MORGAN STANLEY DEAN WITTER & CO.
March 31, 2000
Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549-0609
Re: File No. S7-6-00 (Regulation S-P)
Dear Mr. Katz:
Morgan Stanley Dean Witter & Co. appreciates the opportunity to comment on proposed Regulation S-P issued by the Securities and Exchange Commission ("SEC") to implement the financial privacy provisions of the Gramm-Leach-Bliley Act ("G-L-B Act"). We acknowledge and value the SEC's efforts to reach an appropriate balance between protecting the privacy of consumers' financial information and ensuring the efficient operation of financial institutions.
Morgan Stanley Dean Witter & Co. ("MSDW") is a global financial services firm engaged in three primary businesses: securities, asset management and credit and transactions services. This letter addresses MSDW's comments to the proposed privacy regulations for its securities and asset management businesses.1
MSDW believes that the proposed regulation is generally consistent with the goals of the G-L-B Act. We set forth below comments and recommendations that we believe will further enhance the effectiveness of this regulation and carry out the legislative mandate of the G-L-B Act. In Section I, we highlight certain comments made by the Securities Industry Association ("SIA") in its comment letter on the proposed regulation. In Section II, we offer our additional comments on selected sections of the regulation that we believe would further clarify the regulation.
Section I: SIA Comment Letter
MSDW generally endorses the comments made by the SIA to the SEC in its letter dated March 31, 2000. We believe that the SIA's letter provides a thoughtful and meaningful analysis of the issues presented in the proposed rules. In particular, we concur with the SIA's requests regarding the following points.
A. Safe Harbor Status
The examples in the proposed rules should be treated as non-exclusive safe harbors. However, we caution that although compliance with the examples should be deemed as compliance with the rules, deviation from the examples should not automatically be viewed as violations per se.
B. Definition of "Personally Identifiable Financial Information"
We agree with the SIA that the SEC went beyond the mandate of the G-L-B Act by defining "personally identifiable financial information" to include "any information (i) provided by a consumer to [the firm] to obtain a financial product or service from [the firm]; (ii) about a consumer resulting from any transaction involving a financial product or service between [the firm] and a consumer; or (iii) [the firm] otherwise obtain[s] about a consumer in connection with providing a financial product or service to that customer." Rule 248.3(v). We do not believe that the legislative history supports expanding the definition to protect more than financial information relating to consumers.
In addition, we agree that the definition of "personally identifiable financial information," which includes "other information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer," is overly broad and leads to the conclusion that all information in the possession of a firm constitutes personally identifiable financial information. We believe that such a sweeping definition was never contemplated by the G-L-B Act. Therefore, we echo the SIA's recommendation that the rule be amended and that additional examples be included to clarify that not all information relating to a consumer or customer that is in the possession of a firm necessarily falls within the scope of the rule. Rule 248.3(v)(2)(i)(D).
Finally, we agree with the SIA that aggregated information or other "blind" information that does not contain any personal identifiers should be explicitly excluded from the definition of "personally identifiable financial information" since we believe that the use of such information does not implicate the privacy concerns of customers or consumers. As noted by SIA, aggregated data allows firms to conduct market analysis and research to improve the products and services they provide to customers. Rule 248.3(v).
C. Liability for Actions of Former Employees
The SEC should clarify that a firm's obligation to protect the privacy of customers does not impose liability on the firm for the actions of former employees in violation of such firm's policies and procedures. We believe that a firm should not be penalized for the independent actions of former employees (e.g., registered representatives or financial advisers) if they disclose nonpublic personal information concerning that firm's customers in violation of their duties to the firm. Rule 248.3(g).
D. Definition of "Nonaffiliated Third Parties"
The merchant banking example under the definition of "nonaffiliated third parties" should be amended to clarify that, for the purposes of Regulation S-P, a merchant banking fund or partnership would be an affiliate of the firm that established it. We believe that the example was intended to apply only to the portfolio companies in which an institution or its affiliated funds invest in the course of their investment or merchant banking activities, and we would concur with that determination. Rule 248.3(s)(2).
In addition, the definition of "nonaffiliated third party" should not cover temporary employees, directors, or other agents of the firm who carry out the business of the firm but may not necessarily fall within the classification of an "employee." To the extent that such persons are engaged in performing functions for the firm that the firm would otherwise perform directly for itself, they should not be distinguished from the firm's employees. Rule 248.3(s)(1).
E. Definition of "Publicly Available Information"
The SEC should adopt the proposed definition of publicly available information rather than the more restrictive alternative definition. We believe that the definition of publicly available information should include all publicly available information, regardless of the source. We also believe that all information that is disclosed or required to be disclosed by operation of law (foreign or domestic) should be considered publicly available information. Rule 248.3(w).
F. Definition of "Consumer"
The definition of "consumer" should be limited to natural persons and exclude trusts, personal holding companies, 401(k) plan participants, and limited liability partnerships. The definition should also provide further clarification of the term "legal representative" and of a firm's obligations where an individual has a legal representative. We share the SIA's belief that a firm satisfies its responsibilities under Regulation S-P by providing the requisite information to an individual's legal representative. Rule 248.3(g).
G. Definition of "Customer"
The definition of "customer" should be clarified to exclude situations where a broker acts as the initial conduit between a consumer and a mutual fund, but has no continuing relationship with the customer, and to exclude a de minimis number of sporadic, infrequent transactions. Rule 248.3(j).
H. Definition of "Clear and Conspicuous"
We do not believe that there is a need to detail in regulatory language examples of "clear and conspicuous" notice. The financial services industry has already developed standards of "clear and conspicuous" language in response to existing laws and regulations in other contexts. The examples provided in the proposed rule would only create confusion and second-guessing in those contexts. Rule 248.3(c).
I. Content, Timing and Presentation of Privacy Notices
Notices should be "reasonably understandable" and the SEC should clarify that securities firms are not discouraged from using general "boilerplate" disclosure in appropriate circumstances in which such disclosure is not "imprecise or readily subject to different interpretations." For example, boilerplate disclosure may be appropriate in the case of a firm that does not share nonpublic personal financial information about consumers with nonaffiliated third parties, excluding the excepted categories contained in rules 248.9, 248.10 and 248.11. Rule 248.3(c)(2)(i)(E).
Notices should be required to be provided at the time an account is established, not before. Rule 248.4.
Firms should also have the flexibility to provide the privacy notice separately or combined with other notices, depending upon the business' needs. Rule 248.8(b)(3).
Finally, we concur with the SIA's view that the G-L-B Act does not require disclosures with regard to sharing of affiliate information and that such disclosures should be limited to the requirements under the Fair Credit Reporting Act.
J. Simplified Notice
MSDW believes that the rule should permit firms sharing information only with affiliates to provide a simplified notice, rather than a longer notice detailing categories of information collected and an explanation of the opt-out right and procedures. We do not believe that the G-L-B Act is intended to impose new requirements on the sharing of information with affiliates. Rule 248.6(d)(4).
K. Joint Accounts
The rule should specify that opt-out notices need only to be provided to the primary account holder in a joint account in order to avoid cumbersome and duplicative notices to consumers. Rule 248.7.
L. Non-Conforming Opt-Out Notices
The rule should provide that firms are not obligated to process and adhere to non-conforming opt-out notices. Firms should have the ability to require their customers to follow a simple procedure clearly set out in its opt-out notice. In addition, the rule should be clarified to provide that opt-out notices will only be effective if given directly to the firm or its designee by a consumer or customer. Rule 248.7.
M. Joint Marketing and Servicing Agreements
The rule should grandfather prior joint marketing and servicing agreements or, in the alternative, permit a firm to comply with the rule's existing contractual relationship requirements by providing a notice of the rule's requirements to vendors. Requiring firms to audit all existing vendor agreements would result in large expenditures resulting in little, if any, additional protections for consumers. Rule 248.9.
N. Exceptions to Opt-Out Requirements
An example should be added to proposed rule 248.11(a)(2) to clarify that a firm may share nonpublic personal financial information with vendors that provide certain account opening services, without needing to provide an opt-out notice. These vendors (such as CDC and MIS) provide critical background information about securities market participants that enable firms to meaningfully assess such participants. Requiring firms to allow consumers to opt-out from such background inquiries unduly opens firms to fraud and prevents them from discharging their know-your-client responsibilities. Rule 248.11(a)(2)(ii).
Section II: Additional Comments
A. Increased Flexibility
MSDW generally supports the proposed regulation and in particular applauds the SEC for its efforts to provide flexibility in the regulation in a manner that protects the privacy interests of consumers and customers. In that spirit, MSDW requests that the SEC provide for additional flexibility with respect to the manner in which notices are given and opt outs may be exercised.
MSDW appreciates that proposed rule 248.4 provides firms with the flexibility to deliver the required notices to consumers electronically. This approach will undoubtedly reduce the regulatory burden imposed by the rule while enabling consumers to receive the notices in a convenient, easily accessible manner. MSDW suggests, however, that the examples provided in the initial notice rule should refer to "the consumer who communicates or conducts transactions electronically." Prior to the establishment of a relationship, no transactions will have taken place, only communications. In addition, some electronic systems through which customers have access to various information and communicate with firms do not have actual trade execution capabilities. Rule 248.4(d)(5)(i)(C).
In addition, MSDW suggests that the "electronic site" reference in that same paragraph is too specific as to the technology. We believe that the broader "electronic means" language found in the opt-out rule (Rule 248.8(a)(2)(ii)(C)) better ensures that the language in the rule does not recognize only processes that may become obsolete. Rule 248.4(d)(5)(i)(C).
Finally, MSDW requests that the SEC specifically authorize telephonic opt-outs. The proposed rules do not mention telephone requests or the maintenance of a toll-free number. Telephonic opt-outs have been recognized as an economical and efficient means of managing opt-out processes for financial institutions as well as their customers. In fact, the draft rules proposed by the Federal Trade Commission acknowledge that a toll-free number is a reasonable opt-out method. 65 Fed. Reg. 11,174, 11,193 (2000) (to be codified at 16 C.F.R. 313.8(a)(2)(ii)(D)).
B. Definitions of "Consumer" and "Customer"
Because the scope of the privacy provisions of the G-L-B Act is based on determinations as to who is a "consumer" or a "customer," the SEC has properly invested significant effort in defining both terms. MSDW respectfully requests that the SEC make the additional clarification that the rule applies to investment advisers only with respect to their consumer relationships with natural persons. By contrast, an investment adviser to an investment company does not maintain a customer relationship with the investment company's underlying shareholders, and should not be subject to the rule with respect to those shareholders. Rule 248.3(m).
MSDW also requests that the SEC include an additional example to make clear that in order to be deemed a consumer of a financial institution, an individual must take steps to obtain a product or service. Accordingly, an individual who receives an unsolicited mailing or advertisement from a financial institution should not be deemed to be a consumer of the institution simply by virtue of having received such material. Similarly, an individual would not be deemed a consumer of a financial institution solely because he or she is included in a list of potential prospects.
Finally, MSDW requests that the SEC clarify that, in the context of the mortgage and asset securitization business, the underlying mortgage holder or borrower does not become a "consumer" or "customer" of the firm that purchases the mortgage or assets for purposes of securitization activities. Therefore, we request that the SEC provide an example in the definition of "consumer" and "customer relationship" to reflect this particular situation. Rule 248.3(g) and (k).
On a related point, MSDW endorses the SEC's proposal to permit nonpublic personal information to be disclosed in connection with proposed or actual securitizations and secondary market sales or similar transactions. As the SEC knows, the asset securitization business promotes liquidity in the lending market by purchasing and securitizing pools of mortgage, credit card and other loans. As part of the securitization process, firms engaged in this activity must receive a large amount of personally identifiable information from the originating financial institution. Such information includes payment history and related information about the underlying mortgage holders that enable the firm to accurately value the mortgage asset. Without the exception provided by proposed rule 248.10(a)(4), Regulation S-P would cripple this business. MSDW requests that the SEC add an example to illustrate this point. Rule 248.10(a)(4).
C. Definition of "Collect"
MSDW believes that the proposed definition of "collect," which includes any personally identifiable information that is "retrievable . . . irrespective of the source of the underlying information," is overly inclusive and could encompass virtually all information in a firm's possession. MSDW therefore recommends that the definition be narrowed to include only "personally identifiable information that is organized or retrieved in the ordinary course of business." This approach would enable firms to provide meaningful disclosures to their customers of the information actually collected, not a description of all information the firm or any of its employees may obtain incidentally. Rule 248.3(d).
D. Annual Notice and Changes in Policy
MSDW understands from the SEC's proposing release that if a firm provides 30 days to opt out after the initial notice, the consumer or customer will have received a reasonable opportunity to opt out. MSDW requests clarification that if the consumer or customer delivers an opt-out notice at any time after that initial 30 day period (including at any time after the receipt of an annual notice), the firm may continue to disclose nonpublic personal information in accordance with the policy described in that notice during the time before it implements the opt-out request. Thus, the delivery of an annual notice that reiterates existing policy does not trigger a 30 day or other opt-out period that would impose a moratorium on the disclosure of nonpublic personal information. Rule 248.7(a).
Finally, we suggest that the SEC include a materiality condition to the requirement that a change-in-terms notice be issued. Rule 248.8(c) provides that a change-in-terms notice must be issued before any disclosure is made "other than as described in the initial notice." To the extent that the disclosure is made in a manner that departs from the initial notice in a nonmaterial way, we do not believe that a change-in-terms notice would be warranted. Rule 248.8.
E. Processing and Servicing
MSDW strongly urges the SEC to provide examples of situations that would fall within the processing and servicing exceptions found in Rule 248.10. In particular, we request the SEC to clarify that disclosures to outsourced call center services and other core customer servicing operations are captured by this exception, as are disclosures to debt collection agencies retained to collect amounts owed to the firm by particular customers. Rule 248.10.
F. Limits on Redisclosure and Reuse by Third Parties
The SEC has asked whether the rules should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. We do not believe that such a provision is necessary or appropriate. MSDW and other financial institutions routinely enter into written agreements with third parties prior to the sharing of information. These agreements contain provisions that require the third party to protect the confidentiality of any information disclosed in connection with the agreement and strictly limit the use of the information by the third party. We believe that these types of contractual provisions should be sufficient to ensure compliance by third parties (and their own agents and subcontractors) with the rules. Rule 248.12.
G. Effective Date
Finally, MSDW respectfully requests that the SEC defer enforcement of Regulation S-P until August 1, 2001. Our preliminary steps to ensure that all of the MSDW operating units subject to the new law are in compliance with it have revealed that firm-wide compliance may require considerable changes to internal procedures and support systems.
We are in the process of compiling information (not currently maintained centrally) concerning the data collection practices of all affected business units and their procedures for safeguarding customer information. This data (essentially a compendium of all personally identifiable information collected from any source by each business unit) must be evaluated to determine the extent to which any such information that is disclosed to third parties is subject to the opt-out requirement, or is within one of the exceptions to that requirement, or whether it may be appropriate to change existing information sharing practices pertaining to it. Once this is completed and the final G-L-B rules are promulgated, the content and format (and any required foreign-language versions) of the privacy policies and notices can be developed, and decisions made as to the best manner to communicate them to consumers and customers. Compliance will also require the implementation of a system to monitor information practices in the future (so that privacy policies will conform with actual practices), as well as systems to implement and update customer opt-out requests. These steps will require, at a minimum, systems changes and the development and implementation of training materials for customer service employees. Enhancements to telephone systems, data entry capabilities and personnel levels may also be required.
MSDW intends to work diligently towards full compliance with the new rules at the earliest time practically achievable, but we believe that a November 2000 compliance date may not be achievable. We urge the Commission to defer enforcement efforts in the initial months and focus instead on assisting industry members with the formidable task of understanding the requirements of the new law and rules and establishing appropriate policies and procedures to comply with them.
Thank you for the opportunity to comment on the proposed rule. Please do not hesitate to contact the undersigned at (212) 392-2486 if you have any questions or would like to discuss our comments.
Morgan Stanley Dean Witter & Co.
1 A separate letter has been submitted to the Federal Deposit Insurance Corporation ("FDIC") by Greenwood Trust Company, a subsidiary of MSDW that engages principally in the issuances of consumer credit cards, such as Discover Card and the Private Issue card, in response to the FDIC's proposed privacy rules. In addition, Morgan Stanley Dean Witter Trust, FSB has submitted a letter to the Office of Thrift Supervision in response to its proposed privacy rule.