Student Loan Servicing Allicance
March 31, 2000
|Mr. Donald S. Clark
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
| Communications Division
Office of the Comptroller
of the Currency
250 E Street, SW
Washington, DC 20219
Docket No. 00-05
|Mr. Robert E. Feldman
Attention: Comments/OES (RIN 3064-AC32)
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
|Manager, Dissemination Branch
Information Management &
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2000-13
|Ms. Jennifer J. Johnson
Board of Governors of the
Federal Reserve System
20th and C Streets, NW
Washington, DC 20551
Docket No. R-1058
| Mr. Jonathan G. Katz
Securities and Exchange
450 5th Street, NW
Washington, DC 20549
File No. S7-6-00
|Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314
Re: Gramm-Leach-Bliley Act Privacy Rule, 16 C.F.R. Part 313 -- Comment
Dear Sirs and Madams:
This letter is submitted to the Federal Trade Commission ("FTC") on behalf of the Student Loan Servicing Alliance ("SLSA") in response to the FTC's request for comment on the proposed privacy regulations (the "Proposed Rule") published March 1, 2000 implementing Title V of the Gramm-Leach-Bliley Act ("G-L-B Act"). In addition, this letter is being submitted to the Federal Reserve Board ("FRB"), the Office of the Comptroller of the Currency ("OCC"), the Federal Deposit Insurance Corporation ("FDIC"), the Office of Thrift Supervision ("OTS"), and the Securities and Exchange Commission ("SEC") (collectively, the "Agencies") because their proposed privacy regulations present many of the same issues as the FTC's proposal.
SLSA is an alliance of more than 30 organizations, which have responsibility for servicing and collecting approximately 80 percent of all outstanding federal students, a portfolio currently valued at more than $170 billion. SLSA's main focus is on operational and technical issues that impact customer service and administration of the federal student loan programs. SLSA works with other national education loan organizations, the U.S. Department of Education, and other interested parties to support the continuing enhancement and streamlining of the federal student loan programs.
* * * *
Following are our comments on the Proposed Rule, organized according to the Section number to which they relate.
SECTION ___.1. PURPOSE AND SCOPE.
SLSA believes that the Proposed Rule should not apply to entities whose primary role is to provide services pursuant to Title IV of the Higher Education Act. We also believe it is critical that if the Proposed Rule does not apply to the U.S. Department of Education as it administers the William D. Ford Direct Loan Program, then the Proposed Rule should not apply to participants under the FFELP. Currently, FFELP borrowers receive disclosures on the Privacy Act of 1974, the Right to Financial Privacy Act of 1978, and the Paperwork Reduction Act of 1995. We do not believe that the additional notification mandated here provides substantial information to the FFELP borrower that warrants the additional administrative burden and costs involved. Furthermore, due to the extensive statutory and regulatory guidelines that are already in place for the FFELP program, Congress has exempted FFELP participants from other consumer protection provisions. For example, FFELP loans are exempt from the requirements of the Federal Truth in Lending Act. We seek like treatment and clarification in Section ___.1(b) Scope or Section___.3(b) Definitions that participants in the FFELP and entities that provide services to participants in the FFELP are not "financial institutions" under the G-L-B Act.
SECTION ___.2. RULE OF CONSTRUCTION.
The Proposed Rule uses examples to provide guidance regarding how the privacy requirements would apply in specific situations. The Commission asks whether such examples are useful and should be included in the final version of the Rule. The use of examples should be retained in the final Rule. The use of examples provides invaluable guidance to financial institutions on how to comply with the obligations of the G-L-B Act. In addition, the Commission should retain in the final Rule the statement that the examples are not intended to be exhaustive and that compliance with an example, to the extent applicable, constitutes compliance with the requirements of the Rule.
SECTION ___.3. DEFINITIONS.
Definition of "Clear and Conspicuous"
The Proposed Rule states that a notice is "clear and conspicuous" when it is "reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice." The Proposed Rule supplements this definition of "clear and conspicuous" with several detailed examples.
Similar to the Proposed Rule, the Federal Reserve Board's Regulation Z (which implements the Truth-in-Lending Act) requires that disclosures made in connection with open-end credit must be given "clearly and conspicuously." 12 C.F.R. 226.5(a)(1). However, Regulation Z does not contain as detailed a definition of the term "clear and conspicuous" as the Proposed Rule. Although Regulation Z does provide that some terms must be more conspicuous than others, the general definition of the term "clear and conspicuous" is provided by the following Official Staff Commentary:
"The `clear and conspicuous' standard requires that disclosures be in a reasonably understandable form. It does not require that disclosures be segregated from other material or located in a particular place on the disclosure statement, or that numerical amounts or percentages be in any particular type size . . ."
Regulation Z Commentary § 226.5, Paragraph 5(a)(1).
The Regulation Z standard has been a workable standard for many years, is familiar to industry members and has served consumers well. The standard in the Proposed Rule is less flexible than Regulation Z and has the potential to create unnecessary confusion.
We recommend that the Commission amend the definition of "clear and conspicuous" in Section __.3(b) of Proposed Rule to track the Regulation Z Commentary quoted above. Consistent with this recommendation, we also recommend that the Commission (a) delete the phrase, "and designed to call attention to the nature and significance of the information contained in the notice" from Section __.3(b)(1) and (b) delete the examples listed in Section __.3(b)(2).
If the Commission nevertheless retains the proposed language (including the proposed examples) in the final regulation, then the following comments are provided with regard to the examples in Section __.3(b)(2). As a general matter, although Section __.3(b)(2) is entitled, "Examples," the examples given seem more to be prescriptions or rules of construction. This may lead to those examples becoming, either formally or de facto, examination standards. Accordingly, it is critical that these examples not create unduly burdensome or inappropriately vague standards or invite unwarranted litigation.
With regard to the specific examples, we have five comments:
First, Section __.3(b)(2)(i)(E) should be changed to read: "Avoids inappropriate use of complex legal and technical business terminology." The use of some legal or technical business language is unavoidable.
Second, Section __.3(b)(2)(i)(F) should be deleted as vague. Almost any written notice may be subject to differing interpretations.
Third, Section __.3(b)(2)(ii)(C) should be deleted. Whether a margin is "wide" and whether line spacing is "ample" are subject to differing interpretations and are unnecessary invitations to frivolous and possibly expensive litigation under, for example, state unfair and deceptive practices laws.
Fourth, in Section __.3(b)(2)(iii)(A), the term "larger" should be deleted and replaced with "distinctive." Without this change, financial institutions that choose to put more than one "clear and conspicuous" disclosure in the same document may find themselves in the predicament of having to have each disclosure be in "larger" type than the other.
Fifth, Section __.3(b)(2)(iii)(C) should be revised to read: "Shading, sidebars or other graphic devices to highlight the notice, whenever possible."
Definition of "Consumer"
In Section ___.3(e), the Proposed Rule defines the term "consumer" to include an individual who merely applies for credit regardless of whether credit is extended. By including such individuals, the Proposed Rule's definition of "consumer" is inconsistent with the G-L-B Act. Congress -- by defining the term "consumer" to mean an individual who "obtains" a financial product or service from a financial institution -- intended the term "consumer" to include only individuals who actually obtain a loan or account from the institution. To make the final Rule consistent with the G-L-B Act, the Rule should make clear that the term "consumer" does not include an individual who merely submits an application but never actually obtains a financial product or service.
In the Proposed Rule, the phrase "and that individual's legal representative" is confusing. Although we recognize that the G-L-B Act uses the word "and," we believe Congress's intention was to make it possible for a consumer to have a legal representative stand in the consumer's shoes. The word "and" in the Proposed Rule should be replaced with the word "or."
In an example, the Proposed Rule states, "An individual who makes payments to you on a loan where you own the servicing rights is a consumer. An individual is not your consumer, however, solely because you service the individual's loan on behalf of a financial institution that made the loan to the individual." This example is problematic to third-party servicers in the FFELP. FFELP lenders typically retain third-party servicers. Under the example, an individual who makes payments to a third-party servicer for the originating lender would not be a consumer of such third-party servicer. However, an individual who makes payments to a third-party servicer for a subsequent holder of the loan would be a consumer of such third-party servicer. This distinction seems unnecessary. We request clarification that an individual making payments to a third-party servicer, whether or not the lender made the loan to the individual, is not a consumer of the third-party servicer.
Definition of "Financial Institution"
SLSA believes that participants in the FFELP should not be considered "financial institutions" under the G-L-B Act. See discussion above under the heading "Purpose and Scope."
Even if some participants in the FFELP are considered "financial institutions," e.g., lenders and secondary markets, guarantee agencies should be excluded from the definition. Guarantee agencies are established pursuant to the Higher Education Act. They are regulated and reinsured by the Department of Education. All are either state agencies or private, non-profit organizations designated by the various states to serve as such states designated guarantor. For this reason, they are not engaging in a business, and therefore would not appear to come within the definition of "financial institution." The primary functions of guarantors are to provide loan insurance and default aversion assistance to lenders. If guarantee agencies were deemed to be "financial institutions," then borrowers of FFELP would receive two sets of disclosure notices, one from their lender, and one from the guarantee agency. This would undoubtedly be confusing to the borrowers.
There is one circumstance where a guarantee agency becomes a holder of a FFELP loan and thus, enters into a more direct relationship with the borrower. This occurs when the borrower defaults on his or her loan and the guarantee agency pays an insurance claim filed by the lender and takes assignment of the loan. Even here, however, the guarantee agency is acting under contract with the Department of Education, which reinsures the guarantee agency, regulates how the guarantee agencies maintain the loan, and may have the option to take assignment of a defaulted, nonperforming loan under a subrogation requirement. For this reason, we do not believe guarantee agencies should be treated as "financial institutions" even where they hold a defaulted loan.
Definition of "Nonpublic Personal Information"
Under Section 509(4) of the G-L-B Act, the term "nonpublic personal information" is defined to mean "personally identifiable financial information" that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. Under the Proposed Rule, however, the Commission essentially treats any personally identifiable information of a consumer as "financial information" if it is obtained by a financial institution in connection with providing a financial product or service to the consumer.
As a result, the Proposed Rule's interpretation of the term "financial information" is overly broad and is not supported by the statute or its legislative history. As explained in a colloquy between Senator Allard and Senator Gramm on Title V, Congress only intended the term "personally identifiable financial information" to include information that describes a consumer's "financial condition."1 Thus, the final Rule should adopt the narrower definition of "financial information" intended by Congress -- that is, only information that describes an individual's "financial condition," such as an individual's assets and liabilities, income, account balances, payment history and overdraft history. SLSA agrees in toto with the more extensive discussion of this topic included in the comments of Citigroup.
Under Section 509(4)(B) of the G-L-B Act, "publicly available information" is expressly excluded from the definition of nonpublic personal information. Nevertheless, in the Joint Notice, the Agencies seek comment on two alternatives of the definition of "nonpublic personal information" -- Alternative A and Alternative B -- which differ in their treatment of information available from public sources. Under Alternative A, information is public information only if it is actually obtained from a publicly available source (i.e., government records, widely distributed media or government-mandated disclosures). On the other hand, under Alternative B, information is public information if it can be obtained from a publicly available source, even if it was obtained from a customer or other source.
The final Rule should adopt the concept expressed in Alternative B -- that is, information which otherwise is generally available public information should not become nonpublic information merely because it is provided to a financial institution by a consumer or customer, or from some other third-party source. To do otherwise would elevate source over substance and foster needless factual disputes over the immediate origin of information which, by definition, is available to anyone and everyone.
The Agencies invited comment on whether the term "nonpublic personal information" should cover information about a consumer that contains no indicators of a consumer's identity when it is communicated to a nonaffiliated third-party recipient (so-called "depersonalized information"). Under Section 509 of the G-L-B Act, the term "nonpublic personal information" only includes "personally identifiable financial information." By using the term "personally identifiable," Congress clearly intended to exclude information that contains no indicators of a consumer's identity when communicated to a nonaffiliated third-party recipient. A consumer's privacy cannot be compromised by disclosing depersonalized information, because that information, by definition, does not identify any individual consumer.
The Commission invites comment on what information is appropriately considered publicly available, particularly in the context of information available over the Internet. In this regard, the Proposed Rule defines the term "publicly available information" to include information from an Internet site that is available to the general public without requiring a password or similar restriction. With respect to the requirement relating to "password or similar restriction," the Commission should make clear that this requirement does not include an access fee or logon password that any individual can obtain. Many websites allow access to the information on the site to any individual that registers with the site. Also, often passwords are issued to document users rather than exclude anyone. As long as the website is available to all, even if users must register and receive a password, the information on the site should be considered publicly available.
SECTION ___.4. INITIAL NOTICE TO CONSUMERS OF PRIVACY POLICIES AND PRACTICES REQUIRED.
Timing of the Initial Section 503 Privacy Notice to Customers
The Proposed Rule in Section ___.4(a)(1) provides that a financial institution must provide the initial notice to an individual "prior to the time" that the institution establishes a customer relationship with the individual. However, this "prior to" standard is inconsistent with the statutory language of Section 503 of the G-L-B Act, which clearly states that a financial institution is expected to provide the initial privacy notice to a customer "at the time of" establishing a customer relationship.
Although in most cases financial institutions will choose to provide the Section 503 privacy notice with other required disclosures, the final Rule should provide financial institutions additional flexibility regarding the timing of the initial privacy notice. Financial institutions need this flexibility to address situations where it might be impossible or impractical to provide its initial privacy notice to a customer at the time of establishing a customer relationship. Specifically, the final Rule should provide that a financial institution may deliver the initial Section 503 privacy notice within a reasonable period after the customer relationship is established, so long as no nonpublic personal information relating to that customer is disclosed to a nonaffiliated third party before the initial privacy notice and the Section 502 opt-out notice are provided, and the customer is given a reasonable amount of time to opt out before any such disclosure can occur.
The manner in which federally-insured student loans are made in the United States presents a number of unique problems under the Proposed Rule. In the FFELP, students apply for a loan using the Free Application For Student Aid form through the Department of Education. Later, the student signs a promissory note and mails the note to the lender, school, or guarantor for processing. Loans are made without face-to-face contact, on Office of Management and Budget approved common forms and with lenders often chosen by the student-borrower from a list maintained by the borrowers' school. The lender may not be aware that the student has signed a promissory note naming it the lender until days later. Due to the variability of the processes used by the numerous schools, it would be difficult for the lender to ensure that the student has the most recent copy of the lender's privacy notice, and that the notice was actually given to the customer when the customer relationship was established. Sections __.4(d)(2), __.8(b)(1), and __.8(b)(3) should be amended to allow subsequent delivery of the initial and opt out notices for student loans. The regulations should also recognize that in such situations an opt out notice may be delivered subsequently and still conform to the requirements in the regulation. We recommend the addition of a new subsection to __.4(d)(2) and a change to __.8(b)(3) as follows:
"(iii) you and the customer establish a customer relationship under a program authorized by Title IV of the Higher Education Act of 1965 (20 U.S. C. 1070 et seq.) or similar federally insured student loan program."
"(3) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with Section __.4, including situations where you are allowed to delay the delivery of the initial notice pursuant to Section __.4(d)(2)."
How to Provide Notice
Methods of Providing Notice
The Proposed Rule indicates that a financial institution must provide its Section 503 privacy notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. With respect to consumers who have agreed to receive information electronically, the final Rule should specify that a financial institution may satisfy its obligation to provide the initial and annual Section 503 privacy notice to such consumers, by simply posting the institution's Section 503 privacy notice on its Web site. Thus, a financial institution should not be required to send the initial or annual Section 503 privacy notice to such consumers via e-mail or require such consumers to access the Web site page on which the Section 503 privacy notice is posted in order to obtain the product or service in question.
Requiring a financial institution to provide its initial and annual Section 503 privacy notice to consumers via e-mail or through required access to the Web site page containing the Section 503 privacy notice, imposes unnecessary costs on the financial institution, with no accompanying benefits to consumers. By posting the Section 503 privacy notice on its Web site, a financial institution has provided consumers continual access to its Section 503 privacy notice. A financial institution should not be required to essentially "spam" consumers who have agreed to receive information electronically from the institution with unnecessary e-mails on either an initial or annual basis, when the consumer can access the institution's Web site at any time to obtain the institution's Section 503 privacy notice. Thus, the final Rule should provide that with respect to a consumer who has agreed to receive information electronically, a financial institution meets its obligation to provide an initial and annual Section 503 privacy notice to such consumer, by either posting its Section 503 privacy notice on its Web site or providing the notice via e-mail to the consumer.
Notice to Customers
The Commission requests comment on whether and how the Proposed Rule should address situations where a customer has requested a financial institution not to send statements, notices or other communications to the customer. The final Rule should make clear that customers can essentially "opt out" of receiving the initial Section 503 privacy notice, the annual privacy notice and the Section 502 opt-out notice by opting out of receiving any communications from the institution. In this regard, the final Rule should not require a financial institution to alienate its customers by forcing the institution to provide notices to a customer where the customer has specifically instructed the institution not to communicate with the customer with respect to the account.
Retention or Accessibility of Notice for Customers
The Proposed Rule specifies that in the case of customers, the Section 503 privacy notice must be given in such a way that the customer may either retain it or access it at a later time. In this regard, the Agencies should make it clear that it is the financial institution that has the option to provide the Section 503 privacy notice by either (i) giving the notice in a form that a customer can retain, or (ii) allowing the customer to obtain another copy of the institution's current privacy notice at a later time. In certain circumstances, such as in electronic transactions, it may be difficult for financial institutions to provide the Section 503 privacy notice to a customer in a form that the customer can retain in written form - the financial institution does not know whether the customer has a printer. Thus, it is critical that the final Rule provide financial institutions with the flexibility either to provide the Section 503 privacy notice in a form that the customer can retain or to allow the customer to obtain another copy of the institution's then current privacy notice at a later time. It is unreasonable to require a financial institution to keep track of which version of the Section 503 privacy notice was given to a particular customer.
SECTION ___.5. ANNUAL NOTICE TO CUSTOMERS.
The Proposed Rule states that a financial institution is not required to send the Section 503 privacy notice annually to a customer with whom it no longer has a continuing relationship. Additionally, the Proposed Rule sets forth examples of when there is no longer a continuing relationship, such as: (1) closed-end accounts that have been paid in full, charged off or sold without the institution retaining servicing rights; and (2) other types of accounts, where the institution has not communicated with the customer about the relationship for a period of 12 consecutive months. The Commission requests comment on whether the examples are adequate and on whether the proposed standard deeming an account relationship to have terminated after 12 months of no communication is appropriate.
The final Rule should retain the examples, including the standard contained in the Proposed Rule deeming certain account relationships to have terminated after 12 months of no communication from an institution to a customer. As the Agencies correctly point out, certain customer relationships (such as obtaining investment advice from a financial institution) do not present a clear event after which there is no longer a customer relationship. The 12-month standard provided in the Proposed Rule sets forth a bright-line test that financial institutions can apply in determining when these types of account relationships have terminated. Without this bright-line test, financial institutions would face substantial uncertainty regarding whether many types of account relationships have terminated. Example ___.5(c)(2)(i) should be expanded to include a transfer of an account, not just a sale. Often guarantors transfer account to the Department of Education. This is not a sale, as no funds are exchanged, but the transaction ends the relationship between the guarantor and the borrower.
Section __.5(a) states that a financial institution must provide a disclosure to "customers." Therefore, use of "consumer" in the Section __.5(c)(2) examples is confusing and inconsistent with the rest of Section __.5. By definition, this Section governs an annual disclosure process to a financial institution's customers and the examples clearly contemplate a "customer relationship" when they refer to deposit account, closed-end loan or credit card relationship. Changing "consumer" to "customer" in these examples is consistent with the language of Section __.5(a) and a practical interpretation of the relationship between a financial institution and its account holders and borrowers.
SECTION ___.6. INFORMATION TO BE INCLUDED IN SECTION 503 PRIVACY NOTICE.
We urge the Commission to adopt uniform model form disclosures that comply with the initial and annual disclosures required under Section __.6 of the Proposed Rule. Financial institutions should be given these model disclosures as a safe harbor because of the complexity of the current legal and regulatory environment concerning consumer privacy. The model disclosures should be issued for public comment and adopted sufficiently prior to the effective date of the regulation. This will allow financial institutions time to design, print, distribute and implement their own forms. Model forms may be prepared and issued in conjunction with the standards required under Section 501 of the G-L-B Act as referred to in the last paragraph of the Preamble regarding Section __.6.
The Proposed Rule sets forth examples of ways in which a financial institution may meet its Section 503 obligation to describe in its privacy notice: categories of information collected; categories of information disclosed; categories of nonaffiliated third parties to whom information is disclosed; disclosures of nonpublic personal information of former customers; and protecting the nonpublic personal information of customers.
However, the examples set forth in the Proposed Rule would require a financial institution to include in the institution's Section 503 privacy notice so much detail about the institution's policies on collecting, disclosing, and protecting nonpublic personal information of consumers that such notices could not possibly be meaningful to most consumers. In fact, the Proposed Rule, by requiring overly detailed privacy notices, would actually be counterproductive to the privacy interest of consumers. As a practical matter, a consumer is far less likely to read an institution's privacy notice if it is lengthy and detailed. Also, because consumers are likely to receive Section 503 privacy notices from a broad range of financial institutions (typically 20 or more of such notices per consumer), the consumer will be overwhelmed if he or she receives lengthy, detailed notices from every "financial institution" with which the consumer has some type of relationship. A consumer is not likely to read any of the many Section 503 privacy notices he or she receives, because of the sheer length of each such notice.
Thus, unless the Commission revises the examples, as discussed below, to reduce significantly the level of detail required for the Section 503 privacy notices, the final Rule will have the unintended consequence of harming consumers and financial institutions alike.
Categories of Information Collected
The example in Section ___.6(d)(1) provides that a financial institution adequately discloses the categories of nonpublic personal information that the institution collects if the institution categorizes such information according to the source of the information, such as application information, transaction information and credit reports. This example should be revised to provide that a financial institution is only required to give examples of the categories of information that the institution collects. Requiring a financial institution to identify every possible category of information that the institution collects unnecessarily increases the length and complexity of the Section 503 privacy notice, resulting only in confusion on the part of consumers.
Categories of Information Disclosed to Nonaffiliated Third Parties
The example in Section ___.6(d)(2) provides that a financial institution adequately categorizes nonpublic personal information that the institution discloses when the institution categorizes such information according to source and provides illustrative examples of the content of the information. This example should be revised to make it clear that a financial institution is required to provide only examples of the categories of nonpublic personal information that the institution discloses. Requiring a financial institution to list each and every category of nonpublic personal information that may be disclosed would unnecessarily increase the length and complexity of the Section 503 privacy notice, without any accompanying benefit to consumers.
Information Sharing Practices with Affiliates
The Proposed Rule requires a financial institution's Section 503 privacy notice to include a detailed discussion of the institution's information sharing practices with respect to the institution's affiliates. In particular, under the Proposed Rule, a financial institution would be required to provide in its Section 503 privacy notice information about the categories of nonpublic personal information that may be disclosed to affiliated third parties and the categories of affiliated third parties to whom such information may be disclosed. The inclusion of these affiliate-sharing provisions in the Proposed Rule is entirely inconsistent with the G-L-B Act. Section 503 of the G-L-B Act provides that except for the FCRA opt-out notice, a financial institution is not otherwise required to include in its privacy notice information relating to the institution's information sharing practices with affiliates.
Right to Opt Out
Under Section ___.6(a)(6) of the Proposed Rule, a financial institution would be required to provide in its Section 503 privacy notice information about the consumer's right to opt out under Section 502, including the methods by which the consumer may exercise that right. The final Rule should not require the inclusion in the Section 503 privacy notice of a duplicative explanation of the consumer's right to opt out under Section 502; the explanation of this opt-out right should be reserved for the Section 502 notice. Requiring the Section 503 privacy notice to contain an additional explanation of the Section 502 opt-out right would unnecessarily increase the length and complexity of the Section 503 privacy notice, potentially confusing consumers without providing them with meaningful additional information.
If the final Rule continues to discuss the Section 502 opt-out right in connection with the Section 503 privacy notice, the Agencies should make it clear in the final Rule that they are not suggesting that this is an additional Section 503 privacy notice requirement, but only that when the Section 502 opt-out notice is provided, it should be accompanied by the Section 503 privacy notice.
Confidentiality, Security and Integrity of Information
The example in Section ___.6(d)(5) indicates that a financial institution adequately describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if the institution explains who has access to the information and the circumstances under which the information may be accessed. The example further provides that a financial institution adequately describes its policies and practices with respect to protecting the integrity of nonpublic personal information if the institution explains the measures it takes to protect that information against reasonably anticipated threats or hazards.
This example regarding confidentiality and security should be revised to provide that a financial institution need only provide examples of the types of limitations, if any, that the institution places on access to information. Requiring a financial institution to provide detailed information in its Section 503 privacy notice regarding who has access to nonpublic personal information of consumers and the circumstances relating to such access would unnecessarily add to the length and complexity of the Section 503 privacy notice, without providing meaningful information to consumers. In addition, the example regarding integrity should be deleted entirely in the final Rule as it is confusing and duplicative.
SECTION ___.7. SECTION 502 OPT-OUT NOTICE.
The Commission seeks comment on whether an example in the context of transactions conducted using an electronic medium would be helpful. The final Rule should include an example which specifies that a financial institution may provide the Section 502 opt-out notice (and the Section 503 privacy notice) to a consumer by using electronic mail if the consumer has agreed to receive information by electronic delivery. In addition, the final Rule should make it clear that if a financial institution provides the Section 502 opt-out notice to such a consumer by using electronic mail, the consumer has a reasonable amount of time -- such as 30 days -- to exercise the opt-out right before information may be shared.
SECTION ___.8. FORM AND METHOD OF PROVIDING SECTION 502 OPT-OUT NOTICE.
Examples of Reasonable Means to Opt Out
The example in Section ___.8(a)(2)(ii) of the Proposed Rule specifies that a financial institution provides a reasonable means of opting out if it: (1) designates check-off boxes on the relevant forms with the Section 502 opt-out notice; (2) includes a detachable reply form and self-addressed stamped envelope together with the opt-out notice; or (3) provides an electronic means to opt out, if the consumer agrees to the electronic delivery of information. The Agencies' Proposed Rule specifies that a financial institution does not provide a reasonable means to opt out by requiring consumers to send their own letter to the institution to exercise their right, although an institution may honor such a letter if received. The Commission makes the same point in the analysis section only. The Agencies are silent on whether toll-free telephone numbers is a reasonable means of opting out, while the Commission says it is. The Commission is correct.
The regulations for the Agencies should be revised to make it clear that the use of toll-free telephone numbers provides a reasonable means to opt out. The Commissions' Proposed Rule contemplates that a self-addressed stamped envelope would be included with the detachable reply form. This is excessive and would impose enormous costs on financial institutions, without benefiting the vast majority of consumers. In fact, requiring a financial institution to provide any type of reply form, even if a self-addressed, stamped envelope is not required, to each and every consumer to whom the institution mails a Section 502 opt-out notice would be extremely costly to financial institutions. Thus, the example referencing a detachable form should be replaced with one indicating that providing an address for opt out, together with clear instructions on how to do so, is sufficient. Specifying an address where a consumers can write to opt out provides consumers with a meaningful means to exercise their opt-out rights, without imposing enormous costs on financial institutions in providing detachable forms.
In the analysis section of the Proposed Rule, the Commission requests comment on whether financial institutions should be required to accept opt outs through any means the institution has already established to communicate with consumers. The final Rule should make it clear that a financial institution is not required to accept opt outs through any means the institution has already established to communicate with consumers, but instead can designate a specific contact point for this purpose. Requiring a financial institution to accept opt outs through any means would force the institution to incur the enormous costs of establishing and implementing procedures to train all employees (and third party servicers) who interact with consumers in any way to handle opt-out requests, and would make it far more likely that consumer opt-out requests will not be properly processed.
Continuing Right to Opt Out
The Proposed Rule explains that a consumer may exercise the right to opt out at any time, and a financial institution must comply with the consumer's direction as soon as reasonably practicable after receiving the customer's request. The Commission requests comment on whether the final Rule should specify a specific time period within which a financial institution must implement these opt outs. The final Rule should not specify a specific time period, and should retain the "reasonably practicable" standard set forth in the Proposed Rule. Because the operational structure and practices of financial institutions vary widely, the setting of one time period with which all financial institutions must abide is inappropriate and would be extremely difficult to implement. The "reasonably practicable" standard adequately protects the privacy interests of consumers without placing undue operational and cost burdens on financial institutions.
Duration of Consumer's Opt-Out Direction
The Proposed Rule provides that a consumer's direction to opt out under Section 502 of the G-L-B Act is effective until revoked by the consumer in writing, or in electronic form, if the consumer has agreed to accept notices in electronic form. The final Rule should allow a consumer to revoke an opt-out direction orally. If a consumer can opt-out via a toll-free telephone call, the consumer should be able to opt-back-in via a telephone call.
SECTION ___.9. EXCEPTIONS RELATING TO SERVICE PROVIDERS AND JOINT MARKETING AGREEMENTS
Agents, Processors and Service Providers
The Commission requests comment on whether third-party contractors should be permitted to use information received pursuant to Section ___.9 to improve credit scoring models or analyze marketing trends, so long as the third party does not maintain the information in any way that would permit identification of a particular consumer; that is, to use depersonalized or aggregate information for modeling purposes. Yes. First, the use by third-party contractors of such aggregate information for the purpose of improving credit scoring models falls within the "necessary to effect, administer or enforce a transaction" exception under Section 502(e)(1). In addition, because the information would be depersonalized, the privacy interests of consumers are not lessened in any way by allowing third parties to use information received under Section ___.9 for such purposes.
SECTION ___.10. EXCEPTIONS RELATING TO TRANSACTION PROCESSING.
Sections ____.10(a)(2) and (a)(3), respectively, provide that the Section 502's obligations in providing the privacy notice and the opt-out notice to a consumer do not apply when an institution is disclosing the consumer's nonpublic personal information: ... "(2) [t]o service or process a financial product or service requested or authorized by the consumer; [or] (3) [t]o maintain or service the consumer's account with [the financial institution] ... ." To be consistent with Section 502(e) of the G-L-B Act, the phrase "in connection with" should be added to the beginning of the clauses in Sections ___.10(a)(2) and (a)(3). This "in connection with" language is essential because it makes it clear that the exceptions in Sections 502(e)(1)(A) and (B) (as implemented by Sections ___.10(a)(2) and (a)(3) respectively) include activities that relate to servicing or processing a financial product or service or maintaining or servicing the consumer's account, even where these activities are not absolutely necessary to service or process the financial product or financial service or to maintain or service the consumer's account.
Section 313.10(a)(4) sets forth routine uses relating to loan sales and certain types of asset financing. SLSA believes that this exception should be expanded to make clear that all disclosures relating to loan sales and loan financing transactions are covered by the routine exception. We recommend that the following be provided, by way of further example, at the end of this section:
"Included as recognized entities who are covered by the exception are parties involved in a proposed or completed asset securitization, asset sale, financing transaction or similar transaction, including loan servicers, investment bankers, financing lenders (including parties holding a security interest in the assets), financial advisors, rating agencies, credit providers and enhancers, auditors, loan purchasers, loan sellers, attorneys, bond counsel and trustees."
SECTION ___.11. OTHER EXCEPTIONS.
With Consent or Direction of the Consumer
The Commission seeks comment on whether safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. The Commission indicates that such safeguards might include, for instance, a requirement that consent be written or that it be indicated on a separate line in a relevant document or on a distinct Web page, or that may be effective for a limited period of time.
The final Rule should provide financial institutions with flexibility with respect to the methods by which financial institutions may obtain consent from a consumer. Specifically, the final Rule should not require that a consumer's consent be in writing or indicated on a separate line in a relevant document or on a distinct Web page. Instead, the final Rule should only require that the consent provision be presented in a clear and conspicuous manner to the consumer. Also, the consent should be effective until terminated.
With respect to standards relating to the scope of consent, the Agencies, at most, should only require that the consent provision be specific in its terms, such that the consent provision identifies the particular purposes for which information will be disclosed and the types of information that will be disclosed. In particular, the consent provision should not be required to identify nonaffiliated third parties to whom the information will be disclosed, other than by type of business, because the identity of the third party may differ based on the circumstances and the consumer's geographical location.
SECTION ___.12. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.
Redisclosure of Information by a Third Party
The Commission invites comment on whether the final Rule should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. A financial institution should not be required to affirmatively ensure the activities of such nonaffiliated third parties, other than to contractually limit redisclosure of the information and enforce those contractual provisions should evidence of a violation arise.
Reuse of Information by a Third Party
The Proposed Rule provides that a nonaffiliated third party may use nonpublic personal information about a consumer that it receives from a financial institution in accordance with an exception under Sections ___.9, ___.10 or ___.11 only for the purpose of that exception. The final Rule should allow the nonaffiliated third party to reuse the information if the so-called "secondary use" falls within one of the exceptions in Sections ___.10 or ___.11. Because the "secondary use" falls within one of the exceptions in Sections ___.10 or ___.11, the nonaffiliated third party could simply re-obtain the information from the financial institution for the "secondary use" purpose. The final Rule should not require the nonaffiliated third party to undergo this additional step of obtaining the information from the financial institution. Instead, the final Rule should allow a nonaffiliated third party to reuse information for a secondary purpose if this secondary purposes falls within one of the exceptions in Sections ___.10 or ___.11.
SECTION ___.13. LIMITS ON SHARING OF ACCOUNT NUMBERS FOR MARKETING PURPOSES.
Agents, Processors and Service Providers
The Proposed Rule should make it clear that the providing of account numbers by a financial institution to its agent, processor or service provider that is supplying operational support for the financial institution, including marketing products on behalf of the financial institution itself, is not prohibited under Section 502(d) of the G-L-B Act. Congress did not intend the Section 502(d) prohibition to restrict the ability of a financial institution to provide account numbers to the institution's agents, processors and other service providers that perform services on the institution's behalf or otherwise assist the institution in servicing its own customers and prospective customers. Instead, Congress intended Section 502(d) to restrict the ability of a financial institution to provide account numbers for a credit card account, deposit account or other transaction account of a consumer to a nonaffiliated third party for use by that nonaffiliated third party in marketing that third party's good or services. We do not believe it was Congress' intent to interfere with longstanding routine servicing and outsourcing practices of banks and other financial institutions.
However, without a clarification in the final Rule that the providing of account numbers by a financial institution to the institution's agents, processors or service providers is not prohibited by Section 502(d), financial institutions may be required to discontinue certain routine practices of using agents, processors and service providers because of the uncertainty surrounding whether such practices are prohibited under Section 502(d). For example, financial institutions often disclose account numbers to a service provider who handles the preparation and distribution of monthly checking account and credit account statements for the institution. In many cases, the institution also directs the service provider to include marketing literature with the statement about a product; in some cases, the account number may be preprinted on the response form to ensure proper account posting. Section 502(d) does not apply to this type of practice. First, a financial institution -- in making information available to its processors and service providers engaged in activities on the institution's own behalf -- should not be viewed as "sharing" information with a nonaffiliated third party. Instead, the processor or service provider should be viewed as an extension of the financial institution itself. In addition, for this particular practice, a financial institution would be providing the account numbers to service providers for its own statement and marketing purposes.
Encrypted Account Numbers and Reference Numbers
The final Rule should make it clear that the term "account number or similar form of access number or access code" does not include an account number or other similar number, so long as that number is encrypted when provided to the nonaffiliated third-party marketer and the nonaffiliated third-party marketer is not given the information or device needed to decode or unscramble the encrypted number.
The final Rule should specify that a financial institution may provide an account number to a nonaffiliated third party for use in marketing to the consumer, if the financial institution has obtained the consumer's prior consent to provide that information to that nonaffiliated third-party marketer.
SECTION ___.16. EFFECTIVE DATE; TRANSITION RULE.
The Commission invites comment on whether six months following the adoption of the final Rule is sufficient time to enable financial institutions to comply with the regulations. The final Rule should provide that while the obligations of Sections 502 and 503 of the G-L-B Act and the implementing regulations become effective six months following the adoption of the final Rule, compliance with such obligations is voluntary until 18 months after the effective date. Sections 502 and 503 of the G-L-B Act place numerous new obligations on financial institutions. Indeed, financial institutions will not know the true extent of the obligations imposed under Sections 502 and 503 until the final Rule is released; thereafter, financial institutions need adequate time to analyze the final Rule, implement operational changes and audit procedures which are necessary to comply with these obligations. In addition to developing Sections 502 and 503 notices, financial institutions must establish and implement new procedures for delivering such notices to consumers. Moreover, financial institutions must establish and implement new procedures for providing opt-out methods to consumers and for receiving and handling opt-outs received from consumers. Financial institutions also must design and implement effective employee training programs for satisfying all of these new procedural requirements, and must establish compliance systems to adequately monitor the institutions' performance in complying with these requirements. Furthermore, financial institutions also must evaluate all of their existing contracts with nonaffiliated third parties, to determine if they comply with the obligations imposed under Sections 502 and 503. Most of these activities require significant computer system changes that financial institutions need time to implement.
For existing customers, the Proposed Rule provides that a financial institution is required to provide the Section 503 privacy notices within 30 days of the effective date of regulations. This 30-day transition period is simply too short a time frame for financial institutions to provide the Section 503 privacy notice to existing customers. With this 30-day transition period, financial institutions would be required to provide a Section 503 privacy notice to each and every one of their existing customers by December 13, 2000. Thus, financial institutions would be required to provide these Section 503 privacy notices during the holiday season -- one of the busiest times for mail during the year. In addition, guarantor and lenders are already overburdened this time of year preparing to send year-end tax disclosures to consumers. We ask that this initial transition period be extended to 90 days.
In the final Rule, the Commission should make it clear that if an institution attempts to establish and implement reasonable procedures to comply with the obligations of Sections 502 and 503 of the G-L-B Act, as implemented by the final Rule, the institution's failure to comply with such obligations should not be considered a violation of the statute if the violation results from an inadvertent error. This concept of a safe harbor from inadvertent errors is essential if financial institutions are not given adequate time after the final Rule is released to comply with the obligations under Sections 502 and 503.
* * * *
SLSA appreciates the opportunity to comment on this important subject. If any additional information is needed, please contact me via telephone at (317) 576-6495 or e-mail at firstname.lastname@example.org.
Daniel L. Yost
1 145 Cong. Rec. S13,902-03 (daily ed. November 4, 1999)