| By Electronic Mail October 9, 2001 Secretary Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314 - Comment Dear Secretary: The Financial Planning Association ("FPA")(1) appreciates the opportunity to provide comment as the Federal Trade Commission ("FTC") continues to revise rules to govern financial institutions pursuant to the security provisions of the Gramm-Leach-Bliley Act ("GLB Act"). As you know, Congress charged the FTC with developing privacy rules for financial institutions not otherwise specifically assigned to another federal agency. As a result, the FTC is responsible for developing rules for state-registered investment advisers as well as intrastate broker-dealers. Many of FPA's members are affiliated with state-registered investment advisers and are thus subject to the FTC privacy rules. FPA membership also includes many investment advisers registered on the federal level with the Securities and Exchange Commission ("SEC"); therefore, we have an equal interest in uniform application of Regulation S-P,(2) the privacy rule promulgated by the SEC, for all investment advisers. With respect to the proposed Privacy Safeguards Rule ("Safeguards Rule"), FPA supports the FTC's efforts to coordinate its proposal with other federal and state regulatory authorities, and we hope to see a final product that includes uniform and consistent application of rules among the various agencies with oversight. General Comment FPA is opposed to the application of the Safeguards Rule to state-registered investment advisers subject to the rule, because the rule differs from SEC privacy rules governing SEC-registered investment advisers. FPA respectfully requests that the FTC allow state-registered investment advisers and intrastate broker-dealers to continue to comply with §248.30 of Regulation S-P "Procedures to Safeguard Customer Information and Records" in lieu of the Safeguards Rule. We believe that this is a constructive alternative to the proposed rule, and this approach would create a uniform and consistent privacy policy for both state and federal investment advisers. FPA is supportive of the privacy protections established by the GLB Act. Because of the highly sensitive nature of the personal information collected as part of the financial planning process, professional organizations like FPA have for many years voluntarily mandated strict confidentiality with respect to client information. Consistent with its commitment to the CFP Code of Ethics and Professional Responsibility (the "Code"), FPA requires all members to adhere to the Code,(3) which has a specific confidentiality requirement for CFP practitioners.(4) As registered investment advisers or affiliates, most FPA members have a longstanding fiduciary relationship with their clients. Much of what the Safeguards Rule proposes has already been incorporated into the compliance and contractual agreements of our members. Financial planners are in a somewhat unique situation in that they are heavily regulated under multiple state and federal jurisdictions because of the comprehensive nature of the discipline. In addition to oversight under the federal or state securities laws as investment advisers, many are also licensed as insurance agents under state laws. In addition to investment and insurance advice or sales, financial planners also frequently engage in other advisory activities including educational planning, long-term elderly care, closely held small business planning, and estate planning. These activities require consideration of tax and trust laws, as well as an understanding of the complex requirements for college financial aid programs, and the eligibility criteria for long-term care insurance, among other concepts. In summary, financial planners already have a complex compliance burden due to the multiple layers of regulation affecting their practices. Many FPA members are sole proprietorships or partners in small boutique financial planning firms, so compliance with complex rules can be time consuming and costly. Some are also affiliated with state-registered advisory firms as well as SEC-registered advisory firms, making compliance with the Safeguards Rule even more complicated. FPA appreciates efforts made by the FTC to keep the Safeguards Rule flexible to allow smaller businesses to implement appropriate programs based on the size and complexity and the nature and scope of the their activities. However, FPA is extremely interested in consistency and uniformity in the regulations that affect state-registered investment advisers and investment advisers registered with the SEC. The Safeguards Rule fails in this regard. You have specifically requested comment on the extent to which other federal standards involving privacy or security of information may duplicate and/or satisfy the Safeguard Rule's requirements. In addition, you have asked for comment on the burden on small entities that may result from the rulemaking. FPA is also deeply concerned about these issues. Our comments focus on the interplay between the Safeguards Rule, the SEC's Regulation S-P, and the critical need for uniformity in the governing privacy rules directly affecting investment advisers. Compliance with Other Federal Privacy Standards You have requested additional comments on how compliance with other laws and rules relating to information security, such as SEC Regulation S-P, should be addressed in the proposed rule. The FPA believes that uniformity in this area is critical. Despite FTC efforts to ensure flexibility and to minimize burdens on small businesses, certain aspects of the Safeguards Rule differ significantly from SEC rules in this area and add another complex layer of regulation for small financial planning firms subject to the FTC rule. As you know, the SEC adopted procedures to safeguard customer records and information as part of Regulation S-P in June 2000. The FTC later determined that compliance with the SEC privacy rule would satisfy the FTC Privacy Rule.(5) FPA requests that the FTC also allow state-registered investment advisers and intrastate broker-dealers to continue to comply with §248.30 of Regulation S-P "Procedures to Safeguard Customer Information and Records" in lieu of the Safeguards Rule. This approach would create a uniform and consistent privacy policy for both state and federal investment advisers. Despite the intent of the Safeguards Rule to provide flexibility in meeting its requirements, one industry sector covered here is already adequately covered under another federal agency's rules. We feel strongly that the FTC should defer to the SEC where FTC privacy rules concerning state registered investment advisers differ from Regulation S-P. It should be noted that, with respect to investor protection, SEC-registered advisers manage the vast majority of assets under management by investment advisers in the United States, and SEC rules have not been proven inadequate in connection with the privacy concerns addressed by this Rule. Also, state advisers are required to register with the SEC when their assets under management exceed a $30 million threshold, at which time they would be required to meet different requirements under Regulation S-P. Regulation S-P generally requires firms to develop tailored policies and procedures that address the protection of customer information and records. These policies and procedures must be reasonably designed to insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of customer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. FPA believes that these procedures are appropriate to safeguard customer information. Although the FTC and the SEC have the same consumer protection goals in mind, the FTC has taken a different approach by incorporating certain core elements that are viewed as necessary to creating the required safeguarding standards. The FTC proposal requires state advisers to develop and implement a comprehensive written information security program containing administrative, physical, and technical safeguards deemed appropriate based on the firms size and complexity, and the nature and scope of its activities. The proposed rule also contains a requirement that service providers must contract to implement and maintain appropriate safeguards to protect customer information. This requirement is a marked difference from the requirements of Regulation S-P which does not require firms to enter into confidentiality contracts with service providers that receive customer information for processing and serving transactions. Third parties with whom a financial planner may share confidential information include nonaffiliated broker-dealers, insurance companies, mutual fund complexes, attorneys, accountants, trustees, executors, and others. We believe that this sharing of personal information with other financial professionals, most of whom have a similar fiduciary obligation to the client, has always been part of a traditional way of providing financial services to a client. The sharing of such information between third parties is obvious to the client. In its review of the privacy issue during passage of the GLB Act, Congress directed its attention primarily to potential problems with large institutional sharing of confidential information. We believe that the additional requirements in the proposed rule that may be appropriate for other regulated entities are unnecessary for state-registered investment advisers where such requirements undermine uniformity among privacy rules governing investment advisers. The North American Securities Administrators Association ("NASAA") is the unified voice for state securities regulators, and we support their arguments in favor of uniformity. We are aware that NASAA has submitted comments urging the FTC to permit state-registered investment advisers and intrastate broker dealers to comply with SEC Regulation S-P in lieu of the Safeguards Rule.(6) We strongly agree with the state regulators on this issue and offer that if compliance with Regulation S-P satisfies the concerns of state regulators with primary authority over state-registered investment advisers, FTC concerns should also be satisfied. Safeguard Rule Burdens Small Businesses You also requested comment on the burden on small entities that may result from the rulemaking. FPA believes that non-uniform privacy requirements for state and federal investment advisers will create an added compliance burden for small state-registered firms. In addition, because advisers typically look to the SEC for guidance in this area, non-uniform requirements will result in confusion and undermine compliance efforts. Conclusion As described in the GLB Act, the objectives of the privacy rules are to insure the security and confidentiality of customer records and information, protect against threats to the security or integrity of such records, and protect against unauthorized access to or use of such records. We believe that Regulation S-P will achieve these stated objectives and should be applied to all investment advisers. The SEC has determined that Regulation S-P is an appropriate privacy safeguard for advisers registered with the SEC. Through NASAA, the states have also voiced their concerns about uniformity and have asked that SEC rules be applied to state-registered investment advisers. FPA joins both federal and state regulators with primary authority over investment advisers in asking the FTC to create one uniform rule for all investment advisers by creating an exemption from compliance with the Safeguards Rule for investment advisers that are in compliance with Regulation S-P. We would be pleased to respond to any questions in connection with these comments. Please do not hesitate to contact the undersigned at 202.626.8772. Sincerely, Robert H. Neill, Jr. Assistant Director of Government Relations 1. The Financial Planning Association is the largest organization in the United States representing financial planners and affiliated firms. FPA is domiciled in Washington, D.C., with administrative offices in Atlanta and Denver, and represents approximately 29,000 financial planners and 100 local affiliates throughout the United States. 2. Privacy of Consumer Financial Information (Regulation S-P), Release No. IC-24543 (June 22, 2000) (the "Privacy Release"). Regulation S-P was proposed in Release No. IC-24326 (Mar. 2, 2000). 3. FPA members are required to adhere to a code of ethics and practice standards of the CFP Board of Standards, Inc. The CFP Board is a separate, Denver-based, nonprofit professional regulatory organization whose goal is to benefit and protect the public by establishing and enforcing education, examination, experience and ethics requirements for persons authorized to use its certification marks (CFPTM, CERTIFIED FINANCIAL PLANNERTM and CFP with flame logo®). The CFP Board is the largest such organization in the U.S., having certified nearly 60,000 registrants since the program began in 1973.4. Principle 5 of the FPA Code of Ethics, which is derived from the CFP Code of Ethics and Professional Responsibility, states: "An FPA member shall not disclose any confidential client information without the specific consent of the client unless in response to proper legal process, to defend against charges of wrongdoing by the FPA member or in connection with a civil dispute between the FPA member and client. A client, by seeking the services of an FPA member, may be interested in creating a relationship of personal trust and confidence with the FPA member. This type of relationship can only be built upon the understanding that the information supplied to the FPA member or other information will be confidential. In order to provide the contemplated services effectively and to protect the client's privacy, the FPA member shall safeguard the confidentiality of such information." 5. Privacy of Customer Financial Information - Security, 16 CFR Part 313 6. See Letter dated October 10, 2001, from Christine A. Bruenn, Maine Securities Administrator and Chair of the NASAA Privacy Project Group to Secretary, Federal Trade Commission. |