance not mandatory until 12 to 15 months after the final rule is issued. The additional time is essential to give banks adequate time to understand the nuances of this complex new regulation, craft accurate privacy notices, revise other forms as necessary, implement necessary computer system and policy and procedures changes, devise and implement training programs for employees, etc. Without adequate time to do a careful job, mistakes that do not benefit either the bank or its customers are likely to occur.
At the outset, we must emphasize that community banks have historically been strong guardians of their customers' privacy and have had a long-standing commitment to protect the confidentiality of their customers' information. Protecting confidential customer information is central to maintaining the public trust and is key to long-term customer retention, especially now, as the technological and electronic revolution transforms bank operations and financial services and consumers are increasingly concerned about their personal financial privacy.
The ICBA believes it is critical for community banks to let their customers know, through the adoption and dissemination of privacy principles and privacy policies/statements, that their financial privacy will be respected and protected when they conduct business with community banks, just as it always has been. The Banking Industry Privacy Principles, adopted in 1997 by the ICBA and other national bank trade associations, provided a useful guide for community banks in this regard.
GLB, enacted last November, requires banks2 to provide an initial and an annual disclosure to customers about their information sharing practices and privacy policies, including practices regarding the disclosure of customer information to affiliates and third parties. Before a bank may share nonpublic personal information with certain unaffiliated third parties, the bank must furnish a privacy notice, explain when the bank might share information, and provide the consumer a chance to opt out of information sharing. However, to take into account banks' legitimate information sharing needs, the opt-out requirement is subject to a number of exceptions, including allowing banks to share information with third parties that perform functions on behalf of the bank and when offering financial products and services under a joint agreement with another institution.
It is worth noting that GLB does not apply similar opt-out requirements to information sharing with affiliates. Since many community banks do not have affiliates, but do outsource functions or partner with unaffiliated third parties to serve their customers, this new burden will reduce the ability of community banks to compete with the new financial conglomerates that are created as a result of the passage of GLB. As a result of these burdens, some community banks may decide it is not cost effective to offer related products and services, reducing customer options and choice.
As the proposed rules on the privacy of consumer financial information are finalized, the ICBA strongly urges the agencies to be mindful of these concerns and maintain an appropriate balance between community banks' legitimate information sharing needs and the critical protection of consumer financial privacy.3
The provisions of GLB are complex and very specific. They require banks to provide initial and annual notices to customers of the bank's information sharing practices and privacy policies. GLB requires the notice to provide information about the bank's policies and practices on disclosing nonpublic personal information to affiliates and nonaffiliated third parties and about disclosing nonpublic personal information of former customers. GLB also requires the notice to inform customers of the categories of persons to whom nonpublic personal information is or may be disclosed, the categories of nonpublic personal information collected by the bank, and the steps the bank takes to protect the confidentiality and security of nonpublic personal information.
GLB also requires that customers be given an opportunity to opt out of information sharing with unaffiliated third parties, except in certain circumstances, such as information sharing needed to complete a transaction. However, account numbers may not be shared with unaffiliated third parties for the purpose of telemarketing, direct mail marketing or e-mail marketing. GLB also reaffirms the Fair Credit Reporting Act (FCRA) requirements on information sharing with affiliates.
The ICBA strongly encourages the agencies to be as flexible as possible when instituting final regulations. Because the statutory requirements are extensive, the agencies should not add requirements beyond those specified in the statute, especially with respect to the notices that banks must provide. Unnecessarily lengthy and complex notices are a disservice both to banks and to their customers who will be less likely to read them, thereby defeating the purpose of the exercise.
Moreover, since complying with these new requirements will be an extremely burdensome task for banks, the ICBA also strongly encourages the regulators to provide an adequate transition phase after a final rule is issued and before compliance is mandatory. This will provide community banks the time needed to craft meaningful notices and institute policies and procedures to comply with these complex new regulatory requirements as they continue to protect the confidentiality of their customers' personal financial information.
Following are our specific comments on the proposed rule.
Nonpublic Personal Information; Section ___.3(n). How nonpublic personal information (NPI) is defined affects information sharing with third parties, since publicly available information may be shared while NPI is subject to the notice and opt-out requirements. As proposed, NPI would be defined as "personally identifiable financial information" or any information that a consumer provides a bank to obtain a financial product or service, that results from a transaction, or that the bank otherwise obtains providing a consumer a financial product or service.
The agencies propose two alternatives to what is considered "publicly available." Both define publicly available information as information obtained from government records, widely distributed media (e.g., telephone books, newspapers), or disclosures required by law. Publicly available information would also include information available over the Internet, if accessible by the general public without password or similar protection. Under the first alternative, information must in fact be obtained from a public source in order to be considered public; if information was received from the consumer, even though it might be publicly available, it would be considered nonpublic. Under the second alternative, information would be considered public if publicly available, no matter how it was obtained by the bank.
The ICBA supports adoption of the second alternative. When information is in the public domain, it should be considered public; how a bank obtains the information should not be determinative. To require a bank to track the source of each bit of information would be a nightmarish administrative burden. For all practical purposes, adoption of the first alternative (which relies on the source of information) would destroy the distinction between public and nonpublic information. This result is contrary to the statute, which contemplates that some information would be considered publicly available. Because banks would find it prohibitively expensive and burdensome to track the source of all information on consumer customers, the practical result is that banks would be compelled to treat all information in a customer file as nonpublic. Therefore, if information is already in the public domain as otherwise defined by the regulation, a bank should be able to consider it as such.
Information Available on the Internet. Publicly available information also would include information available over the Internet, provided it is not password or otherwise protected from access by the general public. The ICBA believes this is an appropriate distinction, especially since an increasing amount of information is available over the Internet. If any member of the public may access it, it should be considered and defined as public information.
Customer Lists. Significantly, any bank customer list of names and addresses would be considered NPI under the proposed rule, because a list would disclose the fact that an individual on the list was a customer of that bank. However, customers disclose their relationship with a bank in many ways. For example, whenever a customer writes a check, they divulge their banking relationship. In fact, some would argue that when a customer walks into a bank, the existence of a customer relationship becomes apparent to anyone on the sidewalk who sees the individual enter the bank. GLB does provide that NPI excludes a list or other grouping of consumers created without the use of nonpublic personal information.4 Therefore, it clearly contemplates the existence of some customer lists that will not be considered nonpublic information.
The ICBA does not object to an interpretation considering customer lists to be nonpublic information if such a restriction is limited to lists derived using information about an individual's financial transactions or condition, but the ICBA has concerns whether this extremely restrictive reading (that any bank customer list is nonpublic) renders a provision of the statute meaningless, contrary to the normal tenets of statutory interpretation.
Personally Identifiable Financial Information; Section ___.3(o). In general, the proposed definition of personally identifiable financial information is very broad. It would classify personally identifiable information as financial if obtained in connection with providing a financial product or service to a consumer. This might then include information not traditionally considered as financial. For example, age or marital status included in a loan application, though not financial information per se, would be considered financial information under the proposal because it was provided in connection with a financial product or service.
This may be too broad an interpretation since it gives little effect to the word "financial" in the statute. In any case, we note that community banks are unlikely to share this information as a matter of practice since their customers have an expectation that their information will be treated with confidentiality even when it isn't directly related to account transactions or balances or to their financial condition. In fact, community banks that give greater protection to this nonfinancial information than is required by law may use this to their competitive advantage.
Consumer vs. Customer; Sections ___.3(e), (h), (i). The distinction under the proposed rule between consumers and customers is important because it determines whether and when a privacy notice must be given. While the statute primarily focuses on the importance of protecting customer information and ensuring its confidentiality,5 it does establish obligations for financial institutions before they may disclose consumer information. Therefore, the distinction between the two is needed.
As proposed, a consumer is an individual who obtains a financial product or service from a financial institution that is used primarily for personal, family or household purposes. Under the proposal, the definition would include someone who engages in an isolated transaction, such as a non-account holder who uses an ATM or purchases a cashier's check. It would also include an applicant for a financial product or service, even if the application is ultimately turned down or withdrawn. And, it would cover the brokerage of an application. Non-customer consumers are entitled to receive privacy notices or an opportunity to opt out only if the bank plans to share NPI about that individual and none of the opt-out exceptions apply.
A customer, on the other hand, is a consumer who has established an "ongoing relationship" with the financial institution. For example, a customer would include a consumer with a checking account, savings account, consumer loan, trust account, investment account, insurance policy and so forth. All consumer customers are entitled to receive privacy notices.
The ICBA believes that the manner in which the regulatory agencies have proposed to define the distinction between a consumer and a customer, and the circumstances under which each is entitled to receive a privacy notice, is appropriate. This distinction also helps to strike the right balance between burden and disclosure by not requiring banks to provide notices to consumers with whom they do not have a continuing relationship unless the bank plans to share nonpublic information.
The ICBA finds the existing examples in the proposal are helpful, and recommends they be retained in the final rule. We also suggest that additional examples of the distinction between customers and consumers be added, for instance an example clarifying that an individual can be a consumer in one instance but a customer of the same bank through a different transaction or set of transactions.
Requirements for Notices to Customers
Initial Notice; Section ___.4. GLB requires a bank to provide an initial notice to customers about the bank's privacy policies and information sharing practices, including the conditions under which the bank might disclose nonpublic personal information. Under the proposal, this notice must be provided before the customer relationship is established,6 although it may be provided at the same time as other federally mandated notices, such as a Truth-in-Lending disclosure.
For consumers who do not become customers, an initial notice must be provided before any information can be shared with a nonaffiliated third party (if the bank does not plan to share NPI, it is not required to provide this notice). The ICBA believes it is appropriate to provide notice to non-customer consumers, such as loan applicants, about the information sharing practices of the bank if the bank plans to or may share NPI. And if personal, nonpublic financial information is to be shared about these individuals, they should have the opportunity to opt out.
As specified in the proposal, a bank must provide the initial notice to "an individual who becomes the bank's customer, prior to the time that the bank establishes a customer relationship."7 However, the ICBA believes that this is inconsistent with the provisions of the statute. The statute specifies that the notice be furnished "at the time of establishing a customer relationship..."8 The statute does not require earlier disclosure. Therefore, the ICBA urges the regulators to adhere to the statutory language and require the initial notice when a customer relationship is established, and not before. Although banks will provide this information to potential customers who request them before they establish an account relationship, providing the information in advance as a matter of course should be an option for the bank rather than a regulatory mandate.
The proposal provides appropriate exceptions to the preceding requirement, and the ICBA encourages that these be retained in the final regulation. For example, where a bank purchases a loan or acquires a portfolio of loans from another institution, it is not practical to furnish the initial notice before the customer relationship is established. The proposal recognizes this and the ICBA believes this appropriate.
However, it should be acceptable in other instances to furnish the notice after the fact as well. The ICBA urges the agencies to make this clear in the final rule. When a transaction is conducted over the telephone, requiring banks to obtain permission to provide later notice will be burdensome and make conducting business over the telephone increasingly difficult; the final regulation should allow a bank to furnish the notice afterwards for telephone transactions. This should be equally true for transactions conducted by facsimile or by mail, when it is not practical to furnish the notice before the customer relationship is established.9 If a consumer sends a fax or mails a request to open an account, the bank and the consumer have no opportunity to agree in advance that the notice will be furnished after the account is opened. Therefore, unless it is clarified in the final rule that a notice may be sent after an account is opened by fax or by mail, the account opening must be delayed while the notice is furnished, a result not consistent with prompt customer service.
Annual Notice; Section ___.5. In addition to the initial notice, all customers must thereafter receive an annual notice of the bank's privacy policies. The rules about the form, content and delivery of the initial notice and the annual notice are largely the same.
The bank must furnish the annual notice to each customer once every twelve months. The annual notice is no longer required when the customer relationship has been terminated (e.g., dormant deposit account, loan paid off or charged off, loan sold without retaining servicing rights). If it is not clear that a customer relationship still exists, the proposal allows a bank to assume there is no relationship if it has not had any communication with the customer in twelve months (other than providing the privacy notice).
Dormant Accounts. The need to provide notices required by regulations when an account is dormant can be confusing for banks. The proposal addresses this issue by providing that a bank would not be required to send a notice to the owner of a dormant account. The example in the proposal specifies that notice need not be sent "if, in the case of a deposit account, the account is dormant under the bank's policies."10 The ICBA finds this appropriate, and believes that bank policy should govern when an account is considered dormant. This allows banks flexibility to craft a policy on dormancy that fits the bank's own particular needs and circumstances (while still complying with state law).
For customer relationships that do not involve deposit accounts, closed-end loans, or credit cards or other open-ended loan relationships, the proposal would provide that if the bank has not communicated with the customer for over twelve months, other than to furnish the annual notice, the notice need not be sent. While the ICBA believes this is appropriate, we also find that it would be much simpler and cleaner from an administrative viewpoint to provide that notice need not be sent to any account defined as dormant by the bank, and not just deposit accounts.
Customer Request to Not Receive. Customers sometimes request that the bank not mail information to them. The ICBA believes that the final rule should permit a customer's request not to send notices to include privacy notices. The bank should be allowed to honor a customer's request not to receive information in all instances.11 For example, if a customer has a practice of coming in to the bank to pick up their account statements, the bank should be able to provide the privacy notice with the statement. However, the ICBA also believes that any such request should be required to be in writing in order to protect both the customer and the bank.
Content of the Privacy Notice; Section ___.6. Both the statute and the proposal require the initial and the annual notices to cover the categories of NPI that a bank collects; categories of NPI that a bank may disclose; categories of affiliates and nonaffiliated third parties to which a bank might disclose NPI;12 categories of information the bank provides to service providers and joint agreement partners (although this information sharing is not subject to opt-out); and information sharing of data on former customers. In addition, the bank must include information on how a customer can choose to opt out, any applicable Fair Credit Reporting Act (FCRA) disclosures, and finally, how the bank protects the confidentiality, security and integrity of customer information.
The proposal would allow a bank to include anticipated policies and practices in the notice. However, whenever a bank intends to change information sharing practices from what was stated in its notice, it must provide a revised notice and a new opportunity to opt out.
The ICBA finds that the information required by the proposed rule to be included in the privacy notice is much more detailed than GLB requires. For example, GLB states that information may be shared with unaffiliated financial institutions when the bank is in a joint agreement to provide services, "if the financial institution fully discloses the providing of such information."13 The statute says nothing about providing detail about what information is disclosed or with what entities it may be shared. However, the proposal would require banks that do so to provide "a separate description of the categories of information the bank discloses and the categories of third parties with whom the bank has contracted."14 In another instance, while the statute requires disclosure about the "categories of nonpublic personal information that are collected,"15 the proposal would require additional detail on the source of the information.16
To be sure, the disclosures required by the statute are already extensive and complex, but the proposed rule would add to this complexity. Even though both the statute and the proposal require the notice to be "clear and conspicuous," the amount of detail required for the notices is so extensive that the notice will be quite lengthy for many banks. The more information that is thrown at them, the less likely consumers and customers will be to even begin to read these notices. By including extensive detail in the notice, the notices become a meaningless exercise as customers ignore them, thereby defeating the purpose of the legislation.
In addition, the more detail the regulation adds to the statutory requirements, the more likely that a bank will have to continually provide revised notices as their circumstances change or they conduct business with a new service provider or partner or want to add a company to provide a new service for its customers. The cost of providing new privacy notices in order to offer a new product may make banks reluctant to actually offer the service. Thus, what should be a business decision becomes artificially governed by regulatory burden and compliance considerations.
Finally, the more detailed that a notice must be, the more potential there is for inadvertent error by the bank - and confusion for the customer. The ICBA strongly recommends that the agencies make the notice as simple as possible and only require the information mandated by statute in the contents of the privacy notices, nothing more.
Model Notices. The ICBA very strongly urges the agencies to provide a set of model notices or model language that banks could incorporate in their notices as appropriate. While privacy notices will not be uniform and will vary from bank to bank depending on the bank's individual circumstances, the basic elements of the privacy notice will be similar. Although banks should be permitted and in fact encouraged to create their own unique notices, having model language to incorporate or use as a guideline would be extremely helpful and would provide the guidance for banks to draft notices that comply with the final rule. In addition, model language would help ensure consistent treatment when examiners review the notices for compliance.
Model notices or model language are especially critical for smaller banks. Larger banks, with entire compliance departments and personnel devoted full time to privacy issues and compliance, have available resources, including access to in-house counsel, to develop the required notices and disclosures. Small banks lack these resources, and would benefit enormously from guidance from their supervisors in crafting compliant privacy notices, especially given the complexity and detail required. Model notices to assist smaller institutions will be especially critical if the transition period between issuance of the final rule and mandatory compliance is not extended beyond the six months provided in the proposed rule. See discussion on pages 18-19 regarding the need for a longer transition period.
Joint Accounts. Many bank customers hold joint accounts. The ICBA does not believe that a bank should be required to provide privacy notices to all account holders. This would be consistent with other regulations, where a bank may notify only one holder of a joint account. For example, under Truth-in-Lending, the Commentary provides that, "disclosures may be made to either obligor on a joint account."17 To require notice to all holders on a joint account would be unduly burdensome. Under normal bank practices, customer notices are given to the person present when the account is opened, sent to the primary individual listed on the account, or sent to the address specified on the account. Therefore, here as with other regulations, the bank should have the option of providing the notice to any legitimate account holder. And, by the same rationale, if one joint account holder opts out, the bank should be permitted to apply that to the entire account.18 To provide otherwise would present a logistical disaster for programming systems and tracking.19
One of the key features of the GLB is the ability of a consumer to opt out of having NPI shared with certain nonaffiliated third parties. The proposed rule specifies that the ability to opt out must be clearly presented in both the initial and annual notices, and the bank must provide a reasonable means for consumers to exercise their rights to opt out. The proposal provides several examples, such as prominent check-off boxes on a form or a self-addressed stamped reply form.
The ICBA agrees these are appropriate methods for a customer to exercise the opt-out and that the examples offered provide adequate guidance for banks at this time. The ICBA also agrees that it is not reasonable to require a customer to draft a letter to exercise the right (though the bank may honor such a letter if it receives one). If a letter is required, many customers are likely to see the process as too cumbersome and not bother to opt out, defeating the purpose of the requirement. A form also has the advantage of being clear and to the point, something an individually drafted letter may lack.
Time Between Initial Notice and Ability to Share Information. Once an initial privacy notice has been provided, the bank would have to wait a reasonable time to allow a customer to opt-out before it can share information; the proposal would provide that 30 days is presumed reasonable for notices sent by mail. The ICBA agrees that 30 days is reasonable. Thirty days provides sufficient time for customers to respond, is consistent with most system cycles and other notice provisions, yet short enough for banks to monitor easily.
Since the requirements and mandates of this new regulation are highly complex, the ICBA does not believe a separate time frame should be instituted for notices delivered electronically. Using the same time frame will keep things uniform and eliminate confusion.
Exceptions to the Notice and Opt Out Requirements
As delineated in the proposed rule, there are three types of exceptions to the requirement to provide an opt-out before sharing NPI with nonaffiliated third parties. Under the first type of exception, the bank must disclose the fact of information sharing, but the customer does not have the right to opt out. Under the second and third types of exceptions, the bank does not have to disclose specifics about sharing NPI, although the proposal would require a statement in the notice that the bank makes disclosures to other nonaffiliated third parties "as permitted by law."
Service Providers and Joint Marketing Exceptions; Section ___.9. As drafted by the agencies, the first exception allows a bank to share NPI with an unaffiliated third party so that the third party can perform services for, or on behalf of, the bank. This includes using a third party to market the bank's products and services or marketing financial products and services offered under a joint agreement. However, section ___.9 specifies that the bank must meet several requirements to use this exception: the bank must disclose the sharing in the privacy notice and must enter a contract that requires the third party to limit use of the information shared to the purpose for which it is disclosed and to maintain the confidentiality of any information shared.
Service Providers. The ICBA believes that the agencies have misconstrued the statute and have inappropriately applied the full disclosure and contract requirements intended for joint agreements to outsourcing arrangements where the third party agent, processor or service provider is merely performing operational functions that the bank could perform for itself. Sections 502(b)(2) and 502(e) of GLB, which exempt routine outsourcing and servicing from the opt out requirement, when read together, clearly express Congress's intent that use of third parties to perform any functions for or on behalf of the bank should be exempt from the notice and opt out requirements.
A contrary reading of these sections will have a disproportionate, negative effect on community banks, which because of their small size and finite resources traditionally have turned frequently to outsourcers that can perform functions on their behalf more efficiently than they could undertake in-house. The agencies' proposed interpretation of GLB, as reflected in Section ___.9 of the proposed rule, will impose additional costs on community banks that are not warranted, particularly when no benefit will be realized by consumers, since there is, appropriately, no right to opt out of these routine outsourcing arrangements. Requiring specific disclosures of these arrangements in the notice could be a source of confusion for consumers. In addition, it unnecessarily increases the complexity and length of the notices that must be provided. Finally, if a bank does not craft its notice to include a description of all of the categories of information that might be shared with outsourcers, or all of the categories of third party outsourcers, it could be faced with the expense of having to revise and redisclose notices before using a new outsourcer.
We urge the agencies to revise section ___.9 of the proposed rule to make clear that the full disclosure and confidentiality requirements of Section 502(b)(2) of GLB apply only to information shared pursuant to joint agreements between nonaffiliated financial institutions and not to routine use of third party agents, processors or servicers as outsourcers to perform functions on the bank's own behalf. Outsourcing functions should be treated the same as the Section 502(e) exceptions (sections ___.10 and ___.11 of the proposed rule).20
Joint Agreements. The agencies have asked for comment on whether additional requirements should be imposed for this exception. The ICBA does not believe it is necessary or appropriate at this time to add additional requirements to this exception. The disclosure and confidentiality safeguards already imposed are sufficient. Once the rule goes into effect and the agencies gain experience with it, they can better assess whether additional requirements are necessary. If at some point the agencies believe additional requirements are necessary, they should seek public comment on any specific proposed additional requirements before imposing them.
Processing and Servicing, and Other Exceptions; Sections ___.10 and ___.11. The second category of exception to the opt-out requirements allows a bank to share NPI with nonaffiliated third parties for processing and servicing including: to administer, process, service, or enforce a consumer's transaction; service or process a product or service for the consumer; maintain or service a consumer's account; or in connection with a securitization or secondary market sale. The third category includes a variety of other exceptions including, among other things, with the consumer's consent; to protect the confidentiality or security of consumer records; to protect against fraud; to the consumer's fiduciary or representative; to consumer reporting agencies; in connection with a sale or merger, to comply with law, etc.
GLB is fairly specific about these exceptions, and the proposal closely follows the statutory language. For the second and third categories of exceptions, the bank need only state in its privacy notices that it makes disclosures as permitted by law (it does not need to list the categories of nonaffiliated third parties or types of information disclosed). Also, the bank is not required to provide an opportunity to opt out for these exceptions.
With the exception of treating certain outsourcing arrangements similarly to the section ___.10 and ___.11 exceptions (see discussion above), the ICBA does not have any recommendations for additional exceptions at this time. However, we encourage the agencies to continue to be sensitive to the need to revise and expand this list in the future as appropriate once the agencies and the industry have experience implementing the final rule.
Customer Consent. One of the exceptions allows a bank to share information if the customer consents. The ICBA believes that such consent should be written, to protect both the customer and the bank from later disputes. A written consent will also provide an explicit outline of exactly what the customer consented to and what information can be shared. However, once that consent has been granted, the ICBA also believes that the bank should be permitted to rely on the consent until revoked in writing by the customer (with a reasonable time to process and implement the revocation).
Disclosures "As Permitted by Law." If a bank only shares information with nonaffiliated third parties covered by the sections ___.10 and ___.11 exceptions, it is required only to specify in its notice that it "makes disclosures to nonaffiliated third parties as permitted by law."
The ICBA has serious reservations about requiring this disclosure in the notice. First and foremost, this disclosure is not required by the statute. In fact, Section 502(e) of GLB explicitly exempts situations covered under the section ___.10 and ___.11 exceptions from the notice and opt out requirements. Moreover, for many community banks, these exceptions are critical for allowing them to conduct business. As discussed above, many community banks do not have the resources to carry out all operations in-house, and rely on outside processors and vendors to meet customer needs. Concern about their ability to do this and remain competitive with their larger counterparts produced these exceptions in the statute.
If banks use these exceptions, but must tell their customers that they only share information "as permitted by law," without further explanation, there is a very distinct chance many customers could become unnecessarily apprehensive. It is unlikely that many consumers will have a working familiarity with the exceptions permitted by GLB. Reading that disclosures may be made "as permitted by law" could naturally raise questions about exactly what information might be disclosed, and to whom. Banks may find it necessary or prudent to provide details about the kinds of information that may be disclosed, and when and to whom, to prevent customer apprehension and constant customer inquiries about what these disclosures might be ("what's permitted by law?"). This again will result in more complex, confusing and lengthy notices.
Since Congress has explicitly provided exceptions to the notice and opt out requirement, the ICBA strongly urges the agencies not to require that banks include in their privacy notices a statement that they make "disclosures to other nonaffiliated third parties as permitted by law." As an alternative, the ICBA suggests that the agencies make this statement optional.
Limitations on Redisclosure; Section ___.12. As specified in GLB, the proposed rule provides that a third party that receives NPI from a financial institution may not redisclose that information to anyone else unless the financial institution could have lawfully disclosed it to them directly.
Third Party Compliance. The agencies seek comment on whether banks should be required to develop policies and procedures to ensure that the third party complies with the limitation on redisclosure.
The ICBA anticipates that some banks may find it appropriate to take steps towards ensuring that third parties with which they share information comply with this limitation, such as requiring an annual confirmation from the third party reaffirming their commitment to preserve confidentiality and certifying that no violations have occurred. However, the final rule should not require that banks take such measures. Rather, these steps should be voluntary and at the discretion of the individual institution, depending on that bank's particular circumstances, and their relationship with the third party.
A regulatory requirement that banks conduct reviews, audits, and/or some form of examination of third parties is unduly burdensome and beyond the scope of the statutory requirements. Moreover, the costs and responsibilities associated with such reviews could make it cost prohibitive to use the services of outside vendors, which in turn would limit the products and services that the bank - especially a community bank - might offer customers. Banks can neither control nor be held responsible for the actions of unaffiliated third parties. The bank takes care in selecting high-quality, trusted vendors, and can enforce any breach of a confidentiality agreement that occurs, but to require it to do more would be unreasonable.
Use of the Word "Lawful." The agencies also seek comment on the use of the word "lawful." The ICBA urges the agencies to make clear in the final rule that a third party who receives information from a financial institution may disclose it to others in accordance with one of the service provider or section ___.10 or ___.11 exceptions. For example, if as part of a credit card agent bank program an agent bank shares customer information with its partner bank, the partner bank should be able to use third party outsourcers to perform functions on its behalf, such as mailing information to consumers or evaluating applications.
Prohibition on Sharing Account Numbers; Section ___.13. The proposal would implement Section 502(d) of GLB that prohibits a bank from disclosing an account number or access code to anyone other than a consumer reporting agency (credit bureau) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
The agencies seek comment on whether the flat prohibition in Section 502(d) might unintentionally disrupt routine practices such as disclosures of account numbers to a data processing service provider that prepares and mails monthly account statements to the bank's customers with a request to include a statement stuffer marketing a product. The ICBA does not believe that Congress intended this incongruous result whether the bank is marketing its own products or services or the products and services of a third party.
In the case described, the reason for sharing the account number is to facilitate the statement preparation and distribution; it is not for use in marketing to the consumer. In fact, including third party marketing materials in their own monthly account statements is one way that banks can avoid sharing information with third parties, yet make the products and services of those third parties available to their customers. It would be ironic, indeed, if Section 502(d) of GLB were interpreted to prohibit these practices. Therefore, the ICBA urges the agencies to make clear in the final rule that such routine practices are not prohibited.
Section 504(b) of GLB gives the agencies general authority to grant additional exceptions to subsections (a) through (d) of section 502 as are consistent with the purposes of the subtitle. If there is any question that section 502(d) would have the unintentional result described above, the agencies should use this exception authority to prevent it.
Date for Mandatory Compliance. Assuming that a final rule is adopted as scheduled by May 12, banks would be given six months to bring their policies and procedures into compliance. Congress recognized in the statute that this may not be sufficient time for banks to comply with all the complexities of the statutory requirements, and provided that the regulatory agencies could prescribe a later effective date.21
The ICBA strongly urges the agencies to use the authority granted by GLB and extend the transition period in order to provide banks with sufficient time to implement these complex requirements properly. We recommend that the final rule become effective as contemplated in six months, but that compliance not be mandatory until 12 to 15 months after a final rule is issued.
This additional time is essential to give banks adequate time to understand the nuances of this complex new regulation, craft accurate privacy notices, revise other forms as necessary (such as deposit agreement forms and loan application forms), implement necessary computer system and policy and procedures changes, devise and implement employee training programs, etc. Without adequate time to do a careful job, mistakes are likely to occur, which is not in the interest of either banks or their customers.
Banks and other financial institutions subject to these regulations will be competing for the same resources to implement these provisions, from computer software providers to consultants and printers and forms providers. To perform computer processing functions, community banks rely on either outside data processing service bureaus or run off-the-shelf software on in-house systems. In order to implement a system to track customer opt-outs, service bureaus and software vendors will have to make software changes, test them, and distribute them to their clients. Many data processing systems used by community banks and their data processing service bureaus currently are not configured to support such tracking. Putting in place the necessary programs to monitor customer elections will be both time consuming and expensive. It is our understanding that these service providers have not begun to implement the changes contemplated by these regulatory requirements.
Even banks with privacy policies in place, and banks that do not share any information with third parties that would require an opt-out, will not find it an easy matter to comply. They must carefully review their practices and compare them against the requirements of the regulation before undertaking to revise or craft their privacy policies.
In addition, if existing customers must be provided privacy notices within 30 days after November 12, millions of mailings will take place at the busiest time of the year for the United States Postal Service.22 And, this significant new notice will need to be produced at the same time many banks are working on other significant information needs, e.g., year-end tax notices and other year-end information.
For these reasons, the ICBA urges the agencies to provide 12 to 15 months after a final rule is issued before compliance is mandatory in order to ensure quality work and not a "rush job," especially since this is an extremely sensitive issue for consumers.
Timing for Initial Notices to Existing Customers. Under the proposal, banks would have 30 days after the rule takes effect to deliver the initial notice to their existing customers. If the bank is already sharing NPI, the customer must be given a reasonable time to opt out before the bank would have to cease sharing that information, and the bank would have a reasonable time to comply with the customer's opt-out request. Again, the ICBA believes that 30 days is too short for many banks to finalize, print and mail notices (and may not provide sufficient time for banks to provide notices in conjunction with existing statement cycles). Ninety days after the mandatory compliance date is more reasonable, and the ICBA strongly urges the regulators to allow at least 90 days for the delivery of the initial notice to existing customers.
Regulatory Burden Estimate
The regulatory agencies have estimated that it will take banks 45 hours on average to comply with the proposal's requirements, based on the premise that many banks already have privacy policies in place and that they will merely have to fine tune existing policies and procedures.
The ICBA strongly disagrees with this assessment. Even for those banks that have privacy policies in place, existing policies and procedures will have to be carefully reviewed against the requirements of the new regulation. As noted above, banks must reconfigure and update their computer systems; design, print and mail notices; develop new procedures to comply with the new requirements; design training programs and train all bank staff on the new requirements; and implement new internal audit procedures. Accordingly, 45 hours is an inadequate assessment of the regulatory burden. For the great majority of community banks, it will take many times that amount of time. In fact, the overall implementation of this regulation will be a very expensive proposition for many community banks, costing many thousands of dollars.
The Gramm-Leach-Bliley privacy title creates new administrative and regulatory burdens. These burdens will impact community banks disproportionately because of their finite and limited resources. Therefore, the ICBA urges the regulatory agencies to strive to maintain an appropriate balance between the critical protection of consumer financial privacy and community banks' legitimate information sharing needs.
If we can provide additional information, please contact either Karen Thomas or Robert Rowe at 202-659-8111. Thank you for the opportunity to comment on this critical subject.
Thomas J. Sheehan
1 ICBA is the primary voice for the nation's community banks, representing nearly 5,300 institutions at nearly 16,200 locations nationwide. Community banks are independently owned and operated and are characterized by attention to customer service, lower fees and small business, agricultural and consumer lending. ICBA's members hold nearly $439 billion in insured deposits, $526 billion in assets and more than $314 billion in loans for consumers, small businesses and farms in the communities they serve.
2 The law applies to "financial institutions," which is a broadly defined term encompassing much more than banks. However, for ease of reference, we will use the term "bank" throughout this document.
3 The issue of competitive disadvantage to community banks was of sufficient importance to Congress that the Statement of Managers in the Conference Report on S. 900 includes the following language:
The Conferees wish to ensure that smaller financial institutions are not placed at a competitive disadvantage by a statutory regime that permits certain information to be shared freely within an affiliate structure while limiting the ability to share that same information with nonaffiliated third parties. Accordingly, in prescribing regulations pursuant to this subtitle, the agencies and authorities described in section 504(a)(1) should take into consideration any adverse competitive effects upon small commercial banks, thrifts and credit unions.
4 GLB, section 509(4)(C)(ii).
5 Section 501(a) of GLB states explicitly that, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." (emphasis added).
6 Section ___.4(c)(2) of the proposal offers helpful examples of when the customer relationship is established, e.g. where a customer signs a deposit agreement, the signing of the contract identifies the moment the relationship is established.
7 Section ___.4(a)(1).
8 GLB, section 503(a).
9 This would be consistent with other existing regulations such as Electronic Funds Transfer and Truth in Savings, see e.g., 12 CFR 205.7 and 12 CFR 230.4(a)(1). The latter provides that, "if the consumer is not present at the institution when the account is opened or the service is provided and has not already received the disclosures, the institution shall mail or deliver the disclosures no later than 10 business days after the account is opened or the service is provided, whichever is later."
10 Section ___.5(c)(2).
11 The purpose of the rule is to protect customers - not annoy them.
12 Information sharing with affiliates must comply with Fair Credit Reporting Act requirements.
13 GLB, section 502(b)(2).
14 Section ___.6(a)(5). See additional discussion on disclosures regarding section ___.9 service providers on pages 14-15.
15 GLB, section 503(b)(2).
16 Section ___.6(d)(1).
17 12 CFR 226.5(d).
18 A bank should also be permitted, at its option, to allow each joint account holder to opt out independently of the other holders of the account, provided the bank's systems permit such distinctions.
19 While banks are making extensive efforts to assemble information at the customer level, most data processing systems still function at the account level.
20 We note that as a matter of practice, community banks are very mindful of confidentiality when using outsourcers to perform functions on their behalf. They carefully select reputable outsourcers, and review and limit the customer information that may be shared. Third parties are typically required by contract to maintain the confidentiality of the customer information. Commonly, these contracts provide that the customer information remains the property of the bank, the third party may use the information only for the purposes specified and may not transfer it to anyone else, and access to the information must be limited to those employees who need it to perform the services on behalf of the bank.
21 GLB, section 510.
22 Under the current schedule, if no extension is granted, all financial institutions will be mailing privacy notices to their existing customers around the second week in December. This is one of the busiest times for the Post Office, and the addition of billions of pieces of mail could prove overwhelming.