ASSOCIATION OF FINANCIAL SERVICES HOLDING COMPANIES

March 31, 2000

Re: Proposed Regulations on Privacy of Consumer Financial Information

Dear Sir or Madam:

The Association of Financial Services Holding Companies ("Association") appreciates the opportunity to submit comments on the above-captioned proposal published February 22, 2000 (65 FR 8770) implementing subtitle A of title V of the Gramm-Leach-Bliley Act ("Act"), Public Law 106-109, November 12, 1999. The Association is a non-profit trade organization made up of holding companies that control federally-insured banks, savings institutions and limited purpose institutions, as well as a variety of nondepository affiliates. The Association is incorporated in the District of Columbia and has its principal place of business in Washington, D.C.

1. Definition of "nonpublic personal information" and "personally identifiable financial information."

The definition of "personally identifiable financial information" in § ___.3(o) is inconsistent with the Act's definition in section 509(4)(A), which states that "nonpublic personal information" means "personally identifiable financial information": (a) provided by a consumer to a financial institution; (b) resulting from any transaction with, or services performed for, the consumer; or (c) otherwise obtained by the institution. (emphasis added)

Section ___.3(o) provides that "personally identifiable financial information" means any information about the consumer obtained by the institution by one of the above three means. The Association recommends that the final regulations be amended to clarify that "financial information" is information that relates to the consumer's financial condition, for example, information relating to assets, liabilities, income, average balances, and types of accounts. The fact that a person is a customer of the institution, for example, and the customer's name, address, telephone number and occupation are not financial information.
Our position on this point is buttressed by the following colloquy during Senate debate on S. 900 between Senator Allard (R-CO) and Senator Gramm (R-TX), Chairman of the Senate Banking Committee:
(emphasis added)

This legislative intent could be incorporated by an amendment providing that § ___.9(o) read, in relevant part, as follows (new language in bold):

(o)(1) Personally identifiable financial information means any financial information: (i) provided by a consumer to you . (ii) Personally identifiable financial information does not include a list of names and addresses of customers of a financial institution or of an entity that is not a financial institution.

This amendment, coupled with the adoption of Alternative B, which gives effect to the plain meaning of "publicly available information," and with conforming amendments throughout the proposal, would conform the meaning of "personally identifiable information" as used in the proposal to that intended by Congress.

With respect to the definition of "nonpublic personal information," the Association recommends that the definition exclude depersonalized data.

2. Definition of "customer" and "consumer."

The Association supports the examples in § ___.3(i)(2)(ii) of isolated and other transactions that do not result in a continuing relationship with the institution. The agencies, however, should add language to make it clear that these examples are not exclusive.

3. Exemptive authority under section 504(b) of the Act

Section 504(b) of the Act provides that, in writing regulations implementing the Act, the agencies may include such additional exceptions to subsections (a) through (d) of section 502 "as are deemed consistent with the purposes of this subtitle." Following are the Association's comments on two proposals that fall within these subsections.

A. Disclosures under section 502(b)(2) of the Act

Section 502(b)(2) provides that institutions that share nonpublic personal information with unaffiliated third parties are not required to provide an opt out notice to consumers with respect to information shared with such parties that provide services for or perform functions on behalf of the institution ("service providers"), including the marketing of the financial institution's own products or services or financial products or services offered pursuant to a joint agreement between two or more financial institutions. To avail itself of this option, the institution must "fully disclose" to the consumer the providing of such information, and must enter into a contract with the third party that requires the third party to maintain the confidentiality of the information.

In proposed § ___.9, the agencies construe the statutory phrase "fully disclose" to mean the initial privacy notice required by § ___.4. Section ___.8(c)(1)(i) and (ii) requires an institution that provides nonpublic personal information to an unaffiliated third party not described in the initial notice to send a revised notice to the consumer with a new opt out notice. While these sections do not specify that a change in a § ___.9 service provider requires a revised initial notice, §§ ___.8 and ___.9, considered together, can be read to require a revised notice in the case of a change in a service provider under § ___.9, even though no opt out notice is required to be sent with this notice. This requirement would result in substantial expenses for institutions that change service providers and would provide no discernible benefit to consumers. A notice requirement would impose a burden on all institutions that outsource services, ranging from smaller and medium sized institutions that typically outsource numerous functions to large institutions with customers numbering in the tens of millions.

We believe this burden can be relieved by the following changes in these two sections:

1. Permitting institutions to provide a brief statement in their initial notice along the lines of "We share information with companies that perform services for us relating to your accounts with us, and these companies may change from time to time. We enter into a contract with each of these companies requiring them, as provided by law, to maintain the confidentiality of this information and to use it only for the purposes for which this information is disclosed.";

2. Amending § ___.9 to clarify that new notices are not required to be sent to consumers for a change in service providers covered by that section; and

3. Amending §§ ___.4(a)(2) and (b)(1) by inserting "___.9" before "___.10" each time it appears therein.

B. Providing encrypted account numbers

Institutions sometimes provide encrypted customer account numbers to third parties in accordance with a joint marketing project. This practice ensures that purchaser billing information provided to the institution by the third party for orders received is accurate. This practice does not compromise any information relating to the consumer, since the third party may not use the consumer's account number for its own marketing or other impermissible activities. The agencies request comment on, among other things, whether an exception to the prohibition in section 502(d) of the Act, which prohibits direct access to consumers' accounts, is appropriate. The comments in the Conference Report to S. 900 (H. Rept. 106-439, p. 173), which is quoted in the preamble, clearly indicate that the conferees contemplated section 502(d) to permit sharing of encrypted account numbers. This practice was referred to during the Senate debate on S. 900 in the following colloquy among Senators Gramm, Bennett (R-UT) and Hagel (R-NE).
In addition, the language of section 502(d) itself does not bar the use of encrypted account numbers. That section provides as follows:
In the transactions referred to above, third party marketing vendors are provided encrypted account numbers without a decryption key. An institution that provides encrypted account numbers in this manner is providing neither an "access number" nor an "access code" as these terms are used in the statute.

4. Trust accounts

The agencies request comment on how the opt out right should apply to commingled trust accounts where a trustee manages a single account on behalf of multiple beneficiaries. We recommend that the final regulations make it clear that trust beneficiaries are neither "customers" nor "consumers" under Title V, so long as the institution has a policy in place stating that it will not share nonpublic personal information about beneficiaries with unaffiliated third parties, other than such parties that are referenced in ___.10 and ___.11, and third parties referred to in § ___.9 that perform services for or perform functions on behalf of the institution. Trust beneficiaries are persons who generally do not select the institution that administers the trust and are even farther removed from a relationship with an institution than persons who engage in occasional isolated transactions with the institution, such as using the institution's ATM.

In addition, some personal (as opposed to commingled) trust arrangements confer benefits on beneficiaries, or remaindermen, whose rights may not vest for several years after the creation of the trust. In some cases, the identity of these persons is not known at the time the trust is created. Even if the identity of the contingent beneficiaries is known, the grantor of the trust may not want these persons to be advised of their rights.

If an institution intends to share nonpublic personal information about trust beneficiaries with unaffiliated third parties other than those referred to above, then its responsibilities with respect to the beneficiaries whose information would be disclosed would be the same as its responsibilities to "consumers."

6. Definition of "financial institution."

Section 509(3)(A) defines a "financial institution" as an institution the business of which is engaging in financial activities described in section 4(k) of the Bank Holding Company Act of 1956. The banking agencies' definition, at §___.(j)(i), describes these activities as including activities that are "financial in nature" or "incidental to such activities," as described in section 4(k). The FTC's definition does not include activities that are "incidental" to financial activities, and the agency requests comment on several aspects of the definition of "financial institution" (65 FR 11174-11177, March 1, 2000), pointing out that:

We believe it is critical that the agencies harmonize their definitions of "financial institution" so that companies other than insured depository institutions that are in the same lines of business will be subject to the same rules irrespective of the agency under whose jurisdiction they fall. We believe the narrower FTC definition is preferable to that of the banking agencies because it provides a greater degree of certainty. We further recommend that all of the agencies consider narrowing this definition even further by examining whether the functional descriptions of activities that are financial in nature in section 4(k)(4) of the Bank Holding Company Act would serve as a basis for a more workable definition.

The Association appreciates the opportunity to present these comments.

Very truly yours,

Patrick A. Forte

1. Congressional Record, November 4, 1999, page 13902 (daily ed.).
2. Congressional Record, November 4, 1999, page S13902 (daily ed.).