Effective Financial Privacy Notices
Dear Sir or
The Independent Community Bankers of America (ICBA)1 commends
the federal agencies for holding a forum to discuss the effectiveness of financial privacy
notices. We also appreciate the opportunity to offer comments on some of the issues raised
and hope the dialogue will continue.
The final privacy rules established under Title V of the
Gramm-Leach-Bliley Act (GLBA) require that privacy notices be clear and conspicuous.
However, some consumer advocates complained that the initial notices were confusing and
misleading. Others contended that some companies went out of their way to obscure the
ability to opt out. To address these and other issues, the Federal Trade Commission (FTC)
took the lead in organizing this forum as the beginning of an ongoing dialogue on privacy
At the forum, representatives from the banking industry
affirmed the extensive work banks undertook to comply with the new requirements, sending
out millions of notices to customers. While bankers made every effort to produce notices
that were as comprehensible as possible, including meeting with consumer focus groups and
getting reaction from bank employees and friends, consumer representatives argued that the
resulting notices were overly long and complex. In response, bankers pointed out that the
complexity was caused by detailed statutory and regulatory requirements as one
banker said, 'it was like fitting the bank's Cinderella foot into the unforgiving
Gramm-Leach-Bliley glass slipper.'
Among other issues, the agencies have asked for comment on
the challenges associated with providing effective privacy notices, the formats most
effective for communicating information on privacy, and other matters related to privacy
notices required by GLBA.
Community banks have now developed privacy notices to comply
with the statutory and regulatory requirements. The many challenges involved with
developing the first round of privacy notices have been addressed and procedures are now
in place. While there may be some "fine tuning," community bankers do not expect
major changes to the procedures they have established.
One of the challenges that community banks report
confronting, though, is a problem with customer confusion about opt-out. Many community
banks only share information as permitted by law and therefore are not required to offer
their customers an opt-out option. However, reports in the media and comments by consumer
activists have caused some consumers to mistakenly believe that all financial institutions
must offer an opt-out right. As a result, community bank customers sometimes deliver an
opt out form that they have obtained from the Internet or otherwise when the bank does not
have a mechanism for opting out because it is not required to offer one. Guidance is
needed on how banks should handle such situations (conflicting guidance was presented
during the forum). It also would be useful if the federal agencies would help correct this
popular misconception and explain that not all banks must offer an opt-out right. And, it
would help if the agencies assured the public that financial institutions share
information in ways that benefit consumers. One excellent example is how reporting
information to credit bureaus makes credit more easily and inexpensively available.
However, it is critical that the public understand that not all information sharing is bad
and that not all banks share information in a way that requires an opt-out right.
Another useful step would be to develop a short form privacy
notice. As noted at the forum, the great majority of individuals do not seem concerned
about all the details that are currently required for privacy notices. A short-form notice
could incorporate references to more detailed information about a bank's privacy policies
and procedures for those customers that want that detail. A short form would be more
easily understood by the great majority of bank customers while addressing many of the
criticisms that consumer activists have raised. Keeping notices simple also would be less
confusing to customers and less burdensome for financial institutions.
The ICBA also recommends that the regulatory agencies develop
a set of "best practices." This would provide guidance for both bankers and the
public and might facilitate understanding of the privacy requirements. However, if
"best practices" are issued, it should be made clear that the requirements are
not mandatory and do not set standards for examinations by supervisors. While most
panelists at the forum urged banks to issue privacy notices in plain language that steers
clear of jargon, it is also apparent that some of the jargon results from GLBA
requirements, so guidance in the form of "best practices" would be useful. The
ICBA also agrees with panelists that recommended clearly defined terms so that everyone
understands what is meant, including what is meant by "privacy."
Recently, the banking regulators issued a set of frequently
asked questions to address some of the issues that have arisen since the privacy
regulations were issued. However, many questions still exist, and the ICBA urges the
agencies to continue to refine and expand this guidance. For example, one area where
guidance from the regulatory agencies would be especially beneficial would be how the
joint marketing exception applies and when the joint marketing exception differs
from the servicing exception.
Finally, the ICBA urges the federal agencies to develop
consumer education materials to help the public understand the Gramm-Leach-Bliley Act
requirements. It would also help if education materials outlined the benefits that can
come from information sharing. And, education materials should stress the important steps
that consumers can and should take to protect their information from identity theft. And,
education materials might offer guidance and contact information on how consumers can get
themselves removed from telemarketing lists and how to contact credit bureaus.
The ICBA looks forward to a continuing dialogue with the
federal agencies to continue to develop effective privacy notices. Should you have any
questions or need any additional information, please contact Robert Rowe, ICBA's
regulatory counsel, at 202-659-8111 or firstname.lastname@example.org.
Thank you for the opportunity to comment.
Robert I. Gulledge