Metropolitan Life Insurance Company 1 Madison Ave. New York, New York 10010 March 31, 2000 Jonathan G. Katz Secretary Securities and Exchange Commission 450 5th Street, NW Washington, DC 20549 File No. S7-6-00 Gramm-Leach-Bliley Act Privacy Rules Dear Mr. Secretary: Metropolitan Life Insurance Company (MetLife) appreciates the opportunity to comment on the proposed privacy regulations required by Title V of the Gramm-Leach-Bliley Act (the Act). We recognize the effort put forth by the Securities and Exchange Commission (the Commission) to meet the requirements of the Act, including the expedited rule-making requirements of Title V, and congratulate you on your work thus far. As you know, state insurance regulators face a similar task in drafting regulations to implement the terms of the Act. We believe that state insurance regulators, among other things, will carefully consider the regulations developed by the Commission in the course of developing their insurance regulations, particularly as to variable life and annuity contracts which are also subject to regulation by the Commission. In addition, the Act provides for the federal agencies to consult with the state authorities designated by the National Association of Insurance Commissioners in the course of prescribing regulations. It is with this background that we submit our comments for your consideration. MetLife is a leading provider of insurance and financial products and services to a broad spectrum of individual and group customers. The company, with $418.8 billion of assets under management as of December 31,1999, provides individual insurance and investment products to approximately 9 million households in the U.S. MetLife is also the largest provider of group life insurance to corporations and institutions in the U.S., as well as providing pension and retirement savings plans to this market. MetLife is synonymous with reliability, accessibility and security. Our reputation is key because people put money into financial products to achieve distant goals that require a level of trust and experience that MetLife provides. This trust is based on both financial soundness and the relationship between the customer and MetLife. MetLife has traditionally treated information about its insureds as confidential and has a a long-standing privacy policy relating to the use of such personal information to MetLife. The policy was established voluntarily and was developed to reflect the reasonable expectations of insureds with respect to the confidentiality of personal information and MetLife's legitimate need to collect and use such information. It is this experience that we hope to bring to the discussion of the proposed rule. We will limit our comments on the specific sections of the proposed rule where clarification is would be desirable rather than attempting to comment on all the provisions and the various questions raised by the proposed rule. Where appropriate, we have included rule language or additional examples for your consideration. §248.2 Rule of Construction The proposed rule seeks input on the usefulness of the examples provided. The examples are very helpful in understanding the Commission's interpretation of the Act and the proposed rules. In some cases, examples of what is not covered provide the most insight as to the application of the Commission's view on the application of the underlying policy. The rule proposed by the Securities and Exchange Commission includes additional specific negative examples in several areas. The inclusion of some additional examples will improve the clarity of the proposed rule. §248.3(g) Definition of Consumer The definition of consumer includes "an individual that obtains or has obtained a financial product or service." from a financial institution. The examples indicate that in order to meet the definition, the individual must provide nonpublic personal information to the financial institution in connection with obtaining or applying for a financial product or service. By implication, an individual is not a consumer of the financial institution if that institution does not receive any nonpublic personal information on the individual. An example to make this point directly will add clarity to the proposed rule. An individual should not be considered a consumer simply because she received a payment from a financial institution. The payment of money is not obtaining a financial service. In addition, third party beneficiaries or payees under a financial product or other third parties who claim a benefit under a financial product purchased by a consumer from a financial institution are not themselves consumers because they have not obtained a financial product or service from a financial institution. They are merely claiming proceeds of a product that another individual has obtained. Third parties have no direct relationship with the institution. To clarify that such individuals are not consumers for the purposes of the rule we suggest adding the following example following §248.3(g)(2)(iv): "(v) An individual is not your consumer solely because you receive information regarding the individual: (a) in connection with a payment made to such individual; (b) in connection with a claim made by such individual; or (c) otherwise as a third party beneficiary, of a financial product or service that a consumer has obtained from you." The proposed rule provides examples that imply, and rightly so, that the individual must have a direct relationship with the financial institution to be considered a "consumer"under the proposed rule. For additional clarity, we suggest inserting the following example at §248.3(g)(2)(vi): "(vi) If you are an investment company, an individual is not a consumer for your purpose when the individual has an interest in shares you have issued only through the purchase of a variable insurance policy or contract" §248.3(k) Definition of Customer Relationship The proposed definition of a "customer relationship" would require the existence of a "continuing relationship." We believe that this approach expresses the intent of the Act and that, as such, it is important that the regulations provide guidance as to what constitutes a "continuing relationship." Considering the intent of the Act, necessary elements of a continuing relationship are: (a) a direct and ongoing voluntary relationship between the consumer and the financial institution; (b) privity of contract between the consumer and the financial institution; (c) direct communication between the consumer and the financial institution; and (d) control of the existence and duration of the relationship by the consumer and the financial institution, as opposed to control by a third party. For example, there are situations in which consumer's initial and continued eligibility for the financial product is contingent upon continued membership in a particular group - such as certain types of employee benefits (e.g., group life insurance) provided by an employer to its employees. In such cases, the relationship is not a true "voluntary" relationship since the consumer can generally only choose whether or not to accept the benefit that is being provided, as the employer generally offers only one alternative. The relationship is temporary and can be changed by the employer. Factors beyond the control of the consumer and the financial institution control the duration of the relationship. If the consumer leaves the group (as in the case where employment would terminate) the consumer's eligibility for the financial product will terminate. Generally, group contracts are issued on an annually renewable basis and the group has the opportunity to decide whether to maintain the group contract. The group often choose to contract with a different financial institution and to terminate the existing group contract, which terminates the individual's relationship with the financial institution. In these instances, we believe that there is no "continuing relationship." Accordingly, we propose adding an example to clarify that such relationships are not continuing relationships following §248.3(k)(2)(v): "(vi)You provide a financial product to the consumer, but you have not communicated with the consumer, have no direct contractual relationship with the consumer or the consumer's continued eligibility for such financial product is contingent upon continued membership in a group." §248.3 (t) Definition of Nonpublic Personal Information The proposed rule provides a definition of nonpublic personal information that is consistent with the express terms of the Act. This is preferable to the alternative definition proposed by several other federal agencies. The Act specifically states that nonpublic personal information "includes any lists, descriptions, or other grouping of consumers (and publicly available information pertaining to them) only when it is derived using any nonpublic personal information other than publicly available information . . .but shall not include [such information] that is derived without using any nonpublic personal information" (emphasis added). The definition proposed by the Commission includes information only when it is derived from nonpublic personal information. Accordingly, it is consistent with the express terms of the Act, while alternative definition offered by the other federal agencies contradicts the express terms of the Act. Moreover, we believe that the Commission's definition is preferable because no substantial privacy interest of a consumer is served by restricting the use of information that is publicly available. §248.3 (v) Definition of Personally Identifiable Financial Information The proposed rule defines nonpublic personal information as "personally identifiable financial information." The definition of "personally identifiable financial information" should be limited to information of or pertaining to a consumer's finances. The Act protects "nonpublic personal information." Nonpublic personal information is specifically defined as "financial information." The plain meaning of the term financial information is information of or pertaining to finances. Congress, by limiting the definition of nonpublic personal information to financial information, specifically excluded other types of information such as medical information, which is not information about or pertaining to a consumer's finances or financial condition. Clear evidence of Congress' intent is reflected in the fact that amendments, which would have brought medical information within the scope of the Act, were considered and not included. Applying the regulations to information other than financial information in the scope of these regulations would be beyond the scope of the Act. Accordingly, we recommend that §248.3(v)(1) be revised by replacing "information" with "financial information". Additionally, a new definition for "financial information" should be added to §248.3. We suggest the definition read: "Financial information means information of, or pertaining to, a consumer's finances, financial condition or financial qualifications." In addition, the examples found at §248.3(v)(2) should all be revised so that the term "information" is replaced with the term "financial information". The example at §248.3(v)(2)(i)(A) should be further revised by striking "including, among other things, medical information." §248.16(b) Notice requirement for consumers who were your customers on the effective date. The Commission specifically asked for comments regarding the burdens associated with implementing these regulations as drafted. The proposal provides that initial notices must be provided to current customers within the 30 days following November 13, 2000. The December 13, 2000 deadline will result in a nationwide deluge of privacy notice mailings at the height of the 2000 holiday season. In addition, many institutions currently provide privacy notices to their customers and, in situations where these notices comply with the requirements of the final regulations, duplicate notices should not be required. We suggest striking the second sentence in §248.16(b) and inserting the following: "The initial notice, as required by §248.4, must be provided to consumers who were your customers on the effective date of this part as soon as reasonably possible, but no later than twelve (12) months after the effective date, except in those instances where a notice complying with §248.4 has been provided during the six month period immediately preceding such effective date. Such notice may be provided separately or in conjunction with any regularly scheduled mailing to the customer." Treatment of Dormant Accounts Most financial institutions have at least some customer relationships where the institution no longer has a "good" address and attempts to secure a current valid mailing address have failed. Requiring that notices be mailed to "bad" addresses serves no purpose and will simply increase the financial institution's administrative expenses, costs which are passed on to all customers. We suggest adding a new subparagraph following §248.16(b): "(c) Notwithstanding the requirement of §248.16(b), no initial notice need be sent to such existing customers for whom you only have a known bad address. An address is deemed to be bad if it is the last known address of record, if mail to that address has been returned as undeliverable and if reasonable attempts to obtain a current valid address for the customer have been unsuccessful." In addition, we suggest adding to §248.5 Annual notices to customers required the following new subparagraph: "(d) Dormant relationship. No annual notice need be sent to such existing customers for whom you have a known bad address. An address is deemed to be bad if it is the last known address of record, if mail to that address has been returned as undeliverable and if reasonable attempts to obtain a current valid address for the customer have been unsuccessful." Exercising the right to opt-out; Toll free telephone numbers: The Commission fails to allow the use of a toll-free number as a reasonable means by which a customer may opt-out. We believe that a toll free number may be the most accessible, convenient and "user friendly" means for our customers to elect to opt-out. We strongly urge the Commission to add an example at §248.8(a)(2)(ii) regarding toll free telephone numbers. Conclusion MetLife appreciates the opportunity to comment on the proposed rule. We share the Commission's commitment to protecting the privacy and security of the information that our customers share with us. If you have any questions regarding our comments, please contact Russ Iuculano, Vice President, Government and Industry Relations, at 202-659-3575. Sincerely, Vincent P. Reusing Senior Vice President