March 31, 2000
Mr. Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549
Re: Privacy of Consumer Financial Information
(Proposed Regulation S-P)
File No. S7-6-00
Dear Mr. Katz:
The Investment Company Institute1 is pleased to comment on the Securities and Exchange Commission's proposed Regulation S-P relating to the privacy of consumer financial information.2 Financial privacy is an important issue and one that the Institute and its members take very seriously. The success of our industry relies on the industry's ability to maintain the confidence of investors. Thus, among other things, investors must remain confident that investment companies and investment advisers adequately protect the privacy of their personal financial information. With this in mind, the Institute supported the enactment of the privacy provisions in the Gramm-Leach-Bliley Act (the "G-L-B Act") last fall. We believe the G-L-B Act and the implementing rules will provide extensive and appropriate privacy protection to investment company shareholders and individual advisory clients.
In general, the Institute supports the Commission's proposal and believes that proposed Regulation S-P will effectively implement the privacy protections contained in the G-L-B Act. Set forth below are our specific comments on the proposal. Our comments address: (1) the use of examples in the rules; (2) several issues relating to the notices required under the rules; (3) certain definitional issues concerning what information triggers the notice requirements; (4) issues related to sharing information with nonaffiliated third parties; (5) the proposed effective date and transition rule; and (6) the proposal concerning procedures to safeguard customer records and information. We also have two minor technical comments on the text of the proposed rules.
I. The Use of Examples
Proposed Regulation S-P contains rules of general applicability followed by examples designed to provide guidance on how the rules are likely to apply in particular circumstances. This format is the same as that followed by the other federal financial regulators in their rule proposals. The Commission's examples differ from those used by the other federal financial regulators, however, in that compliance with the examples in proposed Regulation S-P would not necessarily constitute compliance with the applicable rule.3 In the other regulators' privacy rule proposals, compliance with the examples would be considered a safe harbor.
We support the use of examples in the rules to provide guidance to entities subject to the rules. In addition, in the absence of any clear reason for different treatment by the Commission, we believe it would be appropriate for the Commission to take the same approach to the use of examples as the other regulators. Thus, we strongly encourage the Commission to give the examples the force and legal effect of a safe harbor, as the other regulators' privacy proposals would do.4
II. The Required Notices
A. Method of Providing Notices
Proposed sections 248.4, 248.5 and 248.8 describe when initial, annual and opt out notices are required and how they may be provided. Each proposed section sets forth the general rule that these notices must be provided so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.5
In a letter to the Commission staff last year, we urged the Commission to propose rules that would permit financial institutions to determine the most appropriate vehicle for providing the notice, so long as it is reasonably designed to reach investors.6 We noted, for example, that funds may want to include the notices as a part of transaction confirmations, account statements, prospectuses, profiles, shareholder reports or investor newsletters, or as one or more stand-alone documents in a mailing with any one of those documents.7 Similarly, investment advisers may want to incorporate the notice into their brochures.
We are pleased that the general rules set forth in proposed sections 248.4(d)(1), 248.5(b) and 248.8(b) adopt this flexible approach and we support those provisions as proposed. Additional examples would be helpful, however, to clarify that funds and advisers may satisfy the "reasonably designed to reach investors" standard by using any one of the methods outlined above. In particular, we urge the Commission to add an example stating that an investment company would satisfy its initial and annual notice obligations with respect to a customer if the customer receives a fund prospectus,8 annual report or investor newsletter that contains the relevant privacy disclosure in a clear and conspicuous manner. The Commission also should consider a similar example stating that initial notices may be included in account application forms, whether they are in print or electronic form.
The definition of "consumer" includes an individual's legal representative.9 We assume that if a financial institution has knowledge that an individual has a legal representative, any notice obligation owed to that individual could be satisfied by delivery of a notice to that individual's legal representative. The Commission may wish to consider whether a clarification of this point is necessary.10
We further recommend that the Commission specifically permit householding of privacy notices. The same justifications for allowing householding of prospectuses and shareholder reports (i.e., reducing the number of duplicate disclosure documents delivered to investors)11 would be equally applicable in this context (and, as noted above, some fund groups may elect to provide privacy notices in these documents).
In our earlier letter, we also recommended that the rules permit notices provided electronically to take a variety of forms, including e-mail, so long as the means chosen are reasonably designed to reach investors. We believe that the proposed rule appropriately provides this flexibility. However, we have two suggestions relating to the delivery of notices in electronic form.
First, we recommend that the example in proposed section 248.4(d)(5)(C) be clarified. That example states that a financial institution may reasonably expect that a consumer who conducts transactions electronically will receive a privacy notice if the notice is posted on the electronic site and the consumer is required to acknowledge receipt of the notice as a necessary step to obtaining the product or service. We recommend that the words "consumer who conducts transactions electronically" be changed to "consumer who obtains a financial product or service electronically." This would be consistent with the definition of consumer and the rest of the example, both of which refer to obtaining financial products or services rather than conducting transactions.
Second, as noted above, proposed sections 248.4(d)(1), 248.5(b) and 248.8(b)(1) require that initial, annual and opt out notices must be provided "so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form." We see no reason to require an agreement if there is evidence that the consumer has received actual notice. Accordingly, we recommend that the Commission clarify that where a financial institution can reasonably expect that a consumer has received a notice delivered electronically (e.g., in accordance with the example in proposed section 248.4(d)(5)(C) discussed in the previous paragraph), there is no separate or additional requirement under the proposed rules to obtain the consumer's consent to electronic delivery of that notice. This clarification would be consistent with the Commission's October, 1995 and May, 1996 interpretive releases on the use of electronic media, which indicate that evidence of delivery of electronic disclosure documents can be established through several means, including either initial consent or evidence of actual receipt.12
B. Timing of the Notices
Proposed section 248.4(a)(1) would require that a financial institution provide an initial notice to every individual who becomes its customer prior to the time that it establishes a customer relationship.13 The Institute urges the Commission to delete the "prior to" requirement, for several reasons.
First, there is no clear basis for it. In this regard, we note that Section 503(a) of the G-L-B Act requires the initial notice to be provided "[a]t the time of establishing a customer relationship with a consumer," not prior to establishing such a relationship. The Release does not discuss the Commission's rationale for diverging from the statutory requirement.
Second, it is not clear how investment companies, particularly those sold by non-affiliated broker-dealers, could comply with the proposed requirement to provide initial privacy notices "prior to" the establishment of the customer relationship. For example, a fund would not normally even have nonpublic personal information about its customers until their applications are processed.
Third, we believe that the goals of the G-L-B Act would be served by permitting investment companies to provide initial privacy notices at the time of the confirmation of a purchase of fund shares. This approach would be consistent with the Commission's intent to allow financial institutions to provide privacy notices at the same time that they are required to provide other notices, and thereby to "strike a balance between (i) ensuring that consumers will receive privacy notices at a meaningful point when 'establishing a customer relationship' and (ii) minimizing unnecessary burdens on financial institutions that may result if a financial institution is required to provide a consumer with a series of notices at different times in a transaction."14 This timing would parallel prospectus delivery requirements, thus representing a "meaningful point" when establishing a customer relationship. It also would provide funds with appropriate flexibility to comply with the initial notice requirement by including their initial privacy notice in or with the prospectus or confirmation statement. The Commission could implement our proposed approach by revising proposed section 248.4(a) and the example in proposed section 248.4(c)(2)(iv) to provide that an investment company has a customer relationship with a consumer upon confirmation of the purchase of shares the investment company has issued (where the consumer is the record owner of the shares).
C. Persons Entitled to Receive Notices: Consumers and Customers
Consistent with the Act, proposed Regulation S-P draws a distinction between "consumers" and "customers." The proposed rules define "consumer" to mean an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes.15 A "customer" is a consumer who has a customer relationship with a particular financial institution.16 While we support the adoption of these definitions, we have a number of comments relating to the examples that follow them. Our comments relate to: (i) when an individual should be considered a consumer of a financial institution; (ii) a fund shareholder's relationship to the fund complex; (iii) the status of transfer agents; and (iv) the use of joint notices by fund complexes.
"Consumers" of financial products or services. We have two comments relating to the definition of consumer. First, the example that immediately follows the definition of consumer should be deleted. That example indicates that an individual who provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain brokerage services or investment advisory services is a consumer whether or not the financial institution actually provides such services or establishes an ongoing relationship with the individual.17 This would significantly expand the statutory and proposed regulatory definition of consumer by adding the words italicized above. Specifically, both Section 509(9) of the G-L-B Act and proposed section 248.3(g)(1) define consumer to mean an individual who obtains financial products or services.18 Neither definition would apply to an individual who seeks to obtain financial products or services but does not actually obtain them. Moreover, the example seems inconsistent with the next example in this section, which provides that an individual who provides certain information in connection with a request for a prospectus or investment adviser brochure is not a consumer.19 Accordingly, we strongly recommend that this example be deleted.
Second, we suggest that the Commission clarify the meaning of "financial product or service" as that term relates to activities on financial web sites. For example, it may be appropriate for a person who provides a financial institution with detailed personal financial information in order to utilize a web-based retirement planning calculator to be deemed a consumer who has obtained a financial product or service. It would not be appropriate, however, to deem every person who downloads retirement planning literature from a web site also to be a consumer.20 One or more examples may be appropriate to better describe who would be a consumer in this context.
The relationship between fund shareholders and a fund complex. We suggest clarifying that an investor that purchases shares of an investment company in his or her own name has, in effect, entered into a relationship with the entire fund complex of which the fund is a part. The Commission seems to have recognized this, at least in part, by stating that where an individual investor is the record holder of fund shares, he or she is a customer of the investment company and its principal underwriter.21 However, at least in some cases, the investor should be considered to have a customer relationship with the fund's primary investment adviser. While the principal underwriter of a fund is often affiliated with the adviser (and therefore part of the fund complex), this is not always the case. For example, bank-advised funds often employ a third party underwriter.22 In such cases, a fund shareholder is likely to consider himself a customer of the bank's fund complex, rather than a customer of the underwriter. Accordingly, we recommend that the Commission state in its release adopting Regulation S-P that, at least in some cases, a record holder of mutual fund shares would be considered a customer of the fund's primary investment adviser for purposes of Regulation S-P. In so doing, the Commission should make it clear that this customer relationship exists solely for purposes of the privacy rules, and does not create any other legal obligations between a fund's adviser and shareholders of the fund.23 In addition, to avoid confusion, the example in proposed section 248.3(k)(2)(i)(C) should be revised to include an express reference to the fund's principal underwriter, as well as to its primary investment adviser.24
Transfer agents. We recommend that the Commission clarify that a fund transfer agent is a service provider to the investment company and does not, by acting in that capacity, establish a customer relationship with fund shareholders for purposes of Regulation S-P.25 Of course, this clarification would in no way interfere with a transfer agent's ability to direct information to different entities within the fund complex. The Commission similarly should clarify that unitholders of a unit investment trust typically do not have a customer relationship under the rule with the trust's trustee.26 As noted above, investors generally view themselves as customers of the fund complex. Many would be baffled if they were to receive a privacy notice from a third party transfer agent or a UIT trustee.
Joint notices. Consistent with the statement in the Release that the proposed rules do not prohibit two or more institutions from providing a joint initial, annual, or opt out notice,27 the Commission should clarify that an investment company shareholder can be provided with a single notice on behalf of the fund complex. This approach would avoid potential confusion on the part of investors, eliminate the receipt of multiple, duplicative notices by investors and reduce administrative burdens on fund complexes. For this purpose, it may be necessary to define the term "fund complex" under the rules. We recommend that the term be defined to include a "family of investment companies" as defined in Form N-SAR, as well as the fund's principal underwriter and primary investment adviser.
D. Application of Notice Requirements to Purchases Through Intermediaries
In our December 1999 letter to the staff, the Institute recommended that the Commission define the customer relationship, with respect to fund shares sold through an intermediary, to mean the relationship between the shareholder and the intermediary.28 Although the proposed rule does not completely embrace this approach, it provides that an investment company shareholder who is not the record owner of fund shares does not have a customer relationship with the investment company. We are pleased that the Commission's proposal recognizes that there are instances involving intermediaries in which the investment company does not have a customer relationship with individual fund shareholders. We believe, however, that tying the existence of a customer relationship to record ownership of fund shares may be inappropriate in certain circumstances.
For example, some shareholders hold investment company shares in their own name that were purchased through a broker-dealer that is not affiliated with the investment company or its primary investment adviser. We understand that it is common in these circumstances for the fund complex to limit its use of a shareholder's information to that which is necessary to service or administer his or her account. As a result, all parties involved - the broker-dealer, the fund complex and the shareholder - view the shareholder's customer relationship as being with the broker-dealer, rather than the fund complex, and act accordingly. We recommend that the Commission take this situation into account by providing that such a shareholder is a consumer, rather than a customer, of the fund complex where the complex does not use that shareholder's personal information for any purpose other than servicing or administering his or her account.29 Thus, under these circumstances, the fund complex would not be required to send privacy notices to the shareholder unless it intended to disclose his or her nonpublic personal information to a nonaffiliated third party. Requiring the fund complex to provide privacy notices to the shareholder as a customer in these circumstances is not necessary to promote the goals of the G-L-B Act, given the complex's limited use of the information.30
E. Retirement Plans
Neither the Release nor the proposed rules specifically address the application of proposed Regulation S-P to retirement plans, such as 401(k) plans, where mutual funds can be used as investment options. We assume that retirement plans were never intended to be covered, based upon the definitions of "consumer" and "customer relationship," which reference individual purchasers who hold shares in their own name.31 Since a 401(k) plan purchases mutual fund shares on its own behalf and holds those shares in its own name, rather than in the name of individual plan participants, it cannot be a consumer or customer for purposes of the privacy rules. This is consistent with the Commission's proposal not to treat individual fund shareholders as customers of an investment company unless they are the record owners of fund shares. We recommend that the Commission clarify that the rules are not intended to apply in this context.32
III. Definitional Issues
A. "Nonpublic Personal Information"
The Commission invited comment on whether the definition of "nonpublic personal information" should cover information about a consumer that contains no indicators of a consumer's identity.33 It should not. The sharing of information that is not in any way personally identifiable does not pose any threat to consumers' privacy. Moreover, this information is extremely useful in developing new products and services or testing new technologies that benefit all consumers. It would not further any public policy to restrict its use.
Thus, we recommend that the final rule make clear that information that includes no personal identifiers is not "personally identifiable," and therefore is not "nonpublic personal information." Along these same lines, it would be helpful for the Commission to add an example to the Definitions section of Regulation S-P indicating that "nonpublic personal information" does not include information about an investor provided to a third party for the purpose of preparing market studies, developing new products or services, or testing new technologies or platforms, if the information contains no personal identifiers.
B. "Publicly Available Information"
Proposed section 248.3(w)(1) defines "publicly available information" as information the financial institution reasonably believes is lawfully made available to the general public, if the information comes from one of three sources: (i) official public records; (ii) widely distributed media; or (iii) disclosures required to be made to the general public by federal, State, or local law.
The proposed rules treat information as publicly available if it could be obtained from one of these three public sources, whether or not the institution actually obtains it from a publicly available source. However, the Commission invited comment on whether the definition of "publicly available information" should treat information that is publicly available as nonpublic if the institution does not actually obtain the information from a listed public source.34 We believe that the definition of publicly available information should be adopted as proposed. If information is available from a public source, the individual would not have a reasonable expectation that the financial institution would treat that information as nonpublic. In addition, the latter definition would create undue administrative burdens for financial institutions by requiring them to retain substantiation of the sources of their information in order to prove that publicly available information in their possession was actually obtained from a public source.
IV. Sharing Information with Non-Affiliates
A. Timing Issues Relating to the Opt Out
The G-L-B Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless, in addition to other things, the institution provides the consumer with a reasonable opportunity to opt out of that disclosure and the consumer does not opt out.35 The proposed rules set forth as an example of providing a "reasonable opportunity" mailing the required notices to the consumer and giving the consumer "a reasonable period of time, such as 30 days, to opt out."36 The Commission requested comment on whether 30 days is a reasonable opportunity to opt out in the case of notices sent by mail, and on whether an example in the context of transactions conducted using an electronic medium would be helpful.
We believe that 30 days generally would provide consumers and customers with a reasonable opportunity to opt out in the case of notices sent by traditional mail, and we support the inclusion of that example in the proposed rule. We also strongly support the addition of one or more examples relating to electronic media, since the length of time necessary to afford a reasonable opportunity to exercise an opt out may substantially differ according to the medium by which the opt out is offered. For example, it would be reasonable to assume that a consumer or customer who clicks through an opt out screen on a web site without opting out has, at that moment, made a choice. Accordingly, the financial institution immediately should be able to share information according to its opt out notice. We recommend that the Commission, at a minimum, provide an example in the rule to this effect.
The proposed rules also provide that consumers and customers have the right to opt out at any time and that, if they do so, the financial institution must stop sharing information as soon as reasonably practicable.37 The Commission sought comment on whether the rules should specify a time within which an institution must stop sharing information and, if so, what that time period should be. We strongly support the flexible, "as soon as reasonably practicable" standard as proposed. The wide variety of types and sizes of financial institutions and the various systems and procedures that they may employ to stop sharing information make a specific time period impracticable.38
B. Third Party Compliance with Limits on Redisclosure of Information
Section 248.12 of the proposed rules would implement the G-L-B Act's limitations on redisclosure and reuse of nonpublic personal information. Generally, these limitations prohibit a third party receiving information from a financial institution from disclosing that information unless the disclosure would be lawful if made directly by the financial institution. The Commission sought comment on whether financial institutions should be required to develop policies and procedures to ensure that third parties receiving information comply with the above-mentioned limits on redisclosure and reuse.39 We do not believe that such a requirement would be necessary or appropriate. It is our understanding that the financial institution's contract with the third party typically would place strict limits on the third party's ability to redisclose or reuse the information outside of the services that it is providing to the financial institution. These contractual provisions should be sufficient to ensure compliance with Regulation S-P in this regard.
C. Disclosure of Account Numbers
The G-L-B Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, account numbers or similar forms of access numbers or access codes for a consumer's account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or marketing through electronic mail to the consumer. The proposed rules apply this prohibition to disclosures made directly or indirectly by a financial institution. The Release notes that the conference report for the G-L-B Act encourages the federal financial regulators to adopt an exception to permit disclosures of account numbers or access codes "in an encrypted, scrambled, or similarly coded form, where the disclosure is expressly authorized by the customer and is necessary to service or process a transaction expressly requested or authorized by the customer," and seeks comment on whether the Commission should propose such an exception.
We support allowing disclosures of account numbers and/or access codes where a consumer consents. For example, two or more companies might provide a jointly managed service (such as a web-based service where advertising might be displayed), where a customer consents during the sign-up process to the use of his or her account number or password as the access code. Even if the Commission decides not to adopt an exception on this point, we suggest adding an example that clarifies that the prohibition is intended to prevent unaffiliated third parties from having access to account information while marketing their own products or services. The prohibition should not apply if the financial institution is using the marketing firm to assist the financial institution in marketing its own financial products or services.40
D. Joint Accounts
The Commission requested comment as to how the right to opt out should apply in the case of joint accounts.41 We believe that opt out rights should be afforded separately to each owner of a joint account. However, not all firms will be able to apply an opt out by one joint owner solely with respect to that owner's nonpublic personal information. Accordingly, we recommend that firms be given the flexibility to either apply such an opt out to the particular owner opting out or to the joint account as a whole.
V. The Effective Date and Transition Rule
Section 510 of the G-L-B Act provides an effective date for the Act's privacy provisions of six months after the rules implementing them are adopted, or such later date as prescribed in those rules. Section 504(a)(3) requires those rules to be issued in final form no later than six months after the day the G-L-B Act was enacted (November 12, 1999). Taken together, these provisions ensure that the privacy provisions in the Act will not take effect before the rules implementing them.
In accordance with these mandates, proposed section 248.16(a) provides an effective date for proposed Regulation S-P of November 13, 2000. The effective date is premised on adoption of a final rule by May 12, 2000, six months after the enactment of the G-L-B Act, as required by section 504(a)(3). In addition, under the proposal, initial privacy notices would have to be provided to consumers who are customers as of the effective date within 30 days of the effective date.42 The Commission invited comment on whether six months after adoption of final rules is sufficient to enable financial institutions to come into compliance with the rules, and whether 30 days after the effective date is enough time to permit a financial institution to deliver the required notices.
As the Release notes, in the first year after the rules are adopted, financial institutions will be required to: (i) prepare notices describing the institution's privacy policies; (ii) provide an initial privacy notice and opt out form to each consumer (if it intends to share nonpublic personal information about that consumer with a nonaffiliated third party); (iii) provide an initial privacy notice to each new customer (who did not receive a notice when he or she was a consumer); (iv) provide an annual privacy notice to each existing customer; and (v) adopt policies and procedures that address the protection of customer information and records.43 In addition, firms may spend significant additional time designing and printing the new notices, modifying account applications and web screens, modifying systems and software to account for receiving and tracking opt-outs, and addressing the regulatory requirements in contracts and with business partners and service providers. Personnel also must be trained to follow the new policies and procedures. There is no question that this will be a significant undertaking for financial institutions, requiring the devotion of substantial resources.
The Institute and its members appreciate, however, that implementing these extensive new privacy protections as soon as reasonably practicable is good public policy. Accordingly, we support the Commission's proposal to make Regulation S-P effective six months from adoption of the final rule.
We strongly recommend, however, that the Commission extend the proposed transition period for providing initial privacy notices to persons who are customers as of the effective date to allow these notices to be included in a regular mailing to shareholders or individual advisory clients. In this regard, we note that while some funds and investment advisers send monthly statements to investors, they are not required to do so. Virtually all funds (or the intermediaries that sell them) send year-end statements, as do virtually all investment advisers with individual clients. Thus, we strongly recommend that the Commission allow financial institutions to provide initial privacy notices to existing customers no later than with the year-end statement for 2000. This change could be implemented by extending the transition period to 90 days after the effective date of Regulation S-P. A 90-day transition period would avoid the substantial costs that a special mailing to fund shareholders and/or individual advisory clients would entail.44
VI. Procedures to Safeguard Customer Information and Records
Under section 501(b) of the G-L-B Act, the Commission must "establish appropriate standards" relating to administrative, technical and physical safeguards for nonpublic personal information. The Commission has proposed section 248.30 to implement this requirement. That provision would require every broker, dealer, investment company and registered investment adviser to adopt policies and procedures that address those safeguards. Consistent with the G-L-B Act, the proposed rule requires that the policies and procedures be reasonably designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
We strongly support proposed section 248.30 as proposed, particularly its flexible, process-based approach. Given the number and range of security systems and technologies that might be affected, the speed with which those systems and technologies are developing, and the need for individual firms to adopt safeguards that are appropriate to their particular circumstances, we believe that it is important to avoid prescriptive rules in this area. The Commission's approach will ensure that every fund complex has appropriate procedures in place to ensure the integrity, confidentiality and security of customer information, while allowing them the flexibility to tailor and amend those procedures as appropriate.
We recommend that the Commission add an example clarifying that the various financial institutions in a fund complex could (but are not required to) satisfy their obligations under this rule by adopting a single, complex-wide set of policies and procedures. The example should further clarify that these policies and procedures could be administered by the entity that maintains the information, which typically would be the fund's transfer agent.
VII. Technical Comments
We have two technical comments on the text of the proposed rules. First, proposed section 248.5(c)(2)(iii) provides an example that an investment company no longer has a continuing relationship with an individual who "no longer holds shares in the company." For consistency with the rest of the proposal, we recommend that this provision state that an investment company no longer has a continuing relationship with an individual who "no longer holds shares in the company in his or her own name." This would take into account a situation where, for example, a shareholder who owns fund shares in his or her name transfers those shares into street name in a brokerage account.
Second, proposed section 248.7(b)(2) states that unless a financial institution complies with the opt out provisions, it may not "disclose any nonpublic personal information about a consumer that [the financial institution has] collected." We recommend that this provision expressly reference nonaffiliated third parties to avoid any potential confusion as to whether a financial institution could disclose nonpublic personal information to affiliates. Specifically, we recommend that the provision state that a financial institution may not "disclose to any nonaffiliated third party any nonpublic personal information about a consumer that [the financial institution has] collected."
* * * * *
The Institute appreciates the opportunity to express its views on this important proposal. If you have any questions about these matters or need any additional information, please contact me at (202) 326-5815, Frances Stadler at (202) 326-5822, or Bob Grohowski at (202) 371-5430.
Very truly yours,
/S/ Craig S. Tyle
Craig S. Tyle
cc: Paul F. Roye, Director
Division of Investment Management
C. Hunter Jones, Assistant Director
Office of Regulatory Policy
Penelope W. Saltzman, Senior Counsel
Office of Regulatory Policy
1 The Investment Company Institute is the national association of the American investment company industry. Its membership includes 8,021 open-end investment companies ("mutual funds"), 496 closed-end investment companies and 8 sponsors of unit investment trusts. Its mutual fund members have assets of about $6.728 trillion, accounting for approximately 95% of total industry assets, and over 78.7 million individual shareholders. The Institute also represents the interests of investment advisers. Many of the Institute's investment adviser members render investment advice to both investment companies and other clients. In addition, the Institute's membership includes 402 associate members that render investment management services exclusively to non-investment company clients. A substantial portion of the total assets managed by registered investment advisers are managed by these Institute members and associate members.
2 SEC Release Nos. 34-42484, IC-24326, IA-1856 (March 2, 2000), 65 Fed. Reg. 12354 (March 8, 2000) (the "Release").
3 See Release, 65 Fed. Reg. at 12355, n. 5 ("The examples are intended to describe ordinary situations that would comply with the applicable rule, but the particular facts and circumstances relating to each specific situation will determine whether compliance with an example constitutes compliance with the rule.").
4 Many of our comments recommend additional examples or modifications to proposed examples. If the Commission does not give the examples the force and legal effect of a safe harbor, the Commission should interpret these comments, whenever possible, as asking for additions or modifications to the text of the rules rather than the examples.
5 See proposed sections 248.4(d) (initial notice), 248.5(b) (annual notice; cross-referencing section 248.4(d)) and 248.8(b) (opt out notice).
6 See Letter from Craig S. Tyle, General Counsel, Investment Company Institute, to Robert E. Plaze, Associate Director, Division of Investment Management, Securities and Exchange Commission, dated December 21, 1999 (the "December 1999 ICI Letter").
7 Of course, a financial institution may fulfill its notice obligations by making one or more separate mailings to consumers and customers.
8 For new customers, we believe that funds should be permitted to satisfy the initial notice requirement by providing a prospectus with the confirmation statement. See the discussion under "Timing of the Notices" below.
9 Proposed section 248.3(g)(1).
10 This could be done by adding a new section 248.4(a)(3) or a new example under section 248.4(d) relating to delivery of notices to legal representatives.
11 See SEC Release Nos. 33-7766, 34-42101, IC-24123 (Nov. 4, 1999), 64 Fed. Reg. 62540 (Nov. 16, 1999).
12 See SEC Release Nos. 33-7233, 34-36345, IC-21399 (Oct. 6, 1995), 60 Fed. Reg. 53458 (Oct. 13, 1995) and SEC Release Nos. 33-7288, 34-37182, IC-21945, IA-1562 (May 9, 1996), 61 Fed. Reg. 24644 (May 15, 1996).
13 Proposed section 248.4(c)(2)(iv) states that an investment company establishes a customer relationship with a consumer at the time that the consumer purchases shares issued by the investment company (if the consumer is the record owner of those shares).
14 Release, 65 Fed. Reg. at 12359.
15 Proposed section 248.3(g)(1).
16 Proposed section 248.3(j). The distinction between consumer and customer determines the notices that a financial institution must provide. If a consumer never becomes a customer, the institution is not required to provide any notices to the consumer unless the institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties (outside of the exceptions as set out in proposed sections 248.10 and 248.11) - in which case the institution would provide initial and opt out notices. By contrast, if a consumer becomes a customer, the institution must provide an initial notice before it establishes the customer relationship and an annual notice during the continuation of the customer relationship (as well as an opt out notice if necessary).
17 Proposed section 248.3(g)(2)(i).
18 Proposed section 248.3(g)(1) adds the words "or has obtained" to the regulatory definition of consumer.
19 Proposed section 248.3(g)(2)(ii).
20 This would be analogous to requesting a prospectus, as described in proposed section 248.3(g)(2)(ii).
21 Release, 65 Fed. Reg. at 12359.
22 As a result of passage of the G-L-B Act, some bank-advised funds may begin to utilize principal underwriters that are affiliated with the fund's primary adviser. Many others, however, may not choose to do so.
23 A similar statement should be made with respect to the customer relationship between a principal underwriter and a fund shareholder.
24 In the Release, the example under the definition of "customer relationship" (proposed section 248.3(k)(2)(i)(C)) only refers to a record owner of investment company shares as being a customer of the investment company and does not mention the investment company's principal underwriter. The Commission should revise this example to be consistent with the statement in the Release referring to the principal underwriter, even if it chooses not to take our recommendation also to include an express reference to the fund's primary investment adviser.
25 Alternatively, the Commission may choose to simply clarify that transfer agents are not financial institutions subject to Regulation S-P. This seems to be implied by proposed section 248.3(x) (defining "you" to include broker-dealers, investment advisers and investment companies, but not transfer agents). See also Release, 65 Fed. Reg. at 12354 (noting that the proposed rules "include requirements for brokers, dealers, and investment companies, as well as investment advisers registered with the Commission") and section 505(a)(3)-(5) of the G-L-B Act (giving the Commission enforcement authority with respect to brokers, dealers, investment companies, and investment advisers, with no mention of transfer agents).
26 Some unitholders hold their shares in certificated form and thus are "registered holders" with the trustee. These unitholders should be deemed to have a customer relationship with the trustee.
27 See Release, 65 Fed. Reg. at 12359.
28 December 1999 ICI Letter, supra n.6.
29 Another possible approach would be to treat the fund complex in this scenario as a service provider under proposed section 248.10(b)(ii). We believe, however, that defining the shareholder to have a consumer relationship with the complex would be more appropriate, given that the shareholder holds the fund shares directly in his or her own name.
30 We note that there also may be situations where the broker-dealer and fund complex in our example are reversed: where all parties involved - the broker-dealer, the fund complex and the shareholder - view the shareholder's customer relationship as being with the fund complex, rather than the broker-dealer. For example, as the Securities Industry Association points out in its comment letter, some fund shares sold by broker-dealers are carried by the fund complex in the investor's name and future transactions between the investor and the fund complex occur directly without the involvement of the broker-dealer. In such a case, the broker-dealer merely acts as the initial sales conduit and does not independently have a continuing obligation with the investor. In those instances, the shareholder should be a customer of the fund complex and a consumer of the broker-dealer.
We also note that a shareholder's status as a consumer or a customer may change over time, as his or her relationship with the broker-dealer and the fund complex changes. For example, assume a shareholder terminates his or her relationship with a broker-dealer and initiates a direct relationship with the fund complex. Under our recommended approach, that shareholder would have initially been a customer of the broker-dealer and a consumer of the fund complex, but would have become a customer of the fund complex and a consumer (or former customer) of the broker-dealer.
31 See section 509(9) of the G-L-B Act and proposed section 248.3(g)(1) (defining consumer) and proposed section 248.3(k)(1)(C) (providing an example of a customer relationship in the investment company context).
32 We recognize that, by performing plan recordkeeping services, a fund complex may have individual plan participant information. If the Commission disagrees with our conclusion that the rule does not apply in the retirement plan context, we urge the Commission to treat these situations in a manner analogous to our recommendation above with respect to purchases of fund shares through intermediaries. Thus, where a fund complex has nonpublic personal information about individual retirement plan participants, those participants would be considered consumers of that complex, rather than customers.
33 Section 509(4) of the G-L-B Act defines "nonpublic personal information" to mean "personally identifiable financial information" (which the Act does not define) that (i) is provided by a consumer to a financial institution, (ii) results from any transaction with the consumer or any service performed for the consumer, or (iii) is otherwise obtained by the financial institution. "Nonpublic personal information" also includes any list, description, or other grouping of consumers -- and "publicly available information" pertaining to them -- that is derived using any nonpublic personal information. Proposed section 248.3(t)(1) restates these general categories. Proposed section 248.3(t)(2) provides that "nonpublic personal information" does not include publicly available information when the information is part of a list, description, or other grouping of consumers that is derived without using personally identifiable financial information. The definition also excludes any other publicly available information, unless the information is part of a list, description, or other grouping of consumers that is derived using personally identifiable financial information.
34 The banking agencies' privacy rule proposal (other than the Federal Reserve Board's, which proposed the same definition as the Commission) includes this alternative definition. See 65 Fed. Reg. 8770 at 8773-774.
35 Section 502(b) of the G-L-B Act.
36 Proposed section 248.7(a)(3)(i).
37 Proposed section 248.8(d).
38 See Release, 65 Fed. Reg. at 12363 (noting the Commission's decision that "the wide variety of practices of financial institutions made one limit inappropriate").
39 Release, 65 Fed. Reg. at 12364.
40 This latter situation would fall under proposed section 248.9, which provides an exception from the opt out requirements for the disclosure of information to nonaffiliated third parties for use in certain marketing arrangements.
41 Release, 65 Fed. Reg. at 12362.
42 The Release further indicates that "If a financial institution intends to disclose nonpublic personal information about someone who was a consumer before the effective date, the institution must provide the notices required by sections 248.4 and 248.7 and provide a reasonable opportunity to opt out before the effective date." Release at 46, 65 Fed. Reg. at 12365. According to the Release, if an institution is already disclosing information about such a consumer, it may continue to do so until the consumer opts out, in which case the institution must stop sharing nonpublic personal information about that consumer with nonaffiliated third parties as soon as reasonably practicable. The Release does not cite, and we are not aware of, any statutory basis for these requirements. It is not clear on what authority the Commission could impose a notice and opt out requirement that would take effect before the G-L-B Act and implementing regulations. We recommend that the Commission clarify this matter by formally withdrawing these statements in its release adopting Regulation S-P.
43 Release at 49, 65 Fed. Reg. at 12366.
44 One Institute member complex estimates that the incremental cost of doing a stand-alone mailing in December, as compared to including the notices with their year-end statement mailing, would be approximately $2,000,000.