October 9, 2001
Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule 16 CFR Part 314 -- Comment,
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA) 1 appreciates the opportunity to comment on the proposed Federal Trade Commission (FTC) rule that would require financial institutions subject to its jurisdiction to implement standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act (GLB).
The ICBA earlier commented on similar guidelines that were proposed by the four federal bank regulatory agencies (the agencies), and a copy of our August 25, 2000 comment letter is attached. Those guidelines became effective on July 1 and will apply to financial institutions subject to the agencies' jurisdiction.
We commend the FTC for taking similar steps to ensure that customer information is properly protected when stored or processed by financial institutions subject to the FTC’s jurisdiction. Financial institutions under FTC oversight include service providers, defined as "any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to the rule."
Community banks rely extensively on service providers to meet the product and services demands of their customers. They expect and require their service providers to safeguard customer information to the same extent that they themselves are required to safeguard such information. Therefore, ICBA believes it is critical that the FTC implement standards for safeguarding customer information that closely parallel the guidelines previously issued by the agencies. While we recognize that there are differences in how different financial institutions operate and are organized, we strongly encourage the FTC to take all necessary steps to ensure that the FTC rule is as similar as possible to those issued by the agencies. Such parallel rules will help alleviate potential confusion and burden as companies work to coordinate their efforts. Most important, parallel rules will facilitate compliance by all financial institutions.
Because community banks rely extensively on service providers, and recognizing that it is therefore important that service providers implement appropriate procedures to ensure the security and confidentiality of customer records, the ICBA has been an active participant in the Information Technology Service Provider Working Group established by BITS. 2 The Working Group is currently finalizing a Framework for Managing Technology Risk for Information Technology Service Provider Relationships. The soon-to-be-released Framework was recently endorsed by the ICBA and is designed to provide guidelines for control, design, and management practices where information technology services may be or have been outsourced. Under separate cover, BITS will be forwarding additional information on the Framework.
Given the financial services industry’s increasing use of service providers relatively unfamiliar with the regulatory requirements attendant to financial institution relationships, the ICBA strongly urges the FTC to develop a program for educating service providers on their responsibilities for complying with the FTC’s standards for safeguarding customer information. We also encourage the FTC to work closely with BITS on such an effort.
Thank you for the opportunity to comment. If you have any questions or would like any additional information, please contact Robert Rowe or Viveca Ware at 202-659-8111.
Robert I. Gulledge