|Re: GLB Act Notice Workshop
Dear Mr. Clark:
On behalf of the New Hampshire Bankers Association (NHBA), a
state banking trade organization, we are submitting the attached comments/responses to
questions posed by certain Federal regulators in the September 24, 2001 Joint Notice
Announcing Public Workshop and Requesting Public Comment regarding the challenges and
strategies for providing effective notice under the Gramm-Leach-Bliley (GLB) Act.
By way of background, most of the NHBAs 39 bank members
are small community banks (having less than $500MM in assets). From a GLB perspective, all
of these banks share customer information pursuant to §§14 and 15 of GLB, some share
customer information pursuant to §13 with service providers or joint marketers (usually
for credit cards, securities or insurance products), and almost all NHBA members do not
share customer information outside of the GLB exceptions with nonaffiliated third parties.
Most of the NHBAs member banks find that the current privacy notice has no practical
significance with customers because the banks often do not share outside of the GLB
exceptions, and therefore, there are no opt-out procedures to be followed.
As regulated entities, we accept the regulatory burden of
complying with GLB and we have an intense interest in ensuring that the process of privacy
notices works well for customers and for banks. Financial institutions rely on trust for
differentiation from other providers of services. We support the concept of the privacy
notice, and we reject any idea that results in confusion among customers as being
ineffective toward our ultimate trust goal.
Generally, we support four major concepts in the evolution
towards effective GLB privacy notices:
- Notices to customers should be understandable and effective;
- Notices should include a component of uniform and comparable
- Notices should be provided using cost-effective delivery
- Notices should reconcile the varying state and federal privacy
notice requirements so as not to undermine the basic objectives of GLB.
We have considered and responded to each of the questions
posed in the Request for Comment in the attached materials.
Thank you for the opportunity to express our views.
Very truly yours,
Gerald H. Little, President
New Hampshire Bankers Association
1. What challenges are associated with providing
effective privacy notices?
- The regulations, model clauses, and consumer advocate
complaints do not appear to recognize that some banks do not share outside of the GLB
exceptions and therefore are not required to (nor would it make any sense to) provide an
opt-out procedure. Any suggestion that every financial institution should disclose that it
"can share information unless the consumer tells it not to" does not address
this concern because it assumes that all entit ies share outside of the exceptions and
therefore must provide a GLB opt-out. We would like to see a positive or negative
statement required that indicates that the financial institution either does or does not
share outside of the GLB exceptions.
- For smaller banks especially, the relative cost of providing
an annual mailing to all customers is excessive. There is no meaningful reason for a bank
to provide a privacy notice to its customers every year if its privacy practices have not
changed and the bank has no opt-out procedures. If the privacy notice is posted on a
banks website and in a banks lobby, the option should be available for banks
to avoid the required annual re-mailing. Furthermore, the option to email privacy notices
(using E-SIGN procedures) to new and existing customers should be made available.
- While it is logical that the privacy notice provided to
customers should address all privacy policies affecting customers, every bank must contend
with the privacy laws of the state(s) in which it has branches because of the federal
floor doctrine. Additionally, most banks have customers who are residents of other states,
each with its own privacy laws. It becomes a confusing morass when trying to reconcile
multiple state laws in which a bank has branches, or in which it currently has customers
or may in the future have customers. Clear guidance is needed for this situation.
The practical effect on a bank that operates and has
customers in many states is that it is inefficient to attempt to comply with various state
notice requirements for opt-in, especially if the bank has a relatively small number of
customers in that state. Rather than attempting to comply with various opt-in notice
provisions, it is simply more efficient for the bank to not share customer information
with the threshold entities (i.e., third parties, affiliates, etc.) as determined by that
states laws and, therefore, not be required to provide opt-in notices to customers
in that state. The bank, in effect, pre-sets an indicator for all customers in that
particular state to "opt-out."
- "Shorter and clearer is better." We agree with many
of the participants in the "Get Noticed" Workshop that the notices need to be
shorter and more concise. We recognize that the GLB Act has specific notice requirements
(such as all the elements listed at 12 CFR 40.6) that may run counter to that goal.
However, we support a uniform, summary-style "disclosure block" that provides
information that is comparable between financial institutions. We especially support this
idea if one of the comparing statements is; "Does the financial institution share
customer information outside the GLB exceptions?" The problem with using that exact
language, though, is that customers do not know or care what the GLB exceptions include.
- We are still awaiting guidance from the FDIC and the other
federal regulators on previously raised issues of incompatibility between GLB and the
federal Fair Credit Reporting Act (FCRA) requirements as they relate to GLB §13 sharing
with joint marketers. The resolution to this issue most likely will affect the language
needed in the privacy notices.
- With respect to online privacy notices, more data gathering
and sharing is possible in an online environment. Issues unique to the online environment
encryption used, the security features of the system to ensure that data is indeed kept
private from third parties, etc. Guidance is needed from federal regulators with respect
to whether a single privacy notice or supplemental online privacy notice can be used.
- Customers do not understand the highly defined terms used in
privacy notices. Many customers believe that sharing with a joint marketer pursuant to the
requirements set forth in GLB §13 is the same as sharing with a non-affiliated third
party outside of the GLB exceptions. It is difficult for a bank to follow the law without
appearing to mislead customers in this situation.
- When customers receive excessive privacy notices, the notices
become irrelevant and customers do not read them. The process of providing notices and the
contents of the notices must be relevant to customers or we have missed the goals of GLB
and the Fair Information Practices.
2. What are some examples of privacy notices that are
easy to read and understand and that can serve as models for effective communication to
consumers? What formats are particularly effective?
- We support the idea of a shorter, easy-to-compare summary
disclosure followed by fully descriptive text. The work product of entities such as The
Center for Information Policy Leadership at Hunton & Williams seem to be on track for
developing a good solution.
- We do not believe that the "P3P" format of Internet
Explorer 6 will dovetail easily or appropriately with the GLB law.
- Although the idea of using the "food label"
disclosure promoted by groups such as the Privacy Council is a step in the right direction
concerning simplicity and uniformity, but we believe the Hunton & Williams-type
disclosure will be better because it parallels the GLB Act and better addresses financial
institution concerns. However, both disclosure types must address the small bank concern
of highlighting banks that do not share outside the GLB exceptions.
- We generally encourage the work product of groups such as
TRUSTe and its privacy symbols and labels initiative to date for web sites. However, we
are concerned that many banks are not yet ready to provide access and modification
services to customers yet. Since that is not required under GLB, the "access"
section should be an optional piece of information in the format. We support the goal for
banks to be able to provide access and modification of personal data to customers in the
3. What can we learn from readability and
communications experts that will help financial institutions draft notices that are easy
to read and easy to find?
- We support the idea of a short-summary, uniform
"disclosure box" for easy location of the information and comparison between
financial institutions privacy policies.
4. Are any industry groups developing self-regulatory
guidelines or "best practices" regarding GLB privacy notices and reasonable
opt-out methods? Are there useful models or guidelines from other contexts, such as online
privacy, that could provide guidance here?
- The American Bankers Association has provided several helpful
- Financial Privacy Toolbox;
- ABA Privacy Communication Kit; and
- Identity Theft Communication Kit.
- We support the ideas set forth in these documents and
encourage integration of these concepts in all financial institutions.
- As stated above, we believe the privacy notices should be
simplified from those based on the model language in the regulation as made available in
the above-mentioned guidance documents.
5. Have individual financial institutions or
industry, consumer, or privacy groups developed effective business and consumer education
materials regarding GLB privacy policies? Would it be useful for the Agencies or others to
develop additional consumer and business education materials regarding GLB privacy
- We encourage the work of groups such as the Center for
Information Policy Leadership at Hunton & Williams in developing a comparable
short-form notice linked to a full text notice.
- We also encourage the use by financial institutions of the
various additional consumer information materials available through, among others, the
American Bankers Association, the Federal banking regulators, and the Federal Trade
Commission in educating consumers about identity theft, credit report management, avoiding
fraud and general consumer financial awareness and literacy.
- The federal banking regulators recently released
Frequently Asked Questions for the Privacy Regulation document is very helpful and
addresses many of our other concerns.