Kenneth J. Sperl
Deputy General Counsel,
Senior Vice President
Direct Dial: 614/248-6042
Bank One Corporation
100 East Broad Street
18th Floor, OH1-0158
Columbus, OH 42371-0158
Phone: (614) 248-6488
Fax: (614) 248-6060
March 31, 2000
Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street, N.W.
Washington, D.C. 20549-0609
Re: Proposed Privacy of Consumer Financial Information Regulations - File No. S7-6-00
Dear Secretary Katz:
BANK ONE CORPORATION is writing to comment on the Commission's notice of proposed rulemaking (the "Proposal" or the "Proposed Regulation") relating to the Privacy of Consumer Financial Information under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) (the "Act").
BANK ONE CORPORATION ("BANK ONE" or "we") is a multi-bank holding company headquartered in Chicago, Illinois, with offices located in Arizona, Colorado, Delaware, Illinois, Indiana, Florida, Kentucky, Louisiana, Michigan, Ohio, Oklahoma, Texas, Utah, West Virginia and Wisconsin. BANK ONE also operates numerous non-bank subsidiaries that engage in various financial activities, including brokerage services through Banc One Securities Corporation, a registered broker/dealer and member NASD, and investment advisory services through Banc One Investment Advisors Corporation, a registered investment advisor. Banc One Investment Advisors Corporation acts as investment advisor to the One Group® family of mutual funds.
We appreciate the opportunity to comment on the Proposed Regulation and support the objective of the Commission and the federal banking agencies to move quickly to devise a workable framework for implementing the Act. We place a high priority on addressing the privacy concerns of our customers to ensure their continued confidence in our institutions and the financial services industry. At the same time, we are eager to work with regulators to create a framework that carries out the legislative intent without unnecessarily restricting the continued development of innovative products and services to meet consumers' financial needs.
The risks of rushing to undertake a project of this magnitude and complexity are significant. As noted above, the risk of undermining the long-standing confidence of our customers is our primary concern. Inaccurate or incomplete disclosures or inaccurate recording of customer preferences could also jeopardize the safety and soundness of a financial institution if a product, service or processing arrangement must be terminated because of the failure to properly disclose or record consumer preferences. The costs associated with implementation are material and significant additional costs would be incurred if a financial institution were forced to redisclose due to an inaccurate initial notice. In addition, there will be significant incremental costs associated with a short implementation deadline, including additional charges from printers, mailing houses and other servicers for providing rush service. Furthermore, with many financial institutions required to produce notices within the same short time frame, it is likely that there will be insufficient capacity among these vendors to produce and mail notices for all of the financial institutions who require their services. Finally, the short implementation period may prevent financial institutions from using the cost-effective method of enclosing the initial notice with account statements, because some customers only receive account statements quarterly or annually.
For the reasons noted above, we believe that the effective date of the Proposed Regulation should be extended to December 31, 2001 to give financial institutions a full opportunity to comply with this complex Regulation. This additional implementation time should enable financial institutions to complete the tasks described above in an orderly and careful manner, while sparing consumers the confusion and inconvenience of receiving scores of notices from different providers in a short time frame.
The following are some specific comments on the Proposed Regulation, organized by section.
Rule of Construction (Section 248.2)
The Proposal differs from that issued by the federal banking agencies with respect to the interpretation of examples. The banking agency proposal would create an effective "safe harbor" for an institution that complies with a specific example, to the extent applicable. We urge the Commission to adopt a similar approach, which will provide needed certainty to financial institutions attempting to comply with rules addressing an area which is both new as a subject of regulatory oversight and subject to many potentially conflicting interpretations. Further, as discussed above, consistency in regulatory approach is vital to organizations such as Bank One which are attempting to forge consistent policies across affiliated companies which are responsive to different functional regulators.
Definitions (Section 248.3)
"Affiliate" is defined in a manner that is potentially inconsistent with the Investment Company Act. The Investment Company Act deems every investment advisor to be an affiliate of the fund that it advises, regardless of whether it "controls" the fund. The Commission should consider an additional provision to the effect that an entity will be deemed affiliated if it would be treated as such under any applicable governing law. Further, the Proposal is unclear whether the term "affiliate" is intended to include the second tier of affiliation, i.e., whether an affiliate of an affiliate is deemed affiliated for purposes of this regulation. For example, a registered investment company might be deemed affiliated with a bank trust department that controlled, as discretionary fiduciary, more than 25% of fund shares. In that situation, it is unclear whether affiliates of the bank are then deemed affiliates of the fund. Additional clarifying examples might be useful in this context.
"Clear and conspicuous". We believe that the examples given in this definition are unnecessary and may set a standard for disclosures under the Proposed Regulation that would be very difficult to meet. We believe that the same standard should apply as applies under the existing consumer banking regulations such as Regulations Z and DD; a standard that has already been interpreted by the regulators and the courts. For these reasons, we suggest that the examples set forth in this definition be deleted.
"Consumer". Example (iii) in the proposal states that an individual is not a consumer if the individual carries his or her account with another broker which maintains only an omnibus account relationship and the omnibus account holding institution does not routinely receive information regarding the consumer. We believe the second phrase is unnecessary and should be deleted. The consumer has not "obtained a service" from the omnibus account holding institution and has no direct relationship or expectation of a relationship with that institution.
In addition, we note that the definition of "consumer" includes both an individual and the individual's legal representative. We believe that the word "or" should be substituted for "and" to avoid a requirement for duplicate disclosures.
"Customer". We do not believe that holding securities as custodian in a collateral situation should be regarded as creating a customer relationship between the custodian and the security owner. This is one of a number of circumstances in which a financial institution may have access to information regarding individuals as a result of its servicing activities for another entity, but does not have a contractual relationship with the individual. Other examples include 401(k) and other retirement plans where the financial institution is a record keeper or investment advisor; pension funds where the financial institution is a paying agent; or bond issues where the financial institution is a registrar, transfer agent or paying agent. These are commercial relationships between the financial institution and its commercial customer, and should not be subject to the Regulation. Further, the agreement between the financial institution and its commercial customer will generally control the financial institution's obligations with respect to the property and information with which it is entrusted. To require financial institutions to provide initial and annual privacy notices in connection with the above services would be unduly burdensome, very expensive and would only lead to customer confusion about the nature of the financial institution's role. The final Regulation should clarify that these types of relationships are not covered and should provide that an individual is a customer only if he or she has a direct contractual relationship with the financial institution.
"Nonpublic Personal Information". We believe that the definition of "nonpublic personal information" in the Proposed Regulation misinterprets the statutory definition in the Act. Section 509(4) of the Act defines "nonpublic personal information" as "personally identifiable financial information" (emphasis added) that is provided to, or obtained by, a financial institution. The statutory definition includes only information that is (i) personally identifiable, (ii) financial and (iii) provided by or otherwise obtained about a consumer in connection with a financial product or service. The Proposed Regulation eliminates the first two requirements from this definition, and is a serious misinterpretation of the Act. It ignores the clear intent of Congress to limit the special protections of the Act to financial information rather than all information held by a financial institution about a customer. This interpretation of the Act violates the most basic principle of statutory interpretation by rendering the word "financial" meaningless in the statutory definition.
Congress further demonstrated its intent to restrict the Act to financial information in Section 509(4)(C)(i) of the Act by including in the definition of nonpublic personal information "any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information" (emphasis added). If Congress had intended that all personally identifiable information be subject to the Act, there would have been no need to include the italicized language, because any customer list would have been included in the definition. As explained in a colloquy between Senator Allard and Senator Gramm on Title V, Congress only intended the term "personally identifiable financial information" to include information that describes a consumer's "financial condition."[1]
The final Regulation should adopt the narrower definition of "personally identifiable financial information" intended by Congress -- that is, only information that describes an individual's financial condition, such as an individual's assets and liabilities, income, account balances or transaction history. In particular, the mere fact of a customer relationship, without any indication of the types of products or services purchased by the customer, should not be considered to be "personally identifiable financial information" because it contains absolutely no information regarding the consumer's financial condition. The final Regulation should make clear that mere identification information (e.g., name, address and telephone number) or customer lists containing such identification information are not "personally identifiable financial information" under the Regulation. No other business is similarly restricted, and no public policy goal is served by restricting the release of such information by a financial institution.
We also do not believe that the goals of the Act would be served by restrictions on the disclosure of information that is not identified with a particular customer. The Regulation should clearly state that depersonalized information that cannot be identified with a particular individual is not included in the definition of "nonpublic personal information". Financial institutions share such depersonalized information with vendors who perform services such as marketing and profitability analysis, portfolio analysis for compliance and other purposes, and product design. It is very important that financial institutions be able to use this information freely and share it when necessary in order to promote safety and soundness and greater efficiency within the financial industry. The sharing of this depersonalized information benefits both financial institutions and their customers by facilitating the development of cost effective and needs-targeted products and services.
"Publicly available information". We believe that the example in Section 248.3(w)(2)(iii) should not state that internet information is not "publicly available" if the user needs a password. A number of free information resources on the Internet may require registration and a password in order to identify users for marketing purposes, but the information is freely available to the public. Non-financial companies are able to obtain and freely use such information, and there is no public policy reason why financial institutions should not be able to do the same.
The Commission has asked for comment whether information should be treated as publicly available only if actually obtained from a public source. We suggest that this distinction imposes a potentially burdensome documentation requirement on financial institutions. If information is freely available to the general public, the actual source in a particular case is irrelevant.
Initial notice to consumers of privacy policies and practices (Section 248.4)
When initial notice is required:
We ask the Commission to consider providing additional flexibility with respect to the timing of the initial notice, which is necessary to address situations in which it might be impossible or impractical to provide an initial notice to a customer at the time of establishing a customer relationship. Specifically, we suggest that the final Regulation should provide that a financial institution deliver the initial notice within a reasonable period after the customer relationship is established, so long as no nonpublic personal information relating to that customer is disclosed to a nonaffiliated third party before the initial notice and the opt-out notice are provided, and that the customer is given a reasonable amount of time to opt-out before any such disclosure occurs. Customers will not be disadvantaged, and financial institutions will gain needed flexibility in complying with the Regulation.
If the Commission decides not to make the above change, we would urge that you follow the language of the Act and permit disclosure "at the time of" entering into the customer relationship. The Proposed Regulation provides that a financial institution must provide the initial notice to an individual "prior to" the time that the institution establishes a customer relationship. This "prior to" standard is inconsistent with the statutory language of Section 503(a) of the Act, which states that a financial institution is expected to provide the initial notice to a customer "at the time of establishing a customer relationship".
Financial institutions establish customer relationships through many delivery channels, including telephone, Internet, through the mail, as well as at physical offices. It would be difficult and expensive to deliver the initial notice prior to establishing a customer relationship through all of these various delivery channels. Customers would not be disadvantaged by delivery of the notice at the time of establishing the customer relationship, because no sharing of customer information can take place until the customer has received the notice and has had a reasonable opportunity to opt out.
How to provide notice (Section 248.4(d))
You have invited comment on the issue of how the notices should be given for accounts with multiple parties. We urge the Commission to clarify that if there is more than one party to an account, a financial institution is required only to provide one copy of the initial notice to the parties at the address specified by the parties for the account, or to the individual personally present at the financial institution, or to whoever is otherwise the party initiating the relationship on behalf of the joint account customers. This rule is consistent with other consumer regulations in the banking field, such as Regulation Z and Regulation DD, which require that only one set of disclosures be given to the parties to the account. In addition, joint accountholders have agreed as a matter of contract that only one copy of documents will be sent per account and that it will be sent to the address of record.
Financial institutions generally capture only one address per account, and locating the addresses of secondary account holders would be a virtually impossible task. The financial institution should be able to provide the notice and opt out to any joint account holder, leaving it to that person to consult with the other joint account holders about whether to opt out. We note, however, that we will be prepared to accept opt out elections made by any or all joint account holders on an individual basis.
With respect to oral contracts, Section 248.4(d)(2) of the Proposed Regulation specifies that if a financial institution and a customer orally agree to enter into a customer relationship, the institution may provide the initial notice to the customer within a reasonable time thereafter if the customer agrees. If a customer relationship is established orally, the financial institution has no alternative but to provide the written initial notice to the customer at a time after the customer relationship has been established. The customer's consent to receiving the written notice at a later time is implied by the nature of the transaction. Requiring the institution to formally obtain the separate consent of the customer to such later disclosure would lead to customer confusion and would be difficult to document.
We believe that an additional exception is needed in Section 248.4(d) for the situation in which the "customer" in the relationship changes because of an external event, such as when an account holder of a "payable on death" account dies and the beneficiary becomes the "customer". In such a case, the financial institution should have a reasonable time after it learns of the precipitating event to provide the initial notice.
We suggest that the Commission clarify that the initial disclosure and opt out may be given in another language, if the customer has previously received disclosures and contractual documents in another language and as long as an English version is available upon request. Financial institutions should not be required to provide the notice in languages other than English, but may wish to do so as a customer service. This notice and opt out will be complex, and providing the notice in other languages would be a valuable service to many of our customers.
Information to be included in initial and annual notices (Section 248.6)
We believe that the form of notice theoretically required by the Proposed Regulation, as currently drafted, is counterproductive to the interests of consumers because financial institutions will be required to produce a notice that is lengthy and complex. It will require definitions of several different types of customer information and an explanation of the categories of permissible sharing of customer information under several regulatory schemes. We urge the Commission to allow financial institutions flexibility in complying with the disclosure requirements of the Act in order to provide a simpler, more customer-friendly disclosure.
The Proposed Regulation requires financial institutions to include in their initial notices so much detail about their policies on collecting, disclosing, and protecting nonpublic personal information of consumers that such notices could not possibly be meaningful to most consumers. In fact, the Proposed Regulation, by requiring overly detailed initial notices, would actually be counterproductive to the privacy interest of consumers. As a practical matter, a consumer is far less likely to read a financial institution's initial notice if it is lengthy and complex. Also, because consumers are likely to receive initial notices from many different financial institutions (we estimate 20 or more of such notices for the typical consumer), the consumer may be overwhelmed by receiving lengthy, detailed notices from every financial institution with which he or she has some type of relationship. We also believe that financial institutions should be permitted to use examples liberally in the disclosure, rather than supply long lists of types of information or third parties. Examples are more likely to clearly convey the required intent to consumers.
The example in 248.6(d)(5) indicates that a financial institution adequately describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it "explains who has access to the information and the circumstances under which the information may be accessed". This example suggests that a financial institution may have to set up a system of sophisticated levels of access to customer information for all of its employees. The focus of the Act is on the release of information to unaffiliated third parties, rather than the use of customer information within a financial institution by employees of the financial institution. We believe that this disclosure should also focus on external security rather than levels of access within the financial institution, and we urge the Commission to allow a general description of security measures rather than detailed descriptions of which employees have access to certain types of customer information.
Form and method of providing opt out notice to consumers (Section 248.8)
The first sentence of Section 248.8(a)(1) indicates that a financial institution must provide an opt out notice to "each of [its] consumers". This contradicts Section 248.4 which states that a financial institution is not required to provide an initial notice or opt out to a consumer unless the financial institution is planning to disclose nonpublic personal information about the consumer to any nonaffiliated third party.
We believe that an additional example should be added to Section 248.8(a)(2)(ii) permitting the use of an 800 number as a reasonable means for consumers to opt out. We do not believe, however, that the Regulation should include a mandatory requirement that an 800 number be provided for opt outs. Taking opt out elections by phone is desirable because it is a convenient method for customers, but it would require systems changes and training programs to implement it properly. Financial institutions may have difficulty making such a system available given the short time before the Regulation becomes effective.
You have asked for estimates of the costs of complying with the Proposed Regulation. We estimate that BANK ONE CORPORATION will spend about $25 million per year to comply with this Regulation. Included in this estimate are the costs of printing and mailing the initial opt out notice to existing customers, developing and maintaining a system for tracking the opt out elections, modifying account opening procedures, documents and software through each of our delivery channels (banking centers, telephone, internet, mail and others) to include the initial notice and opt out and to be able to capture opt out elections, training branch and telephone personnel to respond to customer inquiries and to take opt out elections, and reviewing and modifying procedures and documents in connection with brokered products.
We request clarification on whether a financial institution could change the terms of its privacy disclosure in the annual notice. We believe that this should be permitted, as long as the changes are highlighted.
Exception to opt out requirements for service providers and joint marketing (Section 248.9)
As currently drafted, this section would place significant restrictions on the ability of financial institutions to outsource activities, restrictions that we believe were not intended by Congress. This section addresses two very different situations: 1) sharing information with a party who is providing marketing or other services involving the financial institution's own products and services, on behalf of the financial institution, and 2) sharing information pursuant to a joint agreement with another financial institution for the purpose of jointly marketing financial products or services. We believe that the disclosure and confidentiality requirements of Section 502(b)(2) of the Act were intended to apply only to the joint marketing arrangements, and not to basic outsourcing practices. We urge the Commission to remove these restrictions on outsourcing practices, so that financial institutions will have the flexibility to realize the efficiencies of outsourcing marketing and other services and to manage their businesses effectively.
In order to utilize the Section 248.9 exception, as currently drafted, a financial institution must include in its initial notice a separate description of the categories of information that the financial institution discloses and the categories of third parties with whom the financial institution has contracted. We are concerned that, once the initial notice is sent, the financial institution may not be able to outsource a new service because it would require a new disclosure to all of its customers, which would be prohibitively expensive. Financial institutions could be locked in to outsourcing decisions they had made or contemplated prior to the time of the initial disclosure. In order to economically justify the use of a new outsourcing arrangement, the financial institution would have to factor in not only the cost of the outsourcing and the practical benefits, but also the cost and confusion of sending a change-in-terms notice to each of its customers.
We see no public policy benefit in requiring the initial notice to describe outsourcing arrangements under Section 248.9, because the Regulation does not permit consumers to opt out of the sharing of information under such outsourcing arrangements. The notice will simply cause confusion among consumers. Outsourcing programs under Section 248.9 should be accorded the same treatment as the outsourcing programs under 248.10. In both cases, a financial institution is choosing to contract with a third party to provide a service on its behalf, for reasons of efficiency or other considerations. These exceptions allow financial institutions to make rational economic decisions about how best to run their businesses.
Financial institutions use service providers for many purposes, including marketing of the financial institution's products on behalf of the financial institution through direct mail, telemarketing or other channels, the preparation and validation of scorecard models, and answering customer service calls. Sometimes the service provider is the initial point of contact between the financial institution and a prospective customer. For example, a financial institution may contract with a service provider to act as its agent to make telemarketing calls with individuals on a prospect list. In this situation, it would be impossible to give the consumer the initial notice before information is shared with the service provider. Such outsourcing arrangements will not be possible under the Proposed Regulation, as currently written.
Joint Marketing Exception (Section 248.9(b))
Additional examples to clarify the types of agreements and marketing arrangements which fall within the scope of the exception would be helpful. For example, it should be clear that a marketing arrangement between a registered investment advisor and its advised mutual funds is not subject to an opt out.
We believe that financial institutions should be able to use this joint marketing exception to offer any products or services that may be offered by a financial institution, including those that are "complementary" to financial products and services, as defined in Section 4(k) of the Bank Holding Company Act of 1956, as amended. Institutions should not be penalized for the business decision to offer complementary products through a venture with an unaffiliated third party, rather than incurring the costs associated with developing an in-house capability to market such products and services. The joint marketing exception was designed to allow a financial institution to outsource activities that it could perform itself, and there is no public policy benefit to be gained by limiting the ability of financial institutions to offer innovative products that are "complementary" to financial services through cooperative relationships.
If, in the future, a new product is deemed to be financial in nature and the product category was not included in the joint marketing language of the initial notice, then a financial institution will not be able to offer the new product through a joint marketing arrangement unless it first rediscloses to all of its customers. This may limit the development and availability of new financial products, and operate to reduce choices for consumers. We urge the Commission to permit broad language in the initial notice to allow for the future development of financial and complementary products that will benefit consumers.
Other exceptions to notice and opt out requirements (Section 248.11)
Care should be taken that any safeguards do not unduly restrict the ability of customers to grant consent in specific instances. Unduly restricting the ability of customers to consent to the sharing of customer information may stifle innovation in the development of new and more convenient products or delivery channels such as the telephone or internet. A requirement, for example, that consent be in writing would make telephone transactions virtually unworkable and internet transactions uncertain at best. Such a requirement would not be in the best interests of consumers.
In addition, financial institutions frequently offer bundled products with multiple legal entities providing pieces of a single product. In these situations, a customer's consent to the sharing of information among the participating entities should be implied by the customer's selection of the product.
We suggest that if a customer's consent to share information is revoked, the financial institution should have a reasonable period, such as 30 days, to implement the change.
Limits on sharing of account number information for marketing purposes (Section 248.13)
We believe that exceptions and safe harbor examples are needed in this Section. First, financial institutions should be permitted to share account numbers with service providers who are marketing the financial institution's products and services on behalf of the financial institution under the Section 248.9 exception. For example, a financial institution may engage a service provider to contact the financial institution's existing customers to make them aware of a new product. The service provider is acting as agent for the financial institution in selling the financial institution's own products and services. We believe that the Act permits a financial institution to share account numbers with nonaffiliated third parties that are engaged in marketing the products or services of the financial institution. The prohibition in the Act was intended to apply to circumstances in which a financial institution provides account numbers to a third party for purposes of marketing the third party's products or services. The Proposed Regulation should be revised to clarify that financial institutions are permitted to outsource their marketing efforts. There is no public policy purpose to be gained by forcing financial institutions to become inefficient horizontally integrated marketing organizations.
In addition, we believe that Section 248.13 should not be interpreted to prohibit a vendor that processes account statements for a financial institution from inserting marketing material, whether relating to the financial institution's own products or a third party's, into the statement envelope at the direction of the financial institution. An example should be added to clarify that this practice is not prohibited.
We also believe that the Commission should clarify that this Section does not prohibit a financial institution from sharing account numbers for fulfillment of customer requests and similar non-marketing purposes. Section 502(d) of the Act restricts the sharing of information for marketing purposes, but not for other purposes.
Key-Encrypted Account Numbers
We urge the Commission to clarify that the term "account number or similar form of access number or access code" in Section 248.13 does not include an account number or other similar number that is key-encrypted when provided to the nonaffiliated third-party marketer, as long as the nonaffiliated third-party marketer is not given the information or device needed to decode or unscramble the encrypted number. In addition, the final Regulation should clarify that the term "account number or similar form of access number or access code" does not include a reference number used by the financial institution to identify a particular account holder, including a partial or truncated account number, provided that the reference number cannot be used by the recipient nonaffiliated third-party marketer to access the particular account.
Thank you again for the opportunity to comment on these Proposed Regulations. If you have any questions concerning these comments, please contact Julie Johnson, Director of Information Policy and Privacy, at (614) 248-5654, or Andrea Beggs, Law Department, at (312) 732-5345.
Very truly yours,
Kenneth J. Sperl
Deputy General Counsel,
Senior Vice President
[1] 145 Cong. Rec. S13,902-03 (daily ed. November 4, 1999)