Metropolitan Life Insurance Company
March 31, 2000
Donald S. Clark
Gramm-Leach-Bliley Act Privacy Rules, 16 CFR part 313-Comment
Dear Mr. Secretary:
Metropolitan Life Insurance Company (MetLife) appreciates the opportunity to comment on the proposed privacy regulations required by Title V of the Gramm-Leach-Bliley Act (the Act). We recognize the effort put forth by the Federal Trade Commission (the Commission) to meet the requirements of the Act, including the expedited rule-making requirements of Title V, and congratulate you on your work thus far.
As you know, state insurance regulators face a similar task of drafting regulations to implement the Act. We believe that state insurance regulators, among other things, will consider the regulations developed by the federal agencies in the course of developing their insurance regulations. In addition, the Act provides for the federal agencies to consult with the state authorities designated by the National Association of Insurance Commissioners in the course of prescribing regulations. It is with this background that we submit our comments for your consideration.
MetLife is a leading provider of insurance and financial products and services to a broad spectrum of individual and group customers. The company, with $418.8 billion of assets under management as of December 31, 1999, provides individual insurance and investment products to approximately 9 million households in the U.S. MetLife is also the largest provider of group life insurance to corporations and institutions in the U.S., as well as providing pension and retirement savings plans to this market.
MetLife is synonymous with reliability, accessibility and security. Our reputation is key because people put money into financial products to achieve distant goals that require a level of trust and experience that MetLife provides. This trust is based on both financial soundness and the relationship between the customer and MetLife.
We will limit our comments to the specific sections of the proposed rule where clarification would be desirable rather than attempting to comment on all the provisions and the various questions raised by the proposed rule. Where appropriate, we have included rule language or additional examples for your consideration.
§313.2 Rule of Construction
The proposed rule seeks input on the usefulness of the examples provided. The examples are very helpful in understanding the Commission's interpretation of the Act and the proposed rules. In some cases, examples of what is not covered provide the most insight as to the application of the Commission's view on the application of the underlying policy. The rule proposed by the Securities and Exchange Commission includes additional specific negative examples in several areas. The inclusion of some additional examples will improve the clarity of the proposed rule.
§313.3(e) Definition of Consumer
The definition of consumer includes "an individual that obtains or has obtained a financial product or service*" from a financial institution. The examples indicate that in order to meet the definition, the individual must provide nonpublic personal information to the financial institution in connection with obtaining or applying for a financial product or service. By implication, an individual is not a consumer of the financial institution if that institution does not receive any nonpublic personal information on the individual. An example to make this point directly will add clarity to the proposed rule.
An individual should not be considered a consumer simply because she received a payment from a financial institution. The payment of money is not obtaining a financial service. In addition, third party beneficiaries or payees under a financial product or other third parties who claim a benefit under a financial product purchased by a consumer from a financial institution are not themselves consumers because they have not obtained a financial product or service from a financial institution. They are merely claiming proceeds of a product that another individual has obtained. Third parties have no direct relationship with the institution. To clarify that such individuals are not consumers for the purposes of the rule we suggest adding the following example following §313.3(e)(2)(v):
§313.3(i) Definition of Customer Relationship
The proposed definition of a "customer relationship" would require the existence of a "continuing relationship." We believe that this approach expresses the intent of the Act and that, as such, it is important that the proposed rules provide guidance as to what constitutes a "continuing relationship."
Considering the intent of the Act, necessary elements of a continuing relationship are: (a) a direct and ongoing voluntary relationship between the consumer and the financial institution; (b) privity of contract between the consumer and the financial institution; (c) direct communication between the consumer and the financial institution; and (d) control of the existence and duration of the relationship by the consumer and the financial institution, as opposed to control by a third party.
For example, there are situations in which a consumer's initial and continued eligibility for the financial product is contingent upon continued membership in a particular group - such as certain types of employee benefits (e.g., group life insurance) provided by an employer to its employees. In such cases, the relationship is not a true "voluntary" relationship since the consumer can generally only choose whether or not to accept the benefit that is being provided, as the employer generally offers only one alternative. The relationship is temporary and can be changed by the employer. Factors beyond the control of the consumer and the financial institution control the duration of the relationship. If the consumer leaves the group (as in the case where employment would terminate) the consumer's eligibility for the financial product will terminate.
Generally, group contracts are issued on an annually renewable basis and the group has the opportunity to decide whether to maintain the group contract. The group often chooses to contract with a different financial institution and to terminate the existing group contract, which terminates the individual's relationship with the financial institution. In these instances, we believe that there is no "continuing relationship." Accordingly, we propose adding an example to clarify that such relationships are not continuing relationships following §313.3(i)(2)(ii)(C):
§313.3(j) Definition of Financial Institution
The proposed rule defines a financial institution as "any institution, the business of which is engaging in activities that are financial in nature as described in Section 4(k) of the Bank Holding Company Act." The proposed rule refers to institutions that are "significantly engaged in financial activities, such as a retailer that extends credit by issuing its own credit card directly to consumers." This example exceeds the scope of the definition in the Act and in the proposed rule.
To read Title V otherwise would be inconsistent with the Act. The purpose of the Act was to permit affiliations between banks, insurance companies and securities firms. The Act accomplishes this by authorizing the creation of Financial Holding Companies. Under the Act, subject to limited exceptions, Financial Holding Companies are not permitted to engage in commercial activities. To read the definition of financial institution contained in Title V to apply to an entity whose business is primarily a commercial activity, rather than a financial activity, is inconsistent with the overall intent of the Act. The Act was not intended to regulate commercial entities that may engage in activities that would be permissible if conducted by a Bank Holding Company. This reading would extend the applicability of the proposed rule to businesses well beyond those envisioned by Congress.
§313.3(n) Definition of Nonpublic Personal Information
The regulation specifically asks for comments as to the proposed alternatives for the definition of nonpublic personal information. Alternative B is consistent with the definition proposed by the Securities and Exchange Commission and the Federal Reserve Board. In addition to providing a uniform approach, we believe this alternative is preferable because it is consistent with the express terms of the Act.
The Act specifically states that nonpublic personal information "includes any lists, descriptions, or other grouping of consumers (and publicly available information pertaining to them) only when it is derived using any nonpublic personal information other than publicly available information . . . but shall not include [such information] that is derived without using any nonpublic personal information" (emphasis added).
Alternative A includes in the definition of nonpublic personal information lists of consumers derived from any source of information a consumer provides on an application for a financial product or service. Alternative B includes such information in the definition of nonpublic personal information, only when it is derived from nonpublic personal information. Accordingly, alternative B is consistent with the express terms of the Act, while alternative A contradicts the express terms of the Act.
Moreover, we believe that this alternative is appropriate because even without considering the corresponding burden alternative A would place on financial institutions, no substantial privacy interest of a consumer is served by restricting the use of information that is publicly available.
§313.3(o) Definition of Personally Identifiable Financial Information
The regulation defines nonpublic personal information as "personally identifiable financial information." The definition of "personally identifiable financial information" should be limited to information of or pertaining to a consumer's finances.
The Act protects "nonpublic personal information." Nonpublic personal information is specifically defined as "financial information." The plain meaning of the term financial information is information of or pertaining to finances. Congress, by limiting the definition of nonpublic personal information to financial information, specifically excluded other types of information such as medical information, which is not information about or pertaining to a consumer's finances or financial condition. Clear evidence of Congress' intent is reflected in the fact that amendments, which would have brought medical information within the scope of the Act, were considered and not included. Applying the regulations to information other than financial information in the scope of these proposed rules would be beyond the scope of the Act.
Accordingly, we recommend that §313.3(o)(1) be revised by replacing "information" with "financial information". Additionally, a new definition for "financial information" should be added to §313.3. We suggest the definition read:
In addition, the examples found at §313.3(o)(2) should all be revised so that the term "information" is replaced with the term "financial information". The example at §313.3(o)(2)(i)(A) should be further revised by striking "including, among other things, medical information."
§313.16(b) Notice requirement for consumers who were your customers on the effective date.
The Commission specifically asked for comments regarding the burdens associated with implementing these proposed rules as drafted. The proposal provides that initial notices must be provided to current customers within the 30 days following November 13, 2000. The December 13, 2000 deadline will result in a nationwide deluge of privacy notice mailings at the height of the 2000 holiday season.
In addition, many institutions currently provide privacy notices to their customers and, in situations where these notices comply with the requirements of the final regulations, duplicate notices should not be required. We suggest striking the second sentence in §313.16(b) and inserting the following:
Treatment of Dormant Accounts
Most financial institutions have at least some customer relationships where the institution no longer has a "good" address and attempts to secure a current valid mailing address have failed. Requiring that notices be mailed to "bad" addresses serves no purpose and will simply increase the financial institution's administrative expenses, costs which are passed on to all customers. We suggest adding a new subparagraph following §313.16(b):
In addition, we suggest adding to §313.5 Annual notices to customers required the following new subparagraph:
§313.8(a)(2)(ii)(D) Exercising the right to opt-out; Toll free telephone numbers:
The Commission proposes the use of a toll-free number as a reasonable means by which a customer may opt-out. We believe that a toll free number may be the most accessible, convenient and "user friendly" means for our customers to elect to opt-out. We strongly urge the Commission to retain the example found in §313.8(a)(2)(ii)(D) regarding toll free telephone numbers. In addition, we encourage the Commission to press the other agencies to add the example to the other proposed rules to promote uniformity and clearly establish a reasonable opt out method that will be preferred by many consumers as the easiest way to state their preference.
MetLife appreciates the opportunity to comment on the proposed rule. We share the Commission's commitment to protecting the privacy and security of the information that our customers share with us. If you have any questions regarding our comments, please contact Russ Iuculano, Vice President, Government and Industry Relations, at 202-659-3575.
Vincent P. Reusing