First Union Corporation
Legal Division, NC0630
301 S. College Street
Charlotte, NC 28288-0630
VIA ELECTRONIC SUBMISSION
(Copies Via Overnight Delivery)
March 31, 2000
Department of the Treasury
Office of the Comptroller of
250 E Street, SW.
Washington, DC 20219
Attention: Docket No. 00-05
Ms. Jennifer J. Johnson
Federal Reserve Board
20th and C Streets, NW
Washington, DC 20551
Docket No. R-1058
Robert E. Feldman
Federal Deposit Insurance Corporation
550 17th Street, NW.
Washington, DC 20429
Manager, Dissemination Branch
Information Management & Services Division
Office of Thrift Supervision
1700 G Street, NW.
Washington, DC 20552
Attention Docket No. 2000-13
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549
File No. S7-6-00
Re: Proposed Regulations: Privacy of Consumer Financial Information
First Union Corporation ("First Union" or "the Company") submits this letter in response to the requests by each of the above regulatory agencies (collectively, the "Agencies") for comments on their proposed regulations (collectively, the "Proposals") implementing Title V of the Gramm-Leach-Bliley Act ("GLB Act").
First Union is a diversified financial holding company with approximately $253 billion in assets and financial center offices in approximately 41 states. Through its bank and non-bank subsidiaries, First Union is a leading provider of a wide variety of financial services to approximately 16 million retail and corporate customers throughout the nation. Many of the Company's services are also available by telephone, through a large network of automated teller machines and the Company's website, www.firstunion.com.
First Union recognizes the difficulty faced by the Agencies in attempting to craft regulations within the rather broad legislative mandate and the stringent deadlines of the GLB Act. We are also mindful of the expectation that the Proposals will elicit a large number of detailed comments from a wide variety of constituencies. Further, First Union representatives have participated actively in the development of comments by many of the industry organizations of which the Company is a member, such as the Securities Industry Association and the Investment Company Institute. We therefore do not believe it would be helpful to the Agencies to merely reiterate wholesale the points made in those submissions. We note the particularly detailed and thoughtful letter submitted by VISA, U.S.A., Inc. and commend each of the Agencies' staffs.
There are, however, some overarching concerns which transcend differences among affected industries and are worthy of repetition by individual companies such as First Union.
The Need for Uniformity and Simplicity
We commend the Agencies' efforts, which have been largely successful, to comply with the GLB Act's mandate that they develop substantively uniform definitions and standards. We strongly encourage each of the Agencies to build on this exemplary cooperation and focus on material differences among their respective Proposals with an eye toward eliminating or harmonizing these differences in the final regulations.
Negative consumer and competitive effects will result from inconsistent regulations. First Union's market research has consistently demonstrated the fundamental consumer expectation that information of the type covered by the GLB Act will be treated as confidential, regardless of the type of entity to which it is disclosed. A large percentage of consumers deal with multiple "financial institutions". As such, consumers have a reasonable expectation that the appropriate treatment will be accorded their private financial information by any company to which it is given. It will be difficult and confusing for customers to understand the nuances of different rules among different sorts of "financial institutions".
Among diversified financial services providers, of course, a requirement that personnel follow different rules for different affiliates also increases the risk of errors.
First Union also urges the Agencies to carefully consider the impact their decisions will have upon the "user friendliness" of disclosures. Various legally-mandated disclosures are already an inherent part of virtually any transaction between a financial institution and a consumer. The GLB Act's required disclosures will thus be competing with these other disclosures for the consumer's attention. By keeping the required content both simple and limited, the Agencies can help ensure that consumers don't routinely disregard or discard the GLB Act notices.
First Union supports the concept of informed consumer choice with regard to many types of information sharing with third parties. Recent news stories of unauthorized sharing of information have raised both consumer awareness and concern. However, forcing First Union and the thousands of other companies affected by the GLB Act to unduly rush development and implementation of strategies for compliance will do little to meaningfully respond to this heightened concern and much to engender errors which will only serve to erode consumer trust. Other foreseeable outcomes of an unrealistically aggressive timetable will be a reduced ability of institutions to adequately train employees and test the essential operational and systems changes which compliance with the GLB Act will require.
It may be argued that compliance by the November deadline is merely a matter of financial institutions' committing adequate resources to the task. There is, however, a significant convergence of factors that is entirely beyond the institutions' control, namely the advent of the winter holiday season and its concomitant huge increase in mail volume. Although the mailing of the annual notice can be timed to avoid the holiday mailing season for 2001 and after, the initial notice mailed in 2000 will clearly come up against at least the early stages of the year-end rush.
While First Union is mindful of the congressional mandate and public demand for increased privacy protection, we believe the inclusion in Section 510 of the GLB Act of specific regulatory authority to set a different effective date signifies Congress' awareness of the concerns summarized above. We urge the Agencies to consider either a reasonable extension of the effective date or at least a "voluntary compliance" period of 12 months with respect to existing customers. For existing customers, the Proposals require financial institutions to provide the Section 503 privacy notices within 30 days of the effective date of the final regulations. This 30-day transition period is simply too short a time frame for financial institutions to provide Section 503 privacy notices to all of their existing customers, with many of whom they do not regularly correspond.
Joint and Representative Accounts
The final Rule should make it clear that if there is more than one party to an account, a financial institution is required to provide only one copy of the initial Section 503 privacy notice to the parties at the address specified by the parties for the account, or to the individual personally present at the institution or otherwise initiating the new customer relationship. Similarly, where the relationship requires an annual privacy notice, only one such notice should be required and that notice should be provided to the address specified for the relationship. This clarification is entirely consistent with other federal consumer protection regulations, such as Regulation Z and Regulation E, which generally require that only one set of disclosures be sent to the parties to the account. Likewise, a financial institution should be required only to provide the Section 502 opt-out notice to one party to the account.
Further, even where a financial institution provides the Section 502 opt-out notice to one party to the account, the financial institution should be prepared to honor an opt out from any party to the account. Nonetheless, the final Rule should provide flexibility to financial institutions with respect to how opt-out notices are provided to, and received from, the parties to a joint account. For example, if a financial institution is willing and has the operational capability to do so, it should be allowed to give joint account customers the opportunity to exercise different options, so that one customer might elect to have nonpublic personal information regarding that customer shared with third parties, while the other customer elects to opt out of such sharing.
Finally, First Union urges the Agencies to state clearly that all required notices will be deemed effectively given if delivered to a custodian or other party holding an account (e.g., a minor's or "in trust for" deposit account) on behalf of another individual.
Timing of Initial Privacy Disclosure
Section 503(a) of the GLB Act requires the initial privacy disclosure to be given "at the time of establishing a customer relationship," and not "prior to" as proposed in Section 4(a)(1). We are concerned by the Agencies' adoption of a significantly more burdensome rule and urge that the "at the time" standard be retained.
The proposed "prior to" standard, tempered only by the two narrow exceptions (for oral agreements and portfolio sales) is too restrictive. Privacy disclosures, unlike most required disclosures, will apply to multiple business lines, and may therefore be given to customers who normally do not receive periodic notices or statements, as well as to certain non-customers. We believe an inflexible "prior to" standard is unreasonably restrictive and will only serve to inundate customers with multiple mailings as well as create a risk of at least technical noncompliance, particularly in connection with on-line, telephone and other automated forms of banking.
The GLB Act sets forth the general principle that a bank's privacy policies should be one of the factors to be considered when a consumer obtains a financial product or service. Therefore, a disclosure should be provided at the inception of the relationship, as determined under applicable state or other law. This is the same general principle applicable to other disclosures required by other consumer protection statutes (e.g., the Truth in Lending Act/Regulation Z's "at or before consummation" standard).
Content of Initial Disclosure
Section 503(b) of the GLB Act requires disclosure of categories of information collected and persons to whom information is disclosed. We believe the Act's intent was that individuals receive a meaningful but concise list of general categories rather than a detailed "laundry list". Indeed, this premise seems self-evident when one considers non-customer ATM users and cashier's check purchasers. It seems extremely unlikely that Congress intended such persons to receive anything more than a concise privacy disclosure.
First Union believes the Agencies have ignored the GLB Act's clear intent, however, by requiring the listing of the sources of information collected and examples of information disclosed, and by prohibiting use of general terms. Aside from the fact that this formulation appears to exceed the Act's statutory intent, we believe it will only result in a more extensive set of disclosures with no concomitant value of the information conveyed to consumers.
The Agencies propose to require customer agreement as a condition to using electronic disclosures. This raises the same practical concerns regarding conflicting state laws which banks, particularly those which operate in more than one state, have raised in connection with the Federal Reserve Board's pending electronic disclosure proposals. We ask the Agencies to review those earlier comments and, at a minimum, adopt a federal test of what constitutes adequate customer agreement.
Alternatively, we ask the agencies to consider eliminating the agreement requirement altogether. If a consumer is obtaining a product or service through the Internet and has provided an email address, then very little additional consumer benefit is achieved by seeking consent to deliver a disclosure electronically. Rather, consent should be assumed and physical delivery of the disclosure can be provided upon request.
We also note some confusion with Sections 4(d)(4)(i)(C) and (D), which require consumers to acknowledge "receipt" of the disclosure given through a web site or an ATM. As to a web site, receipt might mean that the disclosure is downloaded, printed, or simply acknowledged with a click. We believe that as long as the consumer cannot bypass the disclosure page, the initial disclosure requirement is fulfilled. The consumer is still free to print or download the disclosure on a web site.
The GLB Act itself does not clearly distinguish the Section 502(b)(2) exception (that includes joint marketing agreements) from the key general exception under 502(e)(1), which is generally understood to refer to third parties on whom banks rely for core processing and other services. Section 502(b)(2) information sharing is subject to heightened disclosure requirements. We believe the unfortunate use of the phrase "services for or functions on behalf of the bank" in this section was not intended to cover the 502(e)(1) processing exception, which poses minimal privacy concerns. The Regulations should state clearly that the heightened requirements set forth in Section 9 and elsewhere apply only to information disclosures incident to marketing activities and not to Section 10 services and processing activities.
Disclosure of Account Numbers
The Proposals restate the GLB Act's prohibition against the disclosure of account numbers and the like for marketing purposes. However, the final Regulations should provide that a consumer may consent to such a disclosure. Also, encrypted or otherwise "disabled" account numbers (i.e., any "number" which, as disclosed, cannot be used to access the customer's account) should be exempted from the general prohibition.
Need for An "Inadvertent Error" Provision
The GLB Act and the Regulations impose significant additional responsibilities and burdens upon all financial institutions. However, while a small community or regional bank or an independent securities brokerage can in most cases implement a system which results in a high confidence level of near-perfect compliance, the complexity of managing customer information within an organization the size of First Union or larger makes occasional inadvertent errors a distinct possibility.
First Union therefore urges the Agencies to adopt provisions absolving a financial institution from liability, provided that adequate policies, systems and procedures designed to avert such errors are in place and further provided that the institution corrects the underlying problem promptly following its discovery. A similar provision is found in Section 202.14(c) of Federal Reserve Regulation "B". To the extent errors of disclosure or improper sharing of information occur solely as a result of inadvertence and in spite of apparently adequate systems designed to prevent them, the institution should have no liability, provided it promptly corrects the underlying cause.
First Union hopes the Agencies will find its comments to be constructive and useful and thanks each of the Agencies again for the opportunity to communicate its concerns and suggestions.
FIRST UNION CORPORATION
William H. Finlay
V.P. and Assistant General Counsel