LAW OFFICES OF PAUL SOTER
149 San Felipe Avenue
San Francisco, California 94127
Tel. (415) 333-3193
Fax (415) 333-3792
March 27, 2000
Via electronic mail to GLBRule@ftc.gov
Re: Notice of Proposed Rulemaking: Privacy of Consumer Financial Information
Dear Sir or Madame:
I am a sole practitioner who provides product-oriented regulatory and compliance advice to entities that provide various types of financial services to consumers. On behalf of my clients, I appreciate the opportunity to comment on the Federal Trade Commission's (the "FTC") proposed rule to implement Section 504 of the Gramm-Leach-Bliley Act (the "Act") as to entities regulated by the FTC (the "Privacy Regulation").
New Consumer Financial Service Providers
My background is in banking law, and I continue to advise some of the largest banks in California and the United States with regard to issues pertaining to the offering of consumer financial services in and from California. However, over the past few years I have seen a two-pronged metamorphosis in the consumer financial services industry. First, as banks have aggressively pursued mergers with and acquisitions of each other, their product offerings have tended to become narrower in scope. Thus, many of the services that consumers formerly would have obtained from banks are now offered primarily, or at least more aggressively, by other types of entities. These services include check cashing; money transmittal; sales of money orders and equivalent instruments; access to deposit accounts and credit card accounts through automated teller machine ("ATM") networks; small loans; and bill payment. Second, many of these new service providers achieve access to the market for consumer financial services primarily or exclusively through use of new delivery technologies such as the Internet, sophisticated ATMs or remote service units ("RSUs"). For the sake of convenience, the entities described in this paragraph will be referred to in this letter as New CFS Providers.
As the business models of these New CFS Providers are so new, there is often little or no federal or state law directly governing their operations. Furthermore, it is often extremely difficult to apply existing and newly-enacted laws to New CFS Providers' product operations. In this regard, the privacy provisions of Section 504 of the Act are typical. The language of the Act, while extremely broad, does not fit well either the overall frameworks of the customer relations or the specifics of the consumer transactions in which New CFS Providers engage. Accordingly, this letter will attempt to provide useful comment in this regard to the proposed Privacy Regulation.
General; Timing of Implementation
First, the FTC is to be commended for its overall efforts in seeking to fashion a workable regulation from the extremely broad language of the Act. In general, the proposed Privacy Regulation is comprehensible and detailed. The numerous examples are particularly useful. However, it is clear from the outset that implementation of the Privacy Regulation will be complicated and fraught with potential for error on the part of financial institutions, as defined.
For this reason, I strongly urge the FTC to take whatever action it can to extend the time period available for implementation between the publication of the final version of the Privacy Regulation and its effective date. Many factors come into play here. First, many New CFS Providers, as well as their traditional industry counterparts, are new to the regulated businesses in which they are engaged. It will take a certain amount of time for both New CFS Providers and for traditional small consumer financial service providers, such as finance companies, check cashers, check sellers, etc., to learn of the existence of the final Privacy Regulation and to bring themselves into compliance. Second, as the FTC is aware, many of the entities it regulates essentially out-source compliance; that is, they purchase turn-key or do-it-yourself compliance systems, forms, and policies and procedures from outside vendors. Those vendors thus perform a valuable public service by making a much higher level of compliance capability available than small entities would otherwise be able to generate on their own. However, the development, marketing, and implementation of such compliance services take time, which will not be available under the accelerated time frame currently contemplated. Accordingly, the FTC would permit and facilitate a much higher level of compliance with the Privacy Regulation (which is, after all, the goal of the Act) by lengthening the implementation period.
The most significant substantive issue to both New CFS Providers and traditional small consumer financial service providers pertains to the definition of "customer relationship" found in Section 313.3(i) of the draft Privacy Regulation. I urge the FTC to add language clarifying that a series of "isolated transactions" does not create a customer relationship.
There is a common and important fact pattern involved here. A consumer who has engaged in a satisfactory isolated transaction with a financial institution is likely to return to that financial institution when he or she wishes to engage in another transaction of the same nature. Likewise, a financial institution that has engaged in a satisfactory isolated transaction with a consumer may wish to take steps to facilitate further such transactions. Many financial institutions seek to recognize such repeat business by issuing identification cards or numbers to facilitate such repeat transactions; some pass part of the cost savings on to the consumers in the form of repeat business discounts. Yet, each money order sale, money transmission, check cashing, or similar transaction truly is a unique and isolated transaction. One would therefore hope that such repetitions of isolated transactions by consumers and financial institutions could result in lowered costs, rather than in the increased costs and compliance burden of having the relationship considered to be a customer relationship and triggering the higher compliance level associated with that characterization. This seems particularly appropriate for transactions effected through ATMs or RSUs, but also in face-to-face or Internet-based transactions where the transaction is sufficiently discrete that there is nothing in the transaction that inherently suggests the probability or necessity of further transactions between a particular consumer and a particular financial institution.
The current draft Privacy Regulation does not address this issue. Accordingly, I urge the FTC to clarify this point. I believe that making it clear that a series of isolated transactions, without more, does not become a customer relationship under the Privacy Regulation, will, by minimizing the regulatory burden on financial institutions, benefit both the consumer financial services industry and the consumers with which that industry does business.
Alternative Definitional Issues
Next, I would like to comment on the alternatives proposed for Section 313.3(n)-(p) of the proposed Privacy Regulation. I recommend adoption of the less restrictive Alternative B in each case. Three points are worth considering here. First, the implementation of the Privacy Regulation promises to be difficult enough under the best of circumstances; the fewer restrictions and requirements that are posed, the lighter the compliance burden will be and the fewer mistakes will be made. Second, it is unclear that the Act intended to include information that is unidentifiable as to any particular consumer within the ambit of its coverage. To the extent financial institutions are able to analyze and utilize information about their customer bases without compromising any customer's reasonable privacy expectations, they should be able to do so unimpeded. Third, this principle is heightened when the information thus analyzed and utilized could be assembled from non-proprietary sources. Accordingly, Alternative B seems both fairer and more in keeping with the legislative intent of the Act.
Electronic Disclosure Requirements
Financial institutions' ability to provide legally required disclosures by means of electronic media is, of course, the subject of careful consideration at the moment by the Federal Reserve Board, the Office of the Comptroller of the Currency, and no doubt by other federal agencies as well. However, I believe that the approach that seems to be set forth in the draft Privacy Regulation is the appropriate one, and would urge the FTC to restate it in a clearer manner.
If read together, Sections 314(c)(5)(iii)(C), 315(b), 318(b)(1) and (3), 313(d) and 313.11(b)(2) seem to provide that a consumer may choose a means of electronic communication with a financial institution, whereupon the consumer and the financial institution may agree that all communications from the financial institution to the consumer required under the Privacy Regulation may be effected through that medium. I laud this approach, and suggest that, as a model for required disclosures in the environment of electronic commerce, it is not only practical and fair, but inevitable.
* * *
I trust the FTC will find this comment letter useful. Please feel free to contact me if I can provide any clarification of the above comments.
R. Paul Soter, Jr.