Sent: Friday, March 31, 2000 3:35 PM
Attached is testimony regarding Joint Notice of Proposed Rulemaking, Privacy of Consumer Financial Information
Contact person: Jennifer Davis Carey
March 31, 2000
Donald S. Clark, Secretary
Via e-mail: GLBRule@ftc.gov
Re: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 - Comment
Dear Secretary Clark:
This letter is written in response to the request for comment on the above referenced proposed Regulation P (Privacy of Consumer Financial Information) implementing the privacy provisions of the Gramm-Leach-Bliley Act (the "Act") by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System ("Board"), the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission (collectively referred to as "the agencies"). The Massachusetts Office of Consumer Affairs and Business Regulation ("Office of Consumer Affairs") appreciates the opportunity to comment on the proposed regulations.
The Office of Consumer Affairs is a cabinet level agency that oversees 9 state regulatory bodies including the Massachusetts Division of Banks ("Division") and the Massachusetts Division of Insurance. The protection of personal financial privacy is a major and longstanding public policy objective of Governor Argeo Paul Cellucci and Lieutenant Governor Jane Swift. The Cellucci/Swift Administration believes that financial privacy rights must be significantly strengthened at both the state and federal levels to protect against the unauthorized dissemination and fraudulent misuse of private financial data. The Act's authorization of inter-industry financial services company mergers and the current advanced state of information technology demand that adequate financial privacy protections be in place.
The Act's privacy provisions, however, do not go far enough to protect the legitimate privacy expectations of individuals particularly with respect to information sharing among corporate affiliates. The Cellucci/Swift Administration also believes that an "opt-in" rather than "opt-out" procedure is the only way to give individuals effective control over the sharing of private financial data. Consequently, the Cellucci/Swift Administration filed comprehensive, first in the nation, state level privacy legislation in 1999. A major legislative objective of the Office of Consumer Affairs is to assist the Cellucci/Swift Administration in securing swift passage of its privacy legislation.
The following comments are not an endorsement of the Act's limited privacy provisions. They are offered in order to have the agencies' regulations provide the fullest consumer privacy protections to the extent permitted by the Act's narrow scope. Comments are presented with reference to the sections of the proposed regulation in the areas of protected information; consumers and customers; and specificity in required notices.
The Office of Consumer Affairs favors the broader interpretation of "financial" as reflected in the proposed section 3 that would include, in part, any information provided with an application for a financial product or service and the information resulting from obtaining said product or service; and also would include in the jurisdiction of the regulation institutions that conduct business that is financial in nature. The rationale, in part, is the perception of the customer or consumer. Information presented by these individuals for the purposes of obtaining a financial product or service or resulting from same is considered in its entirety as directly related to their financial information and the expectation is that all information will be treated the same for purposes of privacy.
The expectations of privacy of the individual with the broad interpretation of "financial" would be more consistent with the Alternative A proposal for the definition of "Nonpublic personal information" under this same section. This proposal makes a distinction that information that would be available from public sources but was in fact obtained from the individual would be considered "nonpublic personal information" for purposes of the regulation. Because of this distinction, the individual would have an opportunity to "opt out" which would be consistent with their understanding of the nature of the information and any release of information from the financial institution would strongly imply that a customer relationship exists. Alternative B would permit the disclosure of certain information that is publicly available, even if it was not obtained from public sources, including a list derived without using personally identifiable financial information. However, as the definition of "personally identifiable financial information" includes the existence of a customer relationship, it is unclear that there is a benefit to the institution in this alternative or even when the exception would be utilized as no example was offered. The increased protection to the individual by expanding their "opt out" options and ability to make an informed choice appears clear and the Office of Consumer Affairs supports Alternative A given this position.
The Office of Consumer Affairs recommends that the Federal Reserve commit to reviewing the definitions of "financial institution" and "financial product or service" within a year after the effective date of the regulations. We recognize that the definitions track the statute closely. However, because the definitions are somewhat vague, a review of how effective these definitions work in practice is warranted.
The Office of Consumer Affairs found after a review of sections ___.09 and ___.12, with regard to service providers and joint marketing initiatives that clarification is required. Section ___.09 provides that a financial institution can provide nonpublic personal information to nonaffiliated third parties to perform services or functions on behalf of the financial institution, which can include joint marketing of products or services. This section would allow the transfer of otherwise "protected" information to accomplish a goal of the financial institution. The fact that a third party was utilized should not hinder this financial institution's ability to function as it would individually. However, nonpublic personal information would now be in the possession of the nonaffiliated third party and the disposition of this information is a concern. Section ___.9(a)(2)(ii) would appear to address this concern adequately by limiting the use of the information to the joint marketing project at hand. The previous subsection, ___.9(a)(2)(i), requires confidentiality use only to the extent that confidentiality is required of the original financial institution. This would imply that the nonaffiliated third party could now use the information provided for, in part, a separate joint marketing agreement that did not include the initial financial institution or with its own affiliates. Section ___.12 also lends itself to this interpretation as it utilizes the language that the receiver of the information can reuse the information without the consumer's or customer's ability to "opt out" to the same extent that the originating financial institution can if made directly. It is understandable to facilitate the efficient delivery of products and services to omit servicing agreements from the "opt out" provisions. 
However, the regulation should clearly limit the use of, at minimum, the personally identifiable financial information, to execution of the agreement for which the information was provided. To not limit the reuse of such provided information would weaken the protections of the regulation.
Consumers and customers
The definition and related examples clarify the distinction and justify the disparate treatment. Protections are afforded to both groups, with disclosures triggered appropriately. The duration and evaluation of the "customer relationship" is important as it directly affects the right to receive annual notice of the privacy policies of the financial institution. The definition of "customer relationship" found in section ___.3 includes an individual who possesses a credit card, home equity line of credit, or other open-end credit product. However, section ___.5(c)(2)(iii) would allow the financial institution to terminate the classification of these accounts as customer relationships, and therefore discontinue annual notice, if statements or notices are no longer provided. Under the relevant section of Regulation Z, statements are only required to be provided when there is activity on the account. This section does not appear to limit how long the account must be "inactive" in order to lose its status and may subject customers who reasonably believe they have an ongoing relationship by virtue of their continued access to this line of credit to a loss in disclosure rights. The regulation should clarify that the status of the account for purposes of privacy disclosures should be consistent with the financial institution's disclosed policies regarding continued access.
Section ___.5(c)(2)(i), with regard to deposit accounts, states that the relationship is discontinued if the account is dormant under the bank's policies. A more consumer protective approach would be to consider the relevant state law for purposes of consistency. Any description of determination of dormancy should be clearly stated in the initial disclosures and any annual disclosures.
Specificity of Required Notices
As described above in the discussion of "customer relationship", the discontinuation of this relationship means no annual notices are required but the information is still subject to the financial institution's use. Provided this individual did not exercise "opt out" instructions before the relationship ended, the protections afforded by the regulation could be diminished. Any initial disclosure and annual notice should alert the customer to the effect of the discontinuation of the relationship.
The notice should be segregated from any other notices or disclosures that may be provided at the same time. The regulation allows, for the most part, that the financial institution only classify information about affiliates, nonaffiliated third parties that may be contacted, and information collected and disseminated only in terms of categories under section ___.6. This would tend to provide a greater scope for the individual to consider when making an "opt out" decision, as the implication is that all information is on the table to all types of entities. Specificity would not necessarily increase clarity or further the goal of consumer protection in most areas. However, with regard to the financial institution's affiliates and the customer's inability to "opt out" of the sharing of certain information with these parties, the specific disclosure of these parties should be considered. A financial institution, at the time of the required disclosure, is aware of which entities are affiliates and providing this information should be required in order for the individual to make the most informed decision. The Fair Credit Reporting Act at section 603(d)(2)(A)(iii) provides the customer additional "opt out" privileges not detailed within this proposed regulation that should be made clear in any disclosure.
It is recognized that the initial disclosure cannot always be provided prior to the time a customer relationship is established. Subsequent delivery is acceptable under the circumstances described at section ___.4(d)(2) but the standard for reasonableness should reflect the circumstances described, i.e. purchasing an account or orally agreeing to enter into a relationship and receive the disclosures subsequently. The standard utilized for subsequent disclosures for real-estate transactions, namely no more than three (3) business days after the customer relationship is established but in any event before any nonpublic personal information is provided. Thirty (30) days is a reasonable time to allot before the disclosure of information to nonaffiliated third parties.
The Cellucci/Swift Administration's legislation, which addresses the privacy of financial information, differs significantly with regard to the consumer's control of the dissemination of the information. Under the proposed bill, Massachusetts would have an "opt in" provision whereby the financial institution must assume that the consumer or customer does not desire the sharing of the information unless specifically instructed otherwise. This would be more consumer protective and would be recognized as permissible under proposed section ___.15. However, the Office of Consumer Affairs would recommend that the agencies provide greater clarity to section ___.15. Section ___.15(a) states that the proposed regulation does not preempt any state law or regulation "in effect in any State" except where the state law or regulation is inconsistent with the proposed regulation. Section ___.15(b) on the other hand states that "For the purposes of this section, a State statute, regulation, order or interpretation is not inconsistent with the provisions of this part" if the statute or regulation is more consumer protective. The Office of Consumer Affairs assumes that these two subsections can be read independently. In other words, a State can enact legislation or promulgate regulations after the effective date of the proposed regulation without being preempted so long as the statute or regulation is more protective to the consumer. Greater clarity by the agencies would assist in this area. In addition, the final rules should require that federal authorities notify and consult with states at least sixty (60) days prior to determining a state law may be preempted.
Thank you for the opportunity to comment on the proposed regulations. If you have any questions, please feel free to contact me or David Veator, Deputy Director and General Counsel at (617) 573-7300, or David J. Cotney, the Division's Deputy Commissioner for Consumer Compliance, at (617) 956-1500, extension 542.
Very truly yours,
Jennifer Davis Carey, Director