Sent via electronic mail
Secretary, Federal Trade Commission,
We have examined the proposed rules that you have published regarding implementation of the privacy provisions of Title V of the Gramm-Leach-Bliley Act (GLB). We have comments to submit pursuant to your request for comments on the proposed rules and other areas in which comment was invited. The comments are submitted on behalf of our membership, a state association of 92 community banks, most of which are relatively small in asset size. To give you some background, approximately 80% of our member banks are an asset size of under $50 million and about 10% of our member banks are an asset size of over $100 million. Obviously, any new regulation with the breadth of these proposed rules will have a greater effect, relatively speaking, on most of our member banks than on the average bank in the U.S.
We must preface any comments by a statement of the importance of customer privacy to all of our members. Throughout the years, community banks in our state have jealously guarded the privacy of their customers' financial and non-financial information. Unlike many states, North Dakota has a privacy law in existence and has had a bank privacy law in existence for some time. It is a strict law, with exceptions to allow our banks to carry on their day-to-day business, and it generally has worked well.
Higher Relative Cost and Burden on Smaller Banks
The Federal Register invites comments on the burden these proposed rules will establish on smaller institutions and "whether any exemptions for small institutions would be appropriate." Federal Register, p. 8785. We recognize that some of the requirements for all financial institutions are relatively specific in their requirements in GLB itself and are not within the discretionary specter of regulatory authority. Others, in this complex mixture of law and regulation, will fall within the purview of rulemaking. However, we would like to make it clear that from the perspective of community banking, we believe that a "one size fits all" approach is faulty and places a much higher relative burden and expense on smaller, community banks.
We have received information from one of the larger community bank members of our association that has provided us an estimate of the additional expense to their institution alone in additional processing, labor, material and systems to comply with the regulations and statutory requirements. The bank has estimated an additional cost of $97,400 to comply, based on the following:
The result is that the various notice requirements, in theory and in practice, will provide a much higher relative burden to community banks. We would suggest that, whether legislatively or administratively (or both), a separate set of requirements and reporting procedure be established for smaller banks. This separate system would not expand or change in any way the nonpublic information disclosed, but would at least somewhat lighten the administrative burden on smaller banks.
Applicability of GLB to Financial Institutions
GLB, by its very nature, was meant to provide a more uniform operating environment for various types of products and services in the financial arena, including securities and insurance underwriting and sales, as well as lending, financial management and other traditional banking functions. We believe that any financial privacy disclosure requirements should apply not only to banks, thrifts and credit unions, but to insurance companies, securities firms and all other entities encompassed, created or tacitly approved by GLB.
We have noted a specific group of institutions that are excluded from the disclosure requirements. They are the various Farm Credit Services cooperatives and other institutions and organizations in the farm credit system throughout the country. They deal with the same issues of confidential, financial customer information as any bank, thrift or credit union. We believe that any regulations or other requirements for disclosure and protection of nonpublic personal financial information should be equally binding on them as on any bank, thrift or credit union.
Reliance on North Dakota Law
Another area of comment relates to making sure that our interpretation of one of the exceptions in the regulations is correct and, if not, it should be amended to make it clearer. Before going into the exception, I should again note that North Dakota has a privacy act, Chapter 6-08.1, North Dakota Century Code, which has been in effect since 1985. Our law has been the subject of various regulatory and legal interpretations and those interpretations have been incorporated into the daily operations of our banks. Generally, I think it is fair to say that the law has worked well. It closely guards nonpublic financial information yet provides the exceptions sufficiently broad to allow our banks to conduct their day-to-day business without unnecessary regulatory or other burden.
GLB Section 502(e)(5), one of the list of exceptions in the statute, states that the statute does not prohibit the disclosure of nonpublic financial information "to the extent specifically permitted . . . under other provision of law. . ."
Our interpretation of this Section is that the list of exceptions in the North Dakota law would satisfy the requirement of "other provision of law." The banks would therefore be able to rely on the exceptions in state law and the judicial and regulatory interpretation of those exceptions. If the interpretation is anything other than that interpretation, we would request that regulatory language be clarified to make it clear.
A similar statutory problem exists between the GLB Act and the North Dakota law because GLB is unclear on its relationship to state law. GLB states that it preempts state law unless that law essentially has tighter control on the release of customer information. GLB then outlines an opt-out statutory framework. The North Dakota law is an opt-in law with a number of exceptions. Does that mean that the entire North Dakota law is not preempted by the GLB or only that certain parts of the North Dakota (or any other state law) are preempted by GLB? If parts of the North Dakota law remain in effect and parts do not, how can a North Dakota financial institution possibly determine what requirements it should meet? These problems and uncertainties will cause even more time and expense to the community banks in our state. They should be clarified before any regulation implementing GLB is finalized and becomes effective.
The regulations proffer two possible interpretations of what information is "public" information. We believe that it should not be necessary that the information be obtained from a public source, but that it can be obtained from any source. Determining where a bank gathers its public information is not something a regulator should be spending undue time and energy on if the information itself is public.
Contents of Disclosures
We recognize that the regulations give eight basic information requirements for both the initial and annual notices required. However, we have received comment from our member community banks that the informational requirements are overly broad, in some cases redundant, and in many cases difficult to interpret. This is particularly true in light of the requirement that the financial institution "clearly and conspicuously" disclose its policies.
Thank you for the opportunity to file our comments on the proposed rules. We look forward to your comments and look forward to further efforts to administratively implement the very important changes to the banking and financial services environment with the passage of the Gramm-Leach-Bliley Act.
Very truly yours,
cc: DeWayne Streyle, President, ICBND