March 31, 2000
Jennifer J. Johnson
Board of Governors of
The Federal Reserve System
20th & C Streets, NW
Washington, D.C. 20551
Docket No. R-1058
Robert E. Feldman
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, D.C. 20429
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
Gramm-Leach-Bliley Act Privacy Rule
16 CFR Part 313 - Comment
Office of the Comptroller of the Currency
250 E Street, SW
Washington, D.C. 20219
Docket No. 00-05
Jonathan G. Katz
Securities and Exchange Commission
450 5th Street, NW
Washington, D.C. 20549-0609
File No. S7-6-00
Dear Sirs and Madams:
First National of Nebraska, Inc. appreciates the opportunity to comment to the Board of Governors of the Federal Reserve System, the Federal Trade Commission, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission (collectively, "the agencies") on the proposed privacy regulations authorized and required under Title V of the Gramm-Leach-Bliley Act ("Financial Modernization Act") adopted on November 12, 1999.
First National of Nebraska, Inc. ("FNN") is a Nebraska-based interstate bank holding company. Its principal subsidiaries include First National Bank of Omaha and its wholly-owned subsidiaries; First National Bank and Trust Company of Columbus; First National Bank, North Platte; Platte Valley State Bank and Trust Company, Kearney; The Fremont National Bank and Trust Company and its wholly-owned subsidiary, Nebraska Trust Company, N.A.; First National Bank of Kansas, Overland Park, Kansas; First National Bank South Dakota, Yankton, South Dakota; and First National of Colorado, Inc., and its wholly-owned Colorado subsidiaries, which primarily include First National Bank, Fort Collins; Union Colony Bank, Greeley; The Bank in Boulder; and FNC Trust Group, N.A.
General Comment on Notices
FNN strongly encourages the agencies to adopt model forms for both the initial and annual notices that are required by the Financial Modernization Act and proposed regulations. We believe that the proposed regulations require us to develop a privacy notice that will include a tremendous amount of detailed information. While we only have begun the process of gathering the information necessary to draft such a disclosure, we believe that the proposed rules will require extensive disclosure.
Initial Notice for Existing Customers
Section __.16(b) requires that we provide an initial privacy notice and opportunity to opt out to customers with existing relationships as of the effective date. We must deliver the notice within 30 days of the effective date. Given the expected level of detail in this disclosure, we believe it will be difficult for us to have our notice prepared and ready to send by then. We urge the agencies to extend the date by a minimum of six months.
If that is not acceptable, we propose an alternative to expand the 30-day period to an effective date of February 15, 2001. We have many customers who will receive a regular mailing (e.g., quarterly savings statements, 1099-INT, 1098, Fair Market Value Statement, etc.) within 30 to 60 days of the proposed December 13, 2000 deadline. A delay will not harm the customer. We are aware that we cannot share information until we provide a notice and allow the customer 30 days to opt out of the proposed sharing.
The February 15, 2001 deadline allows us to include the initial disclosure in a regularly scheduled mailing. We feel we can insert a disclosure in a scheduled mailing with little increased postage. If February 15, 2001 is not acceptable, we suggest an extension to at least December 31, 2000. Many financial institutions send year-end, month-end and quarter-end statements on that date.
Initial Notices to New Customers
FNN urges that Section __.4(a)(1) of the proposed regulations be revised to mirror the language in Section 503 of the Financial Modernization Act which requires that customers be provided notice "[a]t the time of establishing a customer relationship...." In addition, the privacy regulations should clarify that a financial institution may provide the privacy disclosure and opt-out notice with initial disclosures under Regulation Z.
Section __.5 requires us to provide annual notices and states, "Annually means at least once in any period of 12 consecutive months during which that relationship exists." We feel that this definition implies that "annually" is measured on a customer-by-customer basis. We do not believe that was the intent of the agencies or Congress. The proposed regulation adopts broad definitions of consumers and customers. The combination of broad coverage and individual tracking creates a significant regulatory burden. We urge the agencies to change this language to allow institutions to provide annual notices every calendar year following the year the initial notice is provided. This will allow us the flexibility to provide notices to all customers at one time.
Record Retention when Customer Revokes a Decision to Opt-Out
Section __.8(e) indicates that a consumer's decision to opt out of information sharing remains in force until revoked in writing. We feel this implies that we must retain such written revocations in some form. We are concerned that there is no retention limit, implying that we must keep such records permanently. We understand that retention of records is necessary for the agencies to judge an institution's compliance with the regulation. However, we do not feel the need to retain such records indefinitely. We suggest a retention period of 24 months or the period since the last compliance examination, whichever is shorter. This allows the agencies to assess compliance and allows an institution to reduce its retention requirements.
Notice to Customers Who Request Not to Receive Notices
The agencies invited comment on those situations where customers request that an institution send no documents. Our experience is that these individuals are financially sophisticated and very protective of their financial information. Typically, they are aware of an institution's privacy policies and generally decline to participate in any activity that involves sharing private information with third parties. FNN suggests that if a customer requests no mail, we could honor this request, including a special waiver of disclosure notices except for the initial notice. We feel most of these customers will immediately opt-out of information sharing except to process transactions according to their instructions. We feel that an annual notice to a customer who opts-out would provide no benefit to the consumer. Accordingly, we suggest that the agencies could effectively deal with this issue by exempting those customers who opt-out from annual disclosure requirements.
Consumer Credit Counseling Programs
The privacy regulations should clarify that the exception in Section __.11(a)(2)(iv) to providing the privacy disclosure and opt-out notice applies to consumer credit counseling entities, both public and private. In order to effectively and efficiently maintain consumer credit counseling programs, financial institutions must be able to provide information to consumer credit counseling entities, whether public or private, without having to determine whether the consumer has received a notice or has opted out.
Definition of Consumer
The examples in Section __.3(e) broaden the definition of "consumer" beyond both the privacy regulation and the statute. The examples should not include a person who has only sought to obtain a financial product but to whom the financial institution has not provided a financial product. The privacy regulations should clarify that a person only becomes a consumer if the financial institution approves them for a product or actually provides another financial service. Additionally, the privacy regulations should clarify that a person is not a consumer if a financial institution sends a solicitation but the person does not respond (and, as set forth above, is not approved for a product).
Definition of Publicly Available Customer Information
The agencies propose two possible definitions of nonpublic personal information. FNN urges the adoption of Alternative B, which recognizes that certain information is in the public domain and, therefore, should not be as stringently protected.
Because FNN is governed by various regulatory agencies, including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, and the Federal Deposit Insurance Corporation, we support further efforts to bring consistency to the final rules. Such uniformity is consistent with the standard in Section 504(a)(2) of the Financial Modernization Act which requires the agencies to assure "that the regulations prescribed by each agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities."
FNN urges that the privacy regulations clarify the inactive consumer exception in Section __.5. If a consumer is inactive when a financial institution sends out the annual privacy disclosure, the financial institution should not have to send that same consumer a privacy disclosure if and when he/she then becomes active. The privacy regulations should clarify that a financial institution only needs to send a privacy disclosure to an inactive consumer who then becomes active when the financial institution sends out the next year's annual privacy disclosure.
Joint Accounts & Account Numbers for Opt-Out Notices
FNN believes it is essential that the privacy regulations clarify how joint accounts are treated. The final rule should state that a financial institution only has to provide one privacy disclosure per account to the primary accountholder, regardless of how many joint accountholders exist. The privacy regulations also should state that a consumer's opt-out can be required to include the account number so that only information related to that account will not be disclosed. If one of the accountholders has additional accounts on which they want to exercise the opt-out, those additional account numbers should be provided.
The privacy regulations should clarify that a financial institution can provide information to a third party that provides a product to the customer for the financial institution (e.g., First Bankcard Center can provide information about a customer to the insurer who provides credit insurance to Bankcard's cardmembers).
FNN has concerns about allowing an oral revocation of an opt-out. An accountholder could call to revoke an opt-out, but we are concerned that accountholder later could make a claim that he or she never revoked the opt-out. FNN would then have no means of proving the cardholder did revoke the opt-out.
Bankcard Privacy Issues
Below are areas of particular concern to the First Bankcard Center, a division of First National Bank of Omaha and First National Bank of South Dakota and a top 25 issuer of bank credit cards:
Agent Bank and Affinity Partner Programs (Co-Branding Programs)
The breadth of the privacy regulations has severe implications on Bankcard's agent bank and affinity partner programs. Bankcard needs to share information about its cardholders with agent banks and affinity partners and those agent banks and affinity partners need to be able to share information with Bankcard (e.g., agent banks need to be able to provide Bankcard with their customer lists so Bankcard can offer cards that bear agent banks' logos). The privacy regulations should clarify that the agent bank and affinity partner relationships fall within the exceptions in either Section __.9 or Section __.10.
Bankcard issues cards to its agent bank and affinity partner customers who Bankcard solicits using information the agent banks and affinity partners provide. In order to obtain information from those agent banks and the affinity partners that meet the definition of financial institution, Bankcard will have to make certain that those agent banks and affinity partners include in their privacy disclosures the information Bankcard needs to solicit their customers. Many of the agent banks and affinity partners, especially small community banks, will not have the resources for the necessary disclosures and therefore may choose to not participate in the program. Those agent banks and affinity partners that do not then participate will lose a competitive service for their customers that they cannot otherwise provide as well as a revenue source. For this reason, it may not be beneficial enough for the exception in Section __.9 to apply. The privacy regulations should clarify that the agent bank and affinity partner relationship falls within the exception in Section __.10.
Once a customer of an agent bank or an affinity partner opens an account with Bankcard, Bankcard needs to share information about that cardmember with the agent bank or affinity partner. The privacy regulations should either clarify the relationship is covered by the exception in Section __.10 or clarify that if a customer is able to opt out of either the issuing financial institution or the agent bank/affinity partner providing information to the other, the cardmember's account can be closed. The privacy regulations should also clarify that the issuing financial institution and the agent bank/affinity partner may share information with each other in order to collect on the account.
Fraud Investigation Purposes
The privacy regulations should clarify that the exception in Section __.11(a) allows financial institutions to provide information to third parties for fraud purposes without providing a privacy disclosure or opt-out notice whether the fraud is in connection with that financial institution's account or for other fraud purposes (e.g., Bankcard has provided information to other financial institutions and law enforcement agencies when fraud has been suspected at other financial institutions; other financial institutions have provided Bankcard or law enforcement agencies with information when fraud has been suspected at Bankcard).
The privacy regulations should clarify that the exception in Section __.10 applies to financial institutions sharing information with benefit providers and with third parties to which the information must be provided in order to deliver a benefit. For example, if the customer opts out and benefits are included, Bankcard would have to turn off any benefit that requires Bankcard to provide information to third parties that provide the benefit to Bankcard's cardmembers (such as reward programs and Visa programs). Turning off the benefits provided with an account may not be possible without closing the account.
Name and Address Information
It is essential that the privacy regulations allow financial institutions to provide names and addresses of their customers (and other non-financial information regardless of its source) without providing the privacy disclosure and opt-out notice. Bankcard uses third party service providers that only obtain names and addresses (or other non-financial information) but who may not fall within the privacy regulation's definition of service provider. Bankcard shares names and addresses with agent banks and affinity partners (and agent banks and affinity partners share names and addresses with Bankcard). Bankcard is considering additional revenue sources that may include providing names and addresses on a broader basis.
The scope of the privacy regulations must not include a financial institution disclosing non-personalized information to third parties. For example, Bankcard provides aggregate information to third parties so that those third parties can provide statistics about Bankcard's customer base. Bankcard uses this statistical information for a variety of purposes, including determining new products and offers, finding fraud characteristics, analyzing the effectiveness of a solicitation, reviewing the quality of its customer base, predicting delinquency and charge-off rates, and many other purposes.
Providing Privacy Disclosures and Opt-Out Notices
The privacy regulations should clarify that the examples under Section __.4(d)(1) and Section __.5(c)(2) are not the only reasonable means of providing the initial and annual privacy disclosure. The examples may be too burdensome depending on the circumstances. For example, if a customer applies for a credit card on the Internet, the financial institution should be able to provide the privacy disclosure on-line as part of the application process without having to obtain an acknowledgment that the consumer received the privacy disclosure as a requirement for obtaining the credit card. A financial institution should also have the option of providing the privacy disclosures with the initial disclosures provided under Regulation Z.
The privacy regulations should clarify that a consumer who applies for a financial product on the Internet should be considered to agree to obtain the initial privacy disclosure and opt-out notice electronically when both are provided as part of the application process.
The privacy regulations should clarify that the examples under Section __.8(a) are not the only reasonable means of providing the opt-out notice. The examples for opting out are too burdensome. The privacy regulations should clarify that the opt-out notice can require the consumer to send a writing to an address in order to opt out, which is similar to the dispute process under Regulation Z (e.g., the notice could state, "If you do not want us to share information with third parties, please write to us at ______.").
Use of Encrypted Account Numbers for Privacy Purposes
It is essential that the privacy regulations clarify that the restriction in Section __.13 does not prohibit financial institutions from providing encrypted account numbers to third parties for marketing purposes. It would also be beneficial if the encryption routine could be provided for use in limited circumstances. For example, Bankcard has provided encrypted account numbers to third parties for identification and tracking purposes and so the marketing representatives do not have access to the account numbers; however, the encryption routine is provided to the marketing firm's management for identification purposes and so the account number can be included on an order if the consumer wants the product and authorizes the charge to his or her account. Bankcard may not have an adequate alternative for identifying and tracking consumers if it is not allowed to provide encrypted account numbers.
The privacy regulations should define the term "demographic information."
The privacy regulations should clarify that a product similar to Bankcard's Card Registry of America program does not fall within the scope of the privacy regulations. If a consumer has registered accounts with Card Registry of America and the consumer loses his or her cards, Bankcard must notify all of the institutions with which the consumer has an account.
If you have any questions, please do not hesitate to contact Maureen O'Connor at (402)633-3106 or me at (402)633-3107.
Richard A. Buchanan
Vice President - First National Bank of Omaha