| March 31, 2000 Secretary Re: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 - Comment Ladies and Gentlemen: This comment letter is submitted by NYCE Corporation on the proposed rules to implement Title V ("Title V") of the Gramm-Leach-Bliley Act (the "Act" or the "GLB Act"), published for comment on various dates in the Federal Register by the Board of Governors of the Federal Reserve System ("FRB"), the Office of the Comptroller of the Currency ("OCC"), the Federal Deposit Insurance Corporation (the "FDIC"), the Office of Thrift Supervision ("OTS"), the Federal Trade Commission ("FTC") and the National Credit Union Administration ("NCUA") (collectively, the "Agencies"). NYCE Corporation owns and operates the NYCE Network, one of the largest shared regional electronic fund transfer ("EFT") networks in the United States, with a principal service area consisting of the States of Connecticut, Delaware, Illinois, Indiana, Maine, Massachusetts, Michigan, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island and Vermont. The NYCE Network is operated under the NYCE® brand name. NYCE provides shared network access to cardholders at automated teller machines ("ATMs"), point of sale ("POS") terminals, scrip terminals and point-of-banking ("POB") terminals. As of December 31, 1999, the NYCE Network had over 2,300 participants (commercial banks, credit unions, savings banks, savings and loan associations, cooperative banks and bank holding companies) with more than 45.1 million cardholders. As of December 31, 1999, there were approximately 35,500 ATM terminals, 785 POB terminals, 205 scrip terminals and 208,000 POS terminals participating in the NYCE Network. NYCE Network transactions are processed by an EFT processing system, which includes software, computer hardware, and network management services, commonly referred to as the switch. Approximately 175 organizations have direct, on-line technical interfaces to the NYCE switches and are linked to the computer facilities of the participating financial institutions, merchants or third party processors. NYCE also manages the daily settlement of NYCE Network transactions through the automated clearing house system and generates settlement reports on a daily basis. In addition, NYCE offers a variety of electronic funds transfer support services not associated with the NYCE brand name through its EFT Processing Services line of business. These services include cardbase authorization and management services, ATM terminal driving and monitoring services, stand-in processing, administrative terminal services, support of surcharging options and programs, processing services for Visa Check® and MasterMoney® off-line debit card transactions and gateway access services to national and regional networks and electronic benefits transfer programs. We are writing to request that the Agencies include additional guidance and clarity in its final rule to assist EFT providers, such as NYCE, in determining their compliance obligations - if any - under the Act. Specifically, we are requesting that the definitions of "customer," "customer relationship" and "financial institution" be clarified as noted below and that the final rule include EFT transactions as an example of transactions exempt from the disclosure and opt-out requirements pursuant to Section 502(e) of the Act. Most consumers use one or more EFT networks regularly, if not on a daily basis. Given the significant presence in the financial life of consumers, we believe that a clear rule regarding the applicability of the Act to EFT networks would greatly benefit both consumers, the networks and their financial institution and retailer participants. "Customer" and "Customer Relationship." The Act provides that the required privacy policy and opt-out notice is to be provided to every "customer," which is not defined in the Act. In the proposals, "customer" is defined as "any consumer who has a customer relationship with a particular financial institution." "Customer relationship" is defined as "a continuing relationship between a consumer and a financial institution whereby the institution provides a financial product or service to a consumer that is to be used primarily for personal, family or household purposes." We do not believe that users of an EFT network have a customer relationship with an EFT network, and thus never become customers of the network. We request, therefore, that the final rules contain an example that explicitly states that the use of a terminal (such as an ATM, POS or POB) by a consumer in a transaction (such as withdrawing or depositing cash, purchasing goods or services, funds inquiry or transfers between accounts) does not constitute a customer relationship, and therefore terminal users are not customers of the EFT network that processes the transaction regardless of the number of transactions performed by the consumers. An individual may access an EFT network only through a card or other access device issued by a member or participant in the network. The individual's relationship, therefore, is with the institution that has issued the access device to the individual - in other words, the individual's bank, credit union or other traditional financial institution. It is that FI that maintains a relationship with the network. The network has no direct contact with the individual, and has no contractual or other relationship with the individual. Merely by effectuating EFT transactions, therefore, an EFT network does not have a customer relationship with any individual using the network. We request that the Agencies clarify this through an example in the final rules. We further request that the Agencies clarify the statement in the Supplementary Information that a "consumer would not necessarily become a customer simply by repeatedly engaging in isolated transactions, such as withdrawing funds at regular intervals from an ATM owned by an institution with whom the consumer has no account." See, e.g., 65 Fed. Reg. at 11176. As discussed above, we do not believe a consumer ever becomes a customer of an ATM owner or operator merely by conducting one or many transactions through an ATM. Thus, we request that the Agencies include this statement as an example in the final rule, but with the word "necessarily" removed, to reflect that EFT transactions in and of themselves can never create a customer relationship between a consumer and an EFT network. "Financial Institution." We request that the final rules specifically state whether an EFT network is or is not a "financial institution" ("FI"). If an EFT network may be considered to be an FI, we recommend that the rule be applicable to all networks, regardless of ownership. Certain bank holding company owners of NYCE have had to apply to the FRB for permission to invest in NYCE; pursuant to those and related applications, NYCE's owners have asserted, and the FRB has concurred, that NYCE engages in financial data processing activities permitted under the Bank Holding Company Act. However, not all EFT networks are owned by bank holding companies. For example, the Plus (owned by Visa), Cirrus (owned by MasterCard) and MAC (owned by Concord EFF) EFT networks are not owned by banks or bank holding companies, and thus able to engage in acquisitions and other transactions without obtaining FRB approval. We assume that Congress did not intend ownership to determine who is or is not an FI; we therefore urge the Agencies to adopt a rule or exception that applies equally to all EFT networks. Although the determination of whether EFT networks are FIs or not will not have any affect on their disclosure requirements under the Act, we note that FIs are still subject to other provisions of the Act. Most importantly, the Act imposes only on FIs an explicit obligation to "respect the privacy of ... customers and to protect the security and confidentiality of those customers' nonpublic personal information." GLB Act § 501(a). Since all EFT networks use the same type of personal information to perform their functions, to have this obligation apply to some networks but not others would confuse customers and deprive them of the protection intended by the Act. Furthermore, the Act requires all FIs to abide by standards established by the appropriate agency relating to administrative, technical and physical safeguards affecting the security and confidentiality of financial data. Again, to require some but not all EFT networks to abide by such standards would defeat both the affiliation and consumer protection purposes of the Act. Exceptions for Processing and Servicing Transactions. Under Section 502(e) of the Act, FIs do not have to disclose to consumers or customers, or permit them to opt out of, sharing of information with nonaffiliates "as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer ...." We believe EFT transactions clearly fall within this exception. However, as noted above, because of the importance of EFT transactions to most consumers on a daily basis, clear guidance to this effect from the Agencies would be helpful to both consumers and EFT networks. We therefore request that the Agencies include EFT transactions as an example in section __.10 of the final rules. We appreciate the opportunity to comment on these proposals. Very truly yours, James S. Judd |