March 30, 2000
Jennifer J. Johnson
Robert E. Feldman
Manager, Dissemination Branch
Jonathan G. Katz
Re: Proposed Regulations - Privacy of Consumer Financial Information
On behalf of the Chase Manhattan Bank and its affiliates, including Chase Manhattan Bank USA, N.A., Chase Bank of Texas, N.A. and Chase Manhattan Mortgage Corporation, Chase Investment Services Corp., Chase Manhattan Automotive Finance Corporation, and Chase Insurance Agency, Inc. (collectively, "Chase"), we welcome the opportunity to provide comments in connection with the proposed rules ("Proposed Rule") to implement Title V of the Gramm-Leach-Bliley Act (the "GLB Act"), published for comment on various dates in the Federal Register by the Board of Governors of the Federal Reserve System ("FRB"), the Office of the Comptroller of the Currency ("OCC"), the Federal Deposit Insurance Corporation (the "FDIC"), the Office of Thrift Supervision ("OTS"), the Securities and Exchange Commission ("SEC"), the Federal Trade Commission ("FTC") and the National Credit Union Administration ("NCUA") (the FRB, OCC, FDIC and OTS are collectively referred to as the "Banking Agencies"; the SEC, FTC and NCUA, combined with the Banking Agencies, are collectively referred to as the "Agencies").
We commend the Agencies for their efforts in developing the Proposed Rule under the GLB Act. We recognize the difficulties faced by the Agencies and believe that the Proposed Rule, with some exceptions, is substantially consistent with the statute. Chase is eager to work with the Agencies towards creating balanced rules that protect consumers while minimizing burdens on financial institutions. It is in that spirit that we offer these comments on ways in which the Proposed Rule ought to be improved.
After initially addressing our general and key concerns, this letter comments on specific issues in the order in which they are addressed in the Proposed Rule.
SUMMARY OF KEY COMMENTS
Our key concerns center on 1) resolving inconsistencies between the Proposed Rule and the statute and among variations of the Proposed Rule issued by the Agencies and 2) providing sufficient flexibility for financial institutions to comply with the GLB Act.
We believe that it is critical to achieve consistency among the regulations to be promulgated by the Agencies, as well as in the application of the regulations to all entities involved with consumer nonpublic personal information.
We acknowledge that diligent efforts resulted in nearly consistent regulations among the Agencies, but additional efforts are needed to minimize variations in the Proposed Rule among the Agencies. We urge that the remaining differences in the proposals also be reconciled as contemplated by Section 504(a)(2) of the GLB Act. Congress required the Agencies to work together to assure "to the extent possible, that the regulations ... are consistent and comparable" among the Agencies. In addition, uniformity benefits financial institutions and consumers alike and is essential to maintaining and promoting competitive balance among entities in the financial services industry. Uniformity in the privacy regulations will ensure that consumers' basic privacy rights are the same under the GLB Act, regardless of the type of institution with which they choose to deal. The privacy rights of consumers and the privacy obligations of financial institutions should not depend upon which primary regulator happens to regulate the particular financial institution. Thus, it is crucial that the final rules adopted by the Agencies treat all financial institutions in a uniform manner.
For these reasons and for consistency among the various regulations, the Banking Agencies' definitions of "financial institution" and "financial product or service" should be adopted by all Agencies. After all, any institution that offers financial products or services and thereby obtains nonpublic personal financial information about consumers should be subject to the privacy requirements of the GLB Act in order to afford consumers consistent treatment regardless of the institutions with which they choose to deal. (For further discussion see page 10.)
Similarly, consistent treatment should be afforded in the definitions affecting which information is covered by the Proposed Rule. Alternative B proposed by the Agencies is preferable but requires further revision. (For further discussion see page 11.) We believe it is imperative for the Agencies to fashion consistent definitions for these terms in the regulations; otherwise, the Agencies will create an anomalous structure which covers non-financial information maintained by a traditional financial institution but does not cover actual financial information maintained by a non-traditional financial institution. This is not what Congress intended when enacting the GLB Act's privacy protections.
Under the Proposed Rule, any personally identifiable information of a consumer is "financial information" if it is obtained by a financial institution in connection with providing a financial product or service to the consumer. As a result, the Proposed Rule's interpretation of the term "financial information" is overly broad and is not supported by the statute or its legislative history. As explained in a colloquy between Senators Allard and Gramm, Congress only intended the term "personally identifiable financial information" to include information that describes a consumer's "financial condition." This narrower definition of "financial information" intended by Congress, which would describe an individual's assets and liabilities, income, account history, etc., ought to be adopted by the Agencies. Furthermore, the existence of a customer relationship and the nature of the relationship (e.g., deposit account or credit account) should not be considered "financial information" because it is not information about the individual's "financial condition." (For further discussion see page 12.)
Another example of an inconsistency which needs to be remedied is that the Proposed Rule provides that a financial institution must provide the initial notice to an individual "prior to the time" that the institution establishes a customer relationship with the individual. This "prior to" standard is entirely inconsistent with the statutory language of Section 503 of the GLB Act, which clearly states that a financial institution is expected to provide the initial privacy notice to a customer "at the time of" establishing a customer relationship. (For further discussion see page 14.)
Revisions to sections of the Proposed Rule discussed below provide financial institutions needed flexibility in meeting their compliance burdens without compromising the consumer protection afforded under the GLB Act.
The Agencies have proposed an effective date of November 13, 2000, the earliest date permitted by the Act. The Act, however, clearly authorizes the Agencies to delay the effective date. In fact, the Agencies ask whether the effective date should be delayed. For the reasons stated below, we strongly urge the Agencies to substantially delay the effective date and to permit staggered mailings to customers for a time period greater than 30 days.
Assuming that the regulations become effective six months following adoption of the Proposed Rule, we suggest that compliance be made voluntary until at least nine months after the effective date (i.e., August 13, 2001) and preferably 15 months. The GLB Act places numerous new obligations on financial institutions, and financial institutions will not know the full extent of the obligations imposed until the final Rule is released. Thereafter, financial institutions need adequate time to implement numerous changes to comply with all new obligations. If financial institutions are forced to complete all the enormous system and operational changes within six months, there are bound to be mistakes on the part of institutions, to the detriment of both institutions and consumers. Also, given the proposed effective date, the 30-day notice period would fall in the holiday season, which is one of the busiest times for mail, other special year-end disclosures, and notices for tax purposes.
A short 30-day notification period also would place tremendous pressure on financial institutions in finding third-party servicing organizations to print these notices and provide them to consumers on behalf of the institutions. This 30-day notification period is simply too short a time frame in which to provide notices to all existing customers, since institutions do not regularly correspond with all of them. There needs to be flexibility to allow notices to be included with regular account statements to the extent reasonably practicable in order to minimize costs.
Therefore, a voluntary compliance rule of at least nine months would provide financial institutions with the flexibility they need to develop and provide accurate notices to all existing customers and to implement the significant regulatory requirements. (For further discussion see page 28.)
Institutions also need flexibility as to the content of notices. The examples set forth in the Proposed Rule require a financial institution to include in the institution's notice too much detail about the institution's policies on collecting, disclosing, and protecting nonpublic personal information of consumers. Such notices would be difficult to produce and keep accurate. More importantly, they would not be meaningful to consumers. In fact, the Proposed Rule, by requiring overly detailed privacy notices, would be counterproductive because consumers would be less likely to read lengthy and detailed notices. (For further discussion see page 18.)
In many cases financial institutions will choose to provide the initial notices with other required disclosures; accordingly, the final Rule should provide financial institutions additional flexibility regarding the timing of the initial privacy notice. This flexibility is needed where it might be impossible or impractical to provide the notice at the time of establishing a customer relationship. The final Rule should provide that an institution may deliver the initial notice within a reasonable period after the customer relationship is established, so long as no nonpublic personal information relating to that customer is disclosed to a nonaffiliated third party before the initial notice and opt-out notice are provided, and the customer is given a reasonable amount of time to opt out. Customers would be protected because, unless an exception applied, no information would be disclosed to any nonaffiliated third party until the customer receives the notice and has a reasonable opportunity to opt out. (For further discussion see page 14.)
The final Rule should make it clear that financial institutions have flexibility with respect to the methods they use to obtain consent from a consumer. The final Rule should not require or suggest that a consumer's consent be in writing or indicated separately. Instead, the final Rule should permit any reasonable means for obtaining consent that is sufficient to reflect the consumer's election to do business with an institution. The consent provision should merely be required to broadly identify the particular purposes for which information will be disclosed and the types of information that will be disclosed.
Purpose and Scope.
1. Foreign Financial Institutions.
The Proposed Rule indicates that it would apply to domestic offices of U.S. banks and domestic branches and agencies of foreign banks. We support this provision and agree that the Proposed Rule should not apply to foreign financial institutions that solicit business in the U.S. but do not have an office in the U.S. The Proposed Rule should apply only to institutions with offices in the U.S. because enforcement mechanisms may not exist for foreign-domiciled institutions. Additionally, an extra-territorial application of the Proposed Rule might cause other countries to seek to have U.S.-domiciled institutions become subject to a patchwork of privacy laws, particularly in connection with those institutions' doing business on the internet.
2. Insurance Companies.
We understand that the Agencies do not intend to include "insurance companies" within the scope of the new rules and, under the Banking Agencies' Proposed Rule, insurance companies would be specifically excluded. We support this exclusion and believe it is necessary to comport with the expressed intent and language of the GLB Act pertaining to "functional regulation" by state insurance authorities. We suggest, however, that clarification be provided on two points. First, the term "insurance companies" should be understood to include insurance underwriters, agents and brokers.
Second, the exclusion should not be limited by the Proposed Rule to these entities' "insurance activities" and "activities incidental to insurance activities." Bank-affiliated insurance entities of all types and insurance-licensed individuals affiliated with banks should be completely outside the scope of the Banking Agencies' privacy regulations where they are subject to state insurance laws and state regulatory authority relating to privacy. Given the historic opposition in some states to bank-affiliated insurance providers, we request that the Agencies eliminate any possible notion that bank-affiliated insurance providers are subject to both federal banking and state insurance privacy regulations, which of course would be discriminatory and could result in duplicative and inconsistent regulation. This clarification would be consistent with the GLB Act, and particularly with Section 104's objective of preventing discrimination against bank insurance providers.
Rule of Construction.
We applaud the Agencies for making expansive use of examples in the Proposed Rule. Additional or different examples may be helpful in illustrating the wide variety of ways compliance can be effected, and as you will see below, we suggest some further examples in connection with specific topics addressed by the Proposed Rule. We endorse the position of the Banking Agencies that compliance with the examples constitutes compliance with the applicable rules. The SEC's position would not provide the same "safe harbor" and we urge the SEC to adopt a position consistent with the Banking Agencies' approach. Indeed, since examples used by the various Agencies may differ, we recommend that clarification should be provided that compliance with any one Agency's examples will constitute compliance with the Proposed Rule for all Agencies.
1. Clear and Conspicuous.
The Proposed Rule defines this term, which is used in relation to various notices, to mean that a notice is reasonably understandable and calls attention to the nature and significance of the information in the notice (emphasis added). The Proposed Rule also provides examples of ways for notices to meet this requirement. We urge the Agencies to delete the words "the nature and significance." These words could be interpreted to create an additional and onerous standard with respect to information required in the notice, and they add little to improve the clear and conspicuous aspects of the notice.
The term "clear and conspicuous" already is used without extensive definition in other federal and state regulations and there is no need for a more onerous definition or interpretation of that term here. Since this proposed definition is different from existing and historically utilized terminology, the proposed definition would create new uncertainty for compliance with the existing standards. We also are concerned that this definition of the term, by requiring adherence to multiple criteria, could have a "spillover" effect in other regulatory areas (e.g., TILA) or be cited in litigation.
We support the use of examples generally, but we have several concerns with the particular examples here. Our suggestion is to delete the examples for this definition and, indeed, we believe there is little need for the definition itself. Unlike other examples used throughout the Proposed Rule that address new subject matter and are appropriate, this concept of clear and conspicuous disclosures does not cover any new ground and, therefore, the examples are unnecessary and should be deleted. In this case, the examples are very detailed and cumulatively are difficult, if not impossible, to meet. A notice could easily be considered not to meet one or more of the requirements of the examples. If the Agencies decide to retain the examples for this definition, we have several recommendations.
First, in the "lead-in" language to the first two sets of examples the words "to the extent applicable" should be deleted or replaced with "to a substantial extent." Such a change will help clarify that compliance with each of the examples is not necessary (though each example is potentially applicable) in order to comply with this requirement.
Second, to further clarify that a notice need not meet all the criteria set forth in the examples in order to meet the requirement, the conjunction "and" should be replaced with "or," consistent with the approach used in the third set of examples in this definition.
Finally, if the definition and examples are retained, we suggest that the following revisions be made in the examples:
- (b)(2)(i)(B) should read, "uses short explanatory sentences or bullet lists." There is no need for explanatory sentences and bullet lists. Deleting the "whenever possible" is more consistent with this item being an example rather than a requirement.
- (b)(2)(i)(C) should also delete the words "whenever possible" for the same reason.
- (b)(2)(i)(E) should read, "avoid inappropriate legal and highly technical business terminology." (emphasis added). The word "inappropriate" is needed because many words and phrases can be considered "legal terminology" that may be necessary and/or appropriate.
- (b)(2)(i)(F) should be deleted. This example relating to boilerplate explanations could itself be the subject of conflicting interpretations.
- (b)(2)(ii)(C) should read, "provide adequate margins and line spacing." (emphasis added). The words "wide" and "ample" are too susceptible to varied interpretations and are an inexact attempt to quantify what is required. "Adequate" is a qualitative term, which would be less likely to result in a challenge to the notice.
- (b)(2)(iii)(A) should read, "distinctive type, bold face or italics in the text." (emphasis added). When multiple notices are used, each cannot be larger than the other(s).
- (b)(2)(iii)(B) should read, "different margins and line spacing in the notice." (emphasis added). With multiple notices, the margins and line spacing of each cannot be larger than the others'.
- (b)(2)(iii)(C) should read, "shading, sidebars or other graphic devices to highlight the notice." (emphasis added). The type of highlighting should not be limited. Also, deleting the words "whenever possible" reinforces that this is an example and not a requirement.
- (b)(2)(iii)(D) should be added and should read, "distinctive headings," to allow for another way to call attention to information.
For your reference we have incorporated the above suggestions into a revised definition and attached it as Exhibit A to this letter.
A related point for the Agencies to consider is that the thrust of the "clear and conspicuous" notice requirement is brevity, simplicity and readability. These goals could be fostered, we believe, by the Agencies providing for a short form of notice of the required disclosures coupled with the availability of a full and complete notice upon request. We recommend that such an approach be considered because it might better accommodate the needs and desires of the recipients of such notices.
2. Collects.
Information that an institution "collects" is defined to include any data that is "retrievable." Since virtually any information can be retrieved (perhaps manually and at a significant cost), we suggest a narrower definition of "collects" to limit it to information for a particular class of consumers that the institution systematically collects and maintains in an accessible format to facilitate efficient disclosure to third parties. The problem with the Proposed Rule is that it would cover, for example, notes about a client kept in an employee's "personal" file (a Rolodex, for example). Though this information is not maintained in a database, and the institution may not even know of its existence, it is theoretically "retrievable." Obviously, it is not possible for the institution to disclose all such information that is collected and, in a case where an employee leaves the institution and takes the information with him or her (possibly in violation of the institution's policy or an employment contract), the institution should not be considered to have violated the privacy of a customer who had "opted out" of information sharing.
3. Consumer.
The Proposed Rule's definition and examples include as a "consumer" a person who submits a credit application to a financial institution. We believe the Proposed Rule goes beyond the provisions of the GLB Act. The Proposed Rule should be revised, consistent with the definition in the GLB Act, to specify that an individual who merely submits an application or provides information to a financial institution, but does not actually obtain a product or service (such as a loan or account) from the financial institution, is not a "consumer" of the financial institution.
We urge the Agencies to replace the word "and" with "or" in this definition with respect to an individual's legal representative. An institution does not have a stand-alone relationship with a person's legal representative, but the definition appears to create two such relationships out of one. If applicable in a particular transaction, either the individual or the legal representative, but not both, ought to be considered a "consumer"; institutions should not issue multiple notices for a single relationship and should not have to deal at their peril with potentially conflicting instructions from the individual and the representative.
We recommend that the Agencies provide a broader example where an individual would not be considered to be a "consumer" of that financial institution. The example(s) should encompass services beyond "processing information" and should include any situation where a financial institution receives information about an individual with whom it has no direct relationship and the information is received in order to provide services to an entity with which the institution has a contractual relationship.
Lastly, we suggest that the Agencies should confirm, by way of an example or otherwise, that a person should not be considered a "consumer" where the institution merely responds to an inquiry, such as by providing an informational brochure or a current rate on a credit or deposit product.
4. Customer Relationship.
In the Proposed Rule, a "customer relationship" requires a continuing relationship, and the explanatory materials provide that repeated isolated transactions do not establish a customer relationship (e.g., periodic use of an institution's ATMs, or repeated purchases of traveler's checks or money orders). This point about isolated transactions should be articulated directly in the examples in the Proposed Rule by including the words "or a series of isolated transactions" after the words "isolated transaction" in the first and third examples. Furthermore, credit card advances and currency purchases should be included as additional examples in the Proposed Rule.
We recommend that situations in which a financial institution acts as fiduciary either should be deemed not to create a "customer relationship" or should be considered exempt from the notice requirements. Common law fiduciary duties already substantially restrict a fiduciary's disclosure of information concerning fiduciary accounts. If the Agencies agree that acting as a fiduciary does not, in its own right, create "customer relationships," then the reference to "trust" account in clause (i)(A) of the customer relationship examples should be deleted or appropriately clarified.
However, if the Agencies decide that fiduciary accounts are not exempt and do create customer relationships, we recommend that the Proposed Rule identify the categories of individuals that are considered customers as well as those that are not. We would propose that beneficiaries with current interests be identified as customers. Beneficiaries with contingent interests should not be considered customers because the fiduciary does not even attempt to identify these individuals until such contingencies occur. To the extent charitable organizations receive fiduciary services, we submit that the services are not received for "personal, family or household purposes" and thus charities should not be considered customers.
5. Financial Institution.
The definition in the GLB Act includes institutions that engage in activities that are financial in nature and this definition is made consistent with current interpretations by the Banking Agencies' definition in the Proposed Rule, which includes institutions engaging in activities that are incidental to activities that are financial in nature. The FTC definition, on the other hand, constricts the one in the GLB Act by defining a financial institution as one that is "significantly engaged in financial activities."
We support the definition of the Banking Agencies and urge the FTC to adopt the same definition. We believe that it is important for the regulations of the various Agencies to be uniform to the extent possible. At minimum, each Agency's definition should include an entity to the extent that the entity engages in activities that are financial in nature or incidental thereto. Also, the FTC definition's use of the term "significantly" is vague and will result in institutions being unsure whether they are subject to the regulation.
The Banking Agencies' definition provides greater certainty and therefore is preferable. In addition, the Banking Agencies' definition appropriately creates a level playing field inasmuch as entities that provide particular services are treated alike in terms of being subject to the Proposed Rules. In contrast, the FTC's definition would unfairly distinguish among entities providing the same exact services, and would subject some to compliance with the Proposed Rules while exempting others based on a vague standard tied to the entity's mix of business.
Furthermore, the Banking Agencies' definition, as opposed to the FTC's, would better serve to promote the GLB Act's purposes of informing consumers about company privacy practices and would allow consumers to prevent disclosure of certain information. Thus, with a consistent definition among the Agencies, consumers would receive consistent treatment with respect to their financial information regardless of the entities with which they deal.
6. Financial Product or Service.
The Proposed Rule's definition includes the evaluation of information in a consumer's application as a "financial service." The definition should be revised to exclude this item because the mere consideration of an application is not a "financial service" in its own right. Essentially, it is a condition precedent to a decision whether to provide a financial service, which can lead to establishing a relationship where the application is accepted.
7. Nonpublic Personal Information.
The Proposed Rule sets forth two alternative definitions of this term that are interrelated with the definitions of "personally identifiable financial information" and "publicly available information."
Alternative A focuses on the source of the information and provides that information is public information only if it is actually obtained from a publicly available source (i.e., government records, widely-distributed media, or government-mandated disclosures).
Alternative B, however, focuses on the information itself and where it is available. (In other words information is public information if it could be obtained from a publicly available source - the same categories identified in Alternative A - even if it was obtained from a customer or other source.)
As between Alternatives A and B, the concept in Alternative B should be adopted together with our other related recommendations. Where the information is available, rather than where it was obtained, should control. Any other result would be an injustice to the words "publicly available." There are other cogent reasons why Alternative B is preferable. First, under Alternative A, information which otherwise is public information would be transformed into nonpublic information merely because it is provided to a financial institution by a consumer, customer or by another third-party nonpublic source. For example, the fact that a customer has a mortgage loan is a quintessential public record, and the definitional structure of the Proposed Rule should recognize this reality. There is no benefit to consumers in treating such information as other than public, since it is public.
Second, adopting Alternative A would create onerous record-keeping burdens. Rather than a simple factual matter of whether or not information is publicly available under Alternative B, institutions would need to keep records of the source of the information and to distinguish publicly available information obtained from public sources from that obtained elsewhere. Such efforts would be of little or no value because, in any case, the information would be public and otherwise not protected. Indeed, a financial institution could reconfirm all information it received regarding a consumer through public sources, thereby converting protected information to publicly available information at an additional cost to the institution, but without providing any additional protection to consumers. The SEC's proposal recognizes this and, by excluding information that is reasonably believed to be publicly available, obviates the need for reconfirming the availability of the information.
Third, providing an opt out right with respect to such information would be confusing to consumers. In the example of the mortgage loan mentioned above, a consumer who submits an opt-out request to the lender might think the lender did not honor the request if the consumer gets a solicitation from a third party who obtains the information from the public record or sources other than the lender.
Finally, since some of the Agencies proposed only Alternative B and no other approaches, adopting Alternative A will create an inconsistency among the Agencies. Such an inconsistency is undesirable and contrary to the GLB Act's mandate that to the extent possible the regulations be consistent.
In addition, we believe that the definition of "nonpublic personal information" clearly should not cover information about a consumer that contains no indicators of a consumer's identity (e.g., a mortgage lender that provides de-personalized aggregate information about its loans to a nonaffiliated third party). The term should not cover information without any identifier because, without such an indicator, the information lacks the "personal" component of the defined term and thus disclosure of such information could not harm the consumer.
8. Personally Identifiable Financial Information.
The definition of "personally identifiable financial information" should be revised to specify that the mere fact of a customer relationship, with no specific information about that relationship, is not considered "financial information" and that mere identification information, such as name, address and telephone number, is not considered "financial information," even if received from the consumer. The nature of the information, rather than the source, should be used to characterize the type of information. Similarly, demographic information and other information that does not itself describe an individual's "financial condition" should not be considered "financial information," even if received from the consumer.
The Proposed Rule's definition of "personally identifiable financial information" ignores the word "financial." Under the GLB Act, only financial information is included. Nevertheless the Agencies have arbitrarily defined the term as meaning "any information" an institution obtains in certain circumstances involving the providing of financial services or products by the institution. We submit that the circumstances surrounding how the information was obtained cannot be controlling, and the definition must be revised to refer to the nature and substance of the information itself, in order to meaningfully take into account the word "financial."
Also, we believe that further examples of information that is not considered "personally identifiable financial information" would be helpful. The examples could include illustrations of information unrelated to financial condition and a general exception should exist for any information that is publicly available.
Furthermore, the fact that a customer relationship exists need not be considered financial information, particularly if that information is also publicly available. For example, checking account customers routinely issue checks with their names (and addresses) on them and customers with credit cards routinely display and use their cards in public. There would appear to be no compelling reason why this limited information ought to be protected, particularly when, by such issuance and displays, customers publicly acknowledge the existence of the relationships and no information regarding the accounts or the customers' financial condition is involved.
9. Publicly Available Information.
The definition of "publicly available information" under Alternative B is preferable for the reasons mentioned above (see definition of "nonpublic personal information"), but the definition and accompanying examples ought to be expanded in several ways. First, rather than limiting the term to information that is lawfully made available to the general public, we endorse the definition put forth by the SEC's proposal that would deem information to be publicly available if the institution reasonably believes it lawfully could be obtained from a public source. The SEC's proposal is a more workable definition of "publicly available information," because it comports with reasonable expectations of privacy. Thus, it should be adopted in each final rule.
In many cases, a financial institution simply may not know the source of its information. When a financial institution buys a portfolio of accounts, the institution may not be able to determine the source of the account information. However, it will know that the information can be obtained from a public source and, thus, the institution should not be required to treat it as if it were nonpublic information.
Also, the final rules should clarify that financial institutions may reasonably believe that certain basic categories of information - such as name, address, telephone number, real property ownership, mortgage lender and mortgage amount - are publicly available.
Next, the words "widely distributed" in the second clause of the definition ought to be deleted. The focus should be on whether or not information is publicly available and not necessarily the ease of accessibility.
Also, in the second example, the words "widely distributed" and the words "without requiring a password or similar restriction" should be deleted. The fact that a password must be used in order to obtain the information ought to be irrelevant. In fact, most internet access requires use of a password and that factor should not cause public information to be considered non-public. Information on the internet should be considered publicly available regardless of whether its accessibility is restricted by password or otherwise, so long as a segment of the general public could obtain access to it.
Initial Notice of Privacy Policies and Practices.
1. General Rule - Timing of Initial Notice to Customers.
The Proposed Rule specifies that the initial notice must be provided to an individual "prior to" establishing a customer relationship. This language should be changed to "at the time" of establishing a customer relationship to conform to the requirement of the GLB Act. Doing so would also make the Proposed Rule consistent with language in the explanatory materials, where the Agencies specify that the notice may be provided at the same time a financial institution is required to give other required notices (e.g., TILA "initial disclosures") in order to minimize unnecessary burdens on financial institutions.
The Proposed Rule ought to be revised to specify that a financial institution may deliver the initial notice within a reasonable period after the customer relationship is established, so long as no nonpublic personal information relating to the customer is disclosed to a nonaffiliated third party before the notice and the opt-out notice are provided, and the customer is given a reasonable amount of time to opt out. Providing the initial notice at this time will still afford a consumer a meaningful opportunity to make an informed decision on the privacy aspects of the relationship with the institution. For example, the need for delayed delivery of the notice exists in the situation where a financial institution mails preapproved credit card solicitations to consumers and consumers who accept the solicitation can use the credit line on the account immediately (such as for a balance transfer), before the credit card on the account is sent to the consumer. Requiring the institution to send a notice with each solicitation would impose enormous costs on the institution, without any benefits to consumers. Customers would be protected in such circumstances because no information would be disclosed to any nonaffiliated third party until the customer received the notice and had a reasonable opportunity to opt out.
We believe that such a need for delayed delivery is particularly important for purposes of indirect credit transactions where there is no face-to-face or direct contact between the institution and the consumer, and there is no contractual relationship whatsoever at the time the transaction is consummated. In such transactions, an institution purchases a consumer's obligation from a seller of goods or services (e.g., an automobile dealer) before it has an opportunity to provide disclosures. Indeed, where the institution has outsourced its data entry or other functions, information could be shared with a service provider before the disclosures can be made to the consumer.
2. When the Bank Establishes a Customer Relationship.
We support the Agencies' use of examples for this provision, but suggest that they be reformatted to indicate that the relationship is established when the financial institution rather than the consumer takes specified actions, such as providing credit, receiving a deposit, etc. The mere execution of a form agreement by the consumer (whether or not part of the application process, as is the case for federally guaranteed student loans) should not be deemed to create any continuing relationship.
If the Agencies decide that acting as a fiduciary is not exempt from the notice requirements and is deemed to establish a customer relationship, we suggest that an example be added to clarify that a customer relationship is established only after funding is provided to the fiduciary. Typically, fiduciary accounts are not set up on the financial institution's system until funds are received, so it would be particularly burdensome and costly to generate notices before account funding.
3. How to Provide Notice.
In situations where there is more than one party to an account, e.g., a joint account, notice to either party ought to be sufficient. That would be consistent with other consumer protection laws (e.g., Regulations B, E, Z, DD, CC) that require disclosure to only one party. Notice should not be required to co-signers, guarantors, or authorized users of credit card accounts. For deposit accounts, brokerage accounts, investment management and custody accounts established at a financial institution by a trustee or other fiduciary, notice to the fiduciary should be sufficient and it should not be necessary to notify beneficiaries because the fiduciary is the party to the account. As with any correspondence on a particular account, sending the notice to one individual at a single address to which account statements are directed should be sufficient. If there are multiple fiduciaries on an account, notice to one should be deemed sufficient.
4. Exceptions to General Rule.
We support the provisions that allow delayed notification under certain specified circumstances. If the financial institution and the consumer orally agree to enter into a customer relationship, the institution should be able to provide the initial notice to the consumer within a reasonable time thereafter if the consumer agrees.
Likewise, we agree that if a financial institution purchases a loan or assumes a deposit liability from another financial institution or in the secondary market and the customer does not have a choice about the purchase or assumption, the acquiring financial institution should be able to provide the initial notice within a reasonable time thereafter. In addition, this exception should be expanded to open-end credit, leases, investment, custody, insurance and similar accounts. It should also be expanded to fiduciaries if they are not exempt from the notice requirements and are deemed to create customer relationships. Furthermore, we suggest that the language about customer choice be deleted. The institution may have similar difficulties in providing notice upon acquiring the account regardless of whether the customer has a choice about the institution that acquires the account.
The Proposed Rule should address situations where a customer has requested a financial institution not to send statements, notices or other communications to the customer, to hold such communications or to send them to a particular address. In these circumstances the customer's wishes should be respected and sending a notice should not be required. For example, it is not unusual that some private banking customers, including those living abroad, may prefer not to receive correspondence directly.
5. Retention or Accessibility of Notice for Customers.
Annual Notice to Customers.
The Proposed Rule defines "annually" as at least once in a consecutive 12-month period. We urge the Agencies to allow institutions the option of providing the notice at least once in a calendar year. Such an option would help institutions avoid technical non-compliance that could result from the vagaries of the calendar, billing cycles, etc. For example, where an institution wants to send the notice in each account holder's statement mailings each October, a delay of a few days in a particular year could result in more than 12 months elapsing between notices. Allowing the notice to be sent anytime within a calendar year would obviate the difficulty of assuring that 12 consecutive months did not elapse without a notice being sent.
2. How to Provide Notice.
The Proposed Rule should be similarly revised to provide that a financial institution is not required to provide a notice annually to a customer if the customer has previously exercised his or her right to opt out of the financial institution sharing information with nonaffiliated third parties. In the case of a customer who already opted out, no useful purpose is served in sending additional notices. Indeed, receipt of such notices might cause the customer to question whether the institution failed to properly process the previous opt out request.
3. Termination of Customer Relationship.
The Proposed Rule provides that a financial institution is not required to provide the annual notice to a customer with whom it no longer has a continuing relationship and sets forth examples of when there is no longer a continuing relationship. We agree that notices should not be required for deposit accounts that are dormant under the institution's policies; closed-end accounts that have been paid in full, charged off or sold without the institution retaining servicing rights; open-end credit accounts where periodic statements are no longer sent or where such accounts are sold without the institution retaining servicing rights; and for other types of accounts, where the institution has not communicated with the consumer about the relationship for a period of 12 consecutive months. For investment and custody accounts (and fiduciaries if they are not exempt from the notice requirements), the example should be expanded to provide that those account relationships are deemed not to continue when all assets and funds have been transferred out of the account or periodic statements are no longer sent.
The above examples are welcome and additional examples would be helpful. For instance, in the case of closed-end accounts, institutions sometimes retain or acquire servicing rights as a master servicer when the account is sold (e.g., in a securitization), but the master servicer engages a sub-servicer to handle the account and the account may no longer be on the master servicer's computer system. Under these circumstances, the master servicer would be unable to send notices to the customer in the ordinary course of business. Furthermore, the customer's contact in such a situation is with the sub-servicer, and the customer is probably unaware that servicing rights were retained. We suggest that where servicing rights are retained by the master servicer but actual services are performed by a sub-servicer, the master servicer should not be required to send notices so long as it does not share information about the affected customers with non-affiliated third parties. Instead, the parties should have the flexibility to agree that the consumer will receive notices from the sub-servicer rather than from the master servicer.
In the example of dormant accounts, the applicable standard should be the institution's policies as provided in the Proposed Rule, rather than state law, which the explanatory materials indicate the Agencies may be considering. Institutions will presumably take state law into account, but the law might not be identical to their policies. Institutions operate across state lines. Applying more than one state's law would be burdensome and determining which states' law controls is often difficult. Therefore, institutions should not have to differentiate for purposes of the annual notice among accounts they treat, under their policies, as dormant/inactive. Because the word "dormant" may have specific connotations under state law, we recommend that it be changed to "inactive."
Information to be Included in Initial and Annual Notices of Policies and Practices
1. Categories of Information Collected.
The Proposed Rule focuses on the source of the information rather than the content of the information. The Proposed Rule should be revised to provide greater flexibility by enabling institutions to comply by giving examples of the categories and allowing a financial institution to categorize information collected by source, by content or by a combination of both.
2. Categories of Information Disclosed.
The Proposed Rule focuses on the content of the information. The Proposed Rule should be revised to provide that a financial institution may give examples of categories and may categorize information disclosed by source, by content or by a combination of both. Also, there should be a recognition that broad categories or examples are acceptable and that not every element of information needs to be referenced.
3. Categories of Affiliates and Non-affiliates to whom Information is Disclosed
There is no need to provide this information with respect to affiliates. FCRA notice should suffice. Under Section 503(b)(4) of the GLB Act the notices are to include the FCRA disclosures. We believe that no other disclosure should be required with respect to information shared with affiliates because such other disclosures would be confusing to customers. Furthermore, adding to the FCRA disclosure requirements would appear to be contrary to section 506(c) of the GLB Act, which provides that the privacy provisions of the GLB Act are not intended to modify the FCRA. Indeed, requiring any FCRA disclosures in the notices could be deemed to modify the FCRA because under the FCRA the opt out notice need be given once (if at all). The Proposed Rule seeks to transform the FCRA disclosure into an annual notice requirement, which could be considered contrary to the congressional mandate that the FCRA not be modified.
The Proposed Rule focuses only on the type of business in which affiliates and non-affiliates are engaged. The Proposed Rule should be revised to provide that a financial institution may give examples of categories of nonaffiliated third parties (and affiliates, if it is determined that the FCRA notice alone does not suffice) to whom information is disclosed by type of business in which such entities engage, by type of products offered by those entities or by a combination of both.
The Proposed Rule provides that a financial institution need only inform consumers that it makes disclosures as permitted by law (i.e., exceptions under the GLB Act) to nonaffiliated third parties in addition to those described in the notice, without listing those parties. We support this provision and believe it is unnecessary to require further information to be included. This notice is adequate with respect to disclosures permitted by law because consumers will not be able to act on this information and further extraneous information in the notices will detract from the other information that is required to be disclosed.
4. Information Disclosed to Service Providers.
The Proposed Rule requires the notices to specify categories of information and entities to whom the information will be disclosed. As mentioned elsewhere in connection with the exceptions applicable to certain service providers, clarification should be provided on how to distinguish these service providers (other than marketing services), for which notice is required under Section 502(b)(2) of the GLB Act, from service providers for which disclosure is permitted and no notice is required pursuant to the general exceptions under Section 502(e)(1)(B) of the GLB Act.
5. Right to Opt Out.
The Proposed Rule requires the initial and annual notices to explain the right to opt out. We believe this expands the requirement of Section 503(b) of the GLB Act, which contains no such requirement for the initial and annual notices. The explanation of the opt-out right should be required solely for the opt out notice.
6. FCRA Disclosures.
The Proposed Rule requires the initial and annual notices to include disclosures the institution makes under the FCRA. The FCRA discussion above, in connection with categories of affiliates to whom information is disclosed, applies here, too. If the requirement set forth in the Proposed Rule is to apply, we request clarification on how to handle FCRA disclosures to customers where the institution intends to provide a single initial/annual notice for affiliated companies and only some of the companies share information with affiliates and provide FCRA opt out notices.
7. Confidentiality, Security and Integrity.
The Proposed Rule requires the initial and annual notices to include disclosures of the institution's policies and practices of protecting information and the Proposed Rule provides examples of what constitutes an adequate description. We recommend that the example regarding confidentiality and security should be revised to provide that a financial institution may explain who has access and under what circumstances, the types of limitations (if any) that the institution places on access to information, or a combination of both.
With respect to the example regarding integrity, we suggest it be deleted because the GLB Act contains no reference to "integrity" apart from "security." If, however, the Agencies choose not to delete this example, it should be revised to provide that a financial institution may explain the measures it takes to protect the integrity of information, provide examples of the types of measures the institution takes to protect against reasonably anticipated threats or hazards, or a combination of both.
The notices are to include an institution's policies and practices relating to confidentiality, security and integrity of nonpublic personal information. We urge the Agencies to clarify that technical information need not be included in the notices. Instead, institutions should be able to indicate broad categories of the type of individuals who have and/or do not have access to the information and the type of measures (without providing details) used to protect the information. For example, we would urge that it be sufficient to indicate that information may be available to employees of a business/functional unit who may have a need for the information in performing duties related to the product or service.
The explanatory materials accompanying the Proposed Rule indicate that the Agencies expect that the security and confidentiality standards they must establish under the GLB Act will be in place when the final rule is issued. The standards are needed for institutions to develop the notices. As discussed further below, in connection with the effective date of the Proposed Rule, the delay in issuing standards will increase the lead time that will be needed to comply with the requirements of the Proposed Rule.
Opt Out Notice-Limitations on Disclosures.
1. Joint Accounts.
The Proposed Rule sets out the criteria that an institution must satisfy prior to disclosing non-public personal information to nonaffiliated third parties. There are several issues concerning how the right to opt-out should apply in the case of joint accounts and they are mentioned briefly above, in connection with the discussion on how to provide the initial notice. To reiterate, a financial institution should not need to require all parties to an account to opt out before the opt out becomes effective. As a matter of common law and/or contract, and consistent with other federal regulations, any joint owner of an account is able to bind the other joint account owner(s). Any joint account owner should be able to opt out for the other(s).
If only one of the parties opts out, the opt out should apply to information about all parties to the account, at the option of the financial institution, because it may not be possible to segregate information between the parties. If the parties to a joint account do not agree on the appropriate treatment of information, they are free to open separate accounts and obtain their preferred treatment.
Subject to certain exceptions, however, an institution must honor a request from a consumer not to disclose nonpublic personal information to unaffiliated third parties. This requirement should be limited to the account of the consumer in connection with which the request was made. For a joint account, an institution should be able to share information on the other, non-requesting joint accountholder with respect to any other accounts of that individual in the absence of a specific request not to share account information by that individual. Many institutions maintain records on an account-by-account, rather than customer-by-customer, basis and would find it difficult to comply with an opt-out request with respect to only one accountholder or to apply the opt out to other accounts at the institution.
Institutions also need the flexibility of making a single disclosure, and providing a single opt-out right, applicable to all account relationships of a customer with any institutions within the organization. Alternatively, the financial institution should be able to provide notices for each account and, in such a case, the opt-out would not apply to other existing account relationships.
With respect to the applicability of an opt-out right to commingled trust accounts, where a trustee manages a single account on behalf of multiple beneficiaries, notices should be sent to the trustee. Also, the right to opt out should be with the trustee since the trustee manages other aspects of the account. If the trustee elects to opt out, the opt out should apply, at the option of the institution, to the particular account or all accounts of the trustee for the same trust with the institution.
2. Reasonable Opportunity to Opt Out.
We support 30 days as a reasonable opportunity to opt out in the case of a notice sent by mail.
In the example for an isolated transaction, a financial institution is considered to provide a reasonable opt out opportunity if it provides the opt-out notice at the time of the transaction and requests the consumer to decide whether to opt out before completing the transaction. We support this provision; however, the example should be expanded to allow institutions the additional flexibility to provide an opt out immediately following the transaction or at a later time, so long as no nonpublic personal information of the consumer is disclosed to a nonaffiliated third party before the opt-out notice is provided and the consumer is given a reasonable amount of time to opt out. Such added flexibility for the institution could be achieved without adversely affecting the consumer.
Form and Method of Providing Opt Out Notice.
1. Reasonable Means to Exercise the Right to Opt Out.
The Proposed Rule sets out examples of what constitutes reasonable means. Although perhaps implicit, the Proposed Rule should be amended to include an example of the use of toll free numbers, at the institution's option, for opt out purposes. There should be no requirement, however, that a toll-free number must be made available or that an institution be forced to accept opt outs through particular means of communication. An institution should be able to designate the means through which the opt out may be communicated to it. In addition, the institution should not be required to accept opt out from persons other than the "consumer," such as from list processors.
One example states that a financial institution does not provide a reasonable means to opt out by requiring consumers to send their own letter to the institution to exercise their right. Section 502(b)(1) of the GLB Act requires that consumers be given an "opportunity" to opt out, but does not limit the available means. The Agencies should not impose a requirement beyond the statutory mandate in order to restrict the means that may be required for exercise of the opt out right. Furthermore, we note that the opt out "opportunity" language in the GLB Act is similar to that used in the FCRA, and there is no FCRA requirement on the means by which an opt out is to be exercised. Thus, there appears to be no reasonable basis for distinguishing the means of exercising the opt out here from the affiliate-sharing opt out under the FCRA.
2. How to Provide Opt Out Notice.
The Proposed Rule provides that if a financial institution and a consumer orally agree to enter into a customer relationship, the institution may provide the opt out notice within a reasonable time thereafter if the consumer agrees. There is no need for the Agencies to provide a more specific time by which the notice must be given. Institutions should be allowed to provide the opt-out notice to a consumer at any time before nonpublic personal information of the consumer is shared, provided the consumer is given a reasonable amount of time to opt out.
3. Duration of Consumer's Opt-Out Direction.
The Proposed Rule provides that an opt-out direction is effective until revoked by the consumer. The Proposed Rule should be revised to allow oral notice by a consumer to revoke the opt out decision, in addition to a written or electronic form of notice. This option would complement the consumer's ability, at the election of the institution, to opt out by calling a toll-free number, as suggested above.
Exception to Opt Out Requirements for Service Providers and Joint Marketing Agreements.
The Proposed Rule creates an exception to the consumer's right to opt out of information sharing if the institution satisfies the enumerated requirements. We recommend that the Proposed Rule be revised so that the requirements of full disclosure and confidentiality agreements between the institution and the service provider apply only to joint marketing agreements, and not to arrangements with other service providers. We see a clear distinction between joint marketing arrangements and other services and believe that Congress did not intend to interfere with longstanding essential outsourcing arrangements of financial institutions. Rather, Congress exempted servicing activities in two separate places: in Section 502(b)(2) and in Section 502(e) of the GLB Act. The combination of these two provisions was designed to allow institutions to continue to outsource activities that the financial institution could perform itself. Our view is that under Section 502(b)(2) of the GLB Act the notice and opt-out requirements of the Act do not apply where information is provided to third parties who perform services for, or functions on behalf of, the financial institution. However, the Proposed Rule inappropriately applies the disclosure and confidentiality requirements intended for joint financial institution marketing arrangements to traditional bank outsourcing arrangements.
We request the Agencies to correct this inappropriate treatment of outsourcing arrangements, which if left as is would result in substantial costs for financial institutions without benefiting consumers. There is no reason why similar outsourcing activities should be treated differently. In either case, a financial institution is making information available to perform activities that the institution would otherwise do itself. In neither case should this be viewed as the "sharing" of information with a nonaffiliated third party; instead, the servicer should be viewed simply for what it is -- an extension of the financial institution, performing services that the financial institution itself would otherwise perform.
The special disclosure and confidentiality requirements should be restricted to their intended application -- information shared between two or more financial institutions in connection with a joint marketing arrangement involving those nonaffiliated financial institutions.
To the extent the Agencies may disagree with this view, we respectfully urge the Agencies, under the authority of Section 504(b) of the GLB Act, to except arrangements with service providers from disclosure and confidentiality agreement requirements.
We believe nothing needs to be added to the Proposed Rule to implement the "fully disclose" requirement of the GLB Act with respect to information to be provided to the nonaffiliated third party. However, as indicated above, we seek clarification as to which types of service arrangements are and are not subject to this requirement.
2. Pre-existing Contracts and Confidentiality.
We request relief from the confidentiality requirement on contracts that pre-date the effective date of the regulations under the GLB Act. The Proposed Rule permits the sharing of information with certain nonaffiliated third parties that perform services, provided a financial institution fully discloses that arrangement to consumers and the third party is contractually required to maintain the confidentiality of the information. The Proposed Rule is silent regarding pre-existing contracts. If the Agencies do not make the revisions to except service providers as suggested in number one above, then requiring existing agreements to be amended would be burdensome and "open the door" for providers to renegotiate for an increase in their prices. Financial institutions might have little choice in capitulating to unfavorable terms. Thus, an exemption or clarification ought to be made to the effect that nothing requires a financial institution to renegotiate an existing contract in order to comply with the confidentiality requirement.
3. Credit Scoring.
In response to the Agencies' request, we believe that if a financial institution contracts with credit scoring vendors to evaluate borrower creditworthiness, the vendor should not be prohibited from using the consumers' information without indicators of personal identity in order to re-validate the underlying model. The vendor's use of information in this manner would not be beyond the lender's purpose of validating the consumer's propensity to perform acceptably. We believe that an implicit requirement of conducting a credit evaluation is having the appropriate tools with which to do so, which is the purpose of the revalidation by the vendor. In addition, we believe that aggregate, non-identifiable data is not protected and its use should not be restricted.
4. Additional Requirements.
No additional requirements should be imposed on the disclosure of information pursuant to the exception for service providers beyond those imposed in the statute. The Agencies note, for instance, that joint agreements have the potential to create reputation risk and legal risk for a financial institution entering into such an agreement. We believe that, in the context of the Proposed Rule, the financial institution should not be required to take steps to assure itself that the product being jointly marketed and the other participants in the joint marketing agreement do not present undue risks for the institution. Our view is that risks to the institution are adequately addressed in the context of other regulations relating to safety and soundness and it would be inappropriate to address them here.
5. Definition of Joint Agreement.
Ensuring that the financial institution's sponsorship of the product or service in question is evident from the marketing of that product or service would appear to run counter to espoused regulatory positions that require financial institutions to make clear they do not endorse, sponsor or guarantee various insurance products and non-deposit investment products. Nevertheless, institutions may enter into arrangements to make such products available to their customers. Therefore, we suggest that to clarify that such arrangements are included in the definition, it should be revised at the end to read "jointly cooperate to introduce, offer, endorse or sponsor a financial product or service." (emphasis added).
Exceptions to Opt Out Requirements for Processing and Servicing.
We propose that the Agencies specifically address, by way of example or otherwise, typical situations where institutions have traditionally responded to inquiries about customers. Such situations include inquiries related to checks in collection, wire transfers, requests for references where specific or general account information is to be shared. We believe that one or several potentially applicable exceptions to the disclosure and opt out requirements apply. One is the exception for the effecting, administering or enforcing a transaction requested or authorized by the customer. Other exceptions, such as the ones for consent and fraud, could apply, too. We request that the Agencies confirm our view of the applicability of exceptions with respect to such traditional inquiries.
2. Technical Corrections.
The Agencies explain that only stylistic changes were made to the statutory text. However, to be consistent with the statute, the phrase "In connection with servicing or processing" should replace "To service or process" at the beginning of clause (a)(2) and "In connection with maintaining or servicing" should replace "To maintain or service" in clause (a)(3) in this section of the Proposed Rule. A grammatical correction should be made to clause (b)(2)(vi) of this Section by inserting the word "or" before the clause, and the words "In connection with the settling" should be revised to "To settle."
Other Exceptions to Opt out Requirements.
The Proposed Rule provides an example of consent with respect to referring a loan customer to a nonaffiliated insurance company. We believe that there are situations where consent ought to be implied. For example, the Proposed Rule should make clear that co-brand and affinity programs are subject to notice and consent (and/or other exceptions), rather than notice and opt out. Thus, given the nature of the program, a consumer participating in a co-brand or affinity program should not be able to opt out of sharing. If the Agencies disagree with this point and believe the consumer may later opt out, the Agencies should acknowledge that the financial institution, as a matter of contract, should be able to terminate the account or shift the consumer to another account, since the sharing is an integral aspect of the co-brand or affinity program.
The Agencies seek comment on whether safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. The Agencies indicate that such safeguards might include, for instance, a requirement that consent be written or that it be indicated on a separate line in a relevant document or on a distinct webpage. We oppose any such requirements. Additional safeguards are not needed. Written consent ought not be required, particularly since many consumers enjoy and expect the convenience of conducting transactions by telephone.
2. Consultants and Temporary Employees.
The exception to the opt out requirements for providing information to attorneys, accountants and auditors should be expanded to include consultants and temporary employees of the institution. Such an expansion is needed to clarify that the exception applies to these individuals, who need unfettered access to information related to their assignments in order for the institution to function properly.
Limits on Redisclosure and Reuse of Information.
1. Third Party Compliance.
The Agencies seek comment on whether the Proposed Rule should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. We strongly oppose any such requirement. Institutions are not in a position to ensure or enforce compliance of the parties except as may be agreed to as a matter of contract. The GLB Act imposes restrictions on recipients of the information and provides the Agencies with enforcement authority.
2. Post-Disclosure Opt Out.
The Agencies raise the possibility that since a consumer can opt out at any time, the effect of such an opt out on information that was previously disclosed to a third party would be to preclude further disclosure. We believe that the question of whether further disclosure by the third party recipient is permitted should be determined based on the third party recipient's rights as of the time it received the information. The third party should not be prevented from disclosing the information previously received once the disclosing institution receives the opt out request. It is unreasonable to expect the recipient to monitor subsequent opt outs. The purpose of Section 502(c) of the GLB Act is met by prohibiting the recipient from disclosing information to another person unless the disclosing institution could have disclosed that information to the other person when it disclosed it to the recipient.
The above interpretation meets the consumer's reasonable expectations of privacy. The customer would have been provided proper disclosures and given a reasonable opportunity to opt-out. The customer should reasonably be expected to understand that a later opt-out does not apply to information that has already been disclosed.
We do not believe the Agencies should adopt an interpretation that the recipient cannot disclose information to another person because of a subsequent opt-out. Adopting such an interpretation would effectively limit the recipient to disclosures that are exempt. Congress could easily have imposed such a limit by stating as much in the statute. It did not and the Agencies should not impose any such additional restrictions.
3. Third Party.
The Agencies seek comment on the meaning of the word "lawful" as that term is used in Section 502(c) of the GLB Act. The term need not be further defined, and the Proposed Rule should allow the nonaffiliated third party to reuse the information if the "secondary use" falls within one of the exceptions in Sections 9, 10 or 11 or to the same extent permitted for the disclosing institution.
Limits on Sharing of Account Numbers for Marketing Purposes.
1. Flat Prohibition.
We believe that there are circumstances where a flat prohibition against disclosing account numbers, as provided in section 502(d) of the GLB Act, might unintentionally disrupt certain routine practices that promote efficiency in the financial system without harming customers. For example, the prohibition would disrupt the disclosure of account numbers to a service provider who handles the preparation and distribution of monthly checking account statements for a financial institution coupled with a request by the institution that the service provider include literature with the statement about a product. The Proposed Rule should make clear that the providing of account numbers by a financial institution to a service provider, agent or processor that is providing operational support for the financial institution, including marketing products on behalf of the financial institution itself, is not prohibited under Section 502(d) of the GLB Act. In these instances, a service provider, agent or processor should be viewed as an extension of the financial institution itself, so in essence there is no "sharing" of information with a nonaffiliated third party.
2. Consent and Sharing Post Marketing.
A consumer ought to be able to consent to the disclosure of his or her account number, notwithstanding the general prohibition in section 502(d) of the GLB Act. The Proposed Rule should be revised to specify that a financial institution may provide an account number to a nonaffiliated third party for use in marketing to the consumer, if the financial institution has obtained the consumer's prior consent. Also, the Proposed Rule should make clear that Section 502(d) does not preclude a financial institution from providing an account number of a consumer to a nonaffiliated third party after the consumer has already agreed to use the account to purchase the goods or services being offered. In these circumstances the account number is simply used to effectuate a transaction requested by a consumer after the marketing aspect has been completed.
3. Encrypted Account Numbers.
An institution may not disclose an account number for marketing purposes to a nonaffiliated third party, other than to a consumer reporting agency. However, we believe that section 502(d) of the GLB Act does not prohibit the disclosure by a financial institution to a non-affiliated third party for marketing purposes of encrypted account numbers if the financial institution does not provide the marketer the key to decrypt the number.
The Proposed Rule should make clear that the term "account number or similar form of access number or access code" does not include (i) an actual account number or other number that can be used to post a charge or debit against a consumer's account, so long as that number is encrypted and the device or other information needed to decode or unscramble the encrypted number is not provided, and (ii) a reference number used by the financial institution to identify a particular account holder, including a partial or truncated account number, provided the reference number cannot be used to post a charge or debit against the particular account. Neither of these situations involves disclosure of an account number or similar form of access number or access code that a third party can use to directly post charges or debits to a customer's account.
If the Agencies do not agree with this view, we believe they should create an exception to this prohibition to permit nonaffiliated third parties access to account numbers under the circumstances set forth in the Statement of Managers cited in the explanatory material to the Proposed Rule. Such an exception is permitted under the GLB Act and is desirable.
Effective Date; Transition Rule
1. Six Months Insufficient.
Section 510 of the GLB Act authorizes the Agencies to specify an effective date later than six months after the date on which the rule is to be prescribed. Six months following the adoption of the Proposed Rule, i.e., November 13, 2000, is not sufficient time to enable financial institutions to comply with the regulations, even assuming that the Agencies will have then issued the standards required by Section 501 of the GLB Act. More time is needed to craft institutional policies, test those policies, adopt procedures to facilitate compliance with such policies, rewrite existing agreements, work with outside vendors (e.g., software and technology companies, as well as mail distribution houses, many of which will be called upon to assist several financial institutions, resulting in limited resources), develop opt out procedures and notices, train service representatives and compliance personnel, and develop appropriate compliance control and audit procedures, etc.
Furthermore, an effective date of November 13, 2000 would result in a blizzard of mail in December 2000 and every December thereafter for annual notices. A delay of a month or two would still create a conflict with IRS-mandated tax notices. From the standpoint of consumers, notices received in the mail at a time when they are being inundated may be lost in the clutter and will not be as likely to be read. Consideration ought to be given to establishing a period of at least 9 months (preferably 15 months) from the effective date during which compliance is optional before becoming mandatory.
2. Existing Customers.
For existing customers, the Proposed Rule provides that a financial institution is required to provide the notices within 30 days of the effective date of regulations. The 30-day notification period is far from a sufficient time to permit a financial institution to deliver the required notices to existing customers. Institutions will encounter logistical problems in coordinating mailings within such a short period and would have to incur unnecessary cost to the extent they are unable to insert the notices in account statement mailings.
* * *
Chase appreciates the opportunity to comment on the Proposed Rule. If you have any questions regarding this comment letter or wish to discuss the issues, please call me at the number indicated above.
Very truly yours,
(b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the information contained in the notice.
(2) Examples. (i) You make your notice reasonably understandable if, to a substantial extent, you:
(A) Present the information contained in the notice in clear, concise sentences, paragraphs and sections;
(B) Use short explanatory sentences or bullet lists;
(C) Use definite, concrete, everyday words and active voice;
(D) Avoid multiple negatives; or
(E) Avoid inappropriate and highly technical business terminology.
(ii) You design your notice to call attention to the information contained in it if, to a substantial extent, you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read; or
(C) Provide adequate margins and line spacing.
(iii) If you provide a notice on the same form as another notice or other document, you design your notice to call attention to the information contained in the notice if you use:
(A) Distinctive type, boldface or italics in the text;
(B) Different margins and line spacing in the notice;
(C) Shading, sidebars or other graphic devices to highlight the notice; or
(D) Distinctive headings.