March 30, 2000

Communications Division
Office of the Comptroller of the Currency
250 E Street, SW
Washington, DC 20219
Docket No. 00-05

Ms. Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th and C Streets, NW
Washington, DC 20551
Docket No. R-1058

Mr. Robert E. Feldman, Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RIN 3064-AC32

Manager, Dissemination Branch
Information Management & Services Division
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Docket No. 2000-13

Re: Privacy of Consumer Financial Information

Ladies and Gentlemen:

Bank of America Corporation ("Bank of America") welcomes the opportunity to comment on the draft regulations ("Proposed Rule") proposed by the Office of the Comptroller of the Currency ("OCC"), the Board of Governors of the Federal Reserve System ("Board"), the Federal Deposit Insurance Corporation ("FDIC") and the Office of Thrift Supervision ("OTS") (collectively, the "Agencies") to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act ("GLB Act") with respect to the banking sector of financial institutions.

Bank of America, with $633 billion in total assets, is the sole shareholder of Bank of America, N.A., the largest bank in the United States, with full-service consumer and commercial operations in 21 states and the District of Columbia. Bank of America provides financial products and services to more than 30 million households and two million businesses, and provides international corporate financial services for clients doing business around the world.

The level of detail required by the proposed rule is one of the most critical issues for Bank of America. Bank of America does not share customer information with nonaffiliated third parties for purposes of marketing their products and services to our customers. Therefore, we are particularly concerned about the extensive detail required in the proposed rule regarding the disclosure of information among affiliated entities and with service providers. This level of detail will add significantly to the length of the privacy policy notice with very little benefit to customers. We urge the agencies to reconsider this position and require no more than a very high level disclosure regarding this issue.

We are also concerned about the regulatory burden that will be imposed by the timing of the effective date of the new rules. Financial institutions need an appropriate amount of time to fully implement the new requirements to ensure that the policy disclosures accurately reflect their practices. This requires review of, and if necessary, revision to, systems and procedures, development of the policy, training of associates, enhancement of audit and compliance procedures and actual preparation and mailing of disclosures. The final rule should provide an additional year for compliance with the new requirements. This would also allow for appropriate distribution of the millions of disclosures that must be mailed to existing customers under the law.

Bank of America is also concerned about who will be deemed to be a "customer" for purposes of providing the initial and annual policy disclosure. With respect to joint accounts, Bank of America believes the final rule should provide that notice may be given to any one joint account holder for that account (as is permitted for various other disclosure regulations) or to each individual customer. This would provide adequate flexibility and permit banks with various systems constraints to provide the disclosures together with account statements. In addition, we are concerned about how the rules will apply to various types of fiduciary arrangements. Because fiduciary relationships (where the bank is acting as a fiduciary) can vary greatly and there are significant state common law restrictions already in place, Bank of America proposes that the final rule exempt fiduciary relationships from the initial and annual notice requirements. Alternatively, the final rule should limit the disclosure requirements to those beneficiaries who receive notices and statements regarding the fiduciary relationships managed or administered by the bank.

We have expanded on these points, as well as included comments on additional aspects of the proposed ruling, in our attachment (17 pages). We appreciate the opportunity to comment on this very important and far-reaching proposal. If you have any questions on our comment, please contact Kathryn D. Kohler, Assistant General Counsel, at (704) 386-9644 or Ben C. Smith, Senior Vice President, at (336) 805-3588.

Sincerely,



Patrick M. Frawley
Director, Regulatory Relations

Attachment





Table of Contents

Content of Privacy Notices
    Common Policy Statement
    Service Providers
    Affiliates
    Security and Confidentiality

Regulatory Burden and Timing of Effective Date

Customers
    Repeated Isolated Transactions
    Joint Accounts
    Statement Insert
    Fiduciary Relationships

Delivery of Notice
    "Prior To" Standard for Delivery
    Customer Requests for No Mail

Nonpublic Personal Information
    Publicly Available Information
    Personally Identifiable Information
    Financial Information

Other Issues
    Purpose and Scope
    Rules of Construction
    Definitions: Clear and Conspicuous
    Annual Notice
    Form and Method of Opt Out
    Service Providers
    Joint Marketing Agreements
    Exceptions Relating to Transaction Processing
    Other Exceptions
    Limits on Redisclosure
    Limits on Sharing Account Number for Marketing Purposes



Office of the Comptroller of the Currency ("OCC") Docket No. 00-05
Board of Governors of the Federal Reserve System ("Board")
Docket No. R-1058
Federal Deposit Insurance Corporation ("FDIC") RIN 3064-AC32
Office of Thrift Supervision ("OTS") Docket No. 2000-13
(Collectively, the "Agencies")

Bank of America Corporation ("Bank of America") acknowledges and appreciates the difficulty of developing regulations to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act ("GLB Act"), which involves complex issues, and we applaud the Agencies for working together and also working with the U.S. Securities and Exchange Commission and the Federal Trade Commission. This was a large undertaking with a very short time frame and we appreciate the effort to promulgate a consistent set of regulations ("Proposed Rule") that will govern various financial institution competitors. Bank of America encourages the Agencies to continue this effort in order to establish substantially similar final regulations.

Initially, we would like to comment on issues that present the most significant challenges to Bank of America.


Content of Privacy Notices

Common Policy Statement

Bank of America commends the Agencies for recognizing that affiliated financial institutions should have the flexibility to use a common initial privacy notice under Section 503 of the GLB Act. In addition, the Proposed Rule does not prohibit financial institutions from establishing separate privacy policies and delivering separate privacy notices for different categories of consumers, customers or products, so long as each particular consumer or customer receives a notice which is accurate with respect to him or her. Bank of America strongly encourages the Agencies to retain these provisions in the final rule.

In keeping with our current practice, Bank of America would like to develop a single privacy policy and deliver a single privacy notice to all of its customers, regardless of which affiliates or divisions maintain accounts for the customers. Our customers might find it confusing if different privacy policies applied depending on the type of account they have or the subsidiary they are dealing with. Although there may be enhancements to our privacy policy in some units of the company, Bank of America has and will have a comprehensive privacy policy upon which our customers can rely whenever they do business with the Bank of America brand. Consequently, we are concerned that the Proposed Rule requires such a level of detail with respect to the various elements of disclosures required in the privacy notice that it may be impossible to develop, maintain and deliver a single privacy notice to customers. The purpose for requiring the privacy policy notice was to provide customers with an understanding of their financial institution's policies and practices with respect to what information is collected about a customer, what disclosures of information are made to nonaffiliated third parties, and how customer information is safeguarded. A lengthy, detailed notice is unlikely to provide any meaningful benefit to consumers and customers because they are very unlikely to devote the considerable time required to read and understand it.

Service Providers

As we announced last June, Bank of America does not disclose any customer information (nonpublic or otherwise) to nonaffiliated third parties for purposes of marketing their products and services to our customers. Therefore, our primary concern is the level of detail required to describe our disclosure of customer information to service providers acting on our behalf, where customers do not have the right to opt out. The Proposed Rule would require us to thoroughly analyze the thousands of service providers we use in order to categorize them for disclosure purposes. Providing a detailed listing of these categories provides no benefit to customers. Any changes in outsourcing arrangements may require a complete redisclosure, imposing a significant burden on Bank of America, again with little or no benefit to customers.

Clearly Congressional intent is to exempt various common servicing activities under both Sections 502(b)(2) and 502(e) from the notice and opt out rights, allowing financial institutions to continue to outsource various activities. We believe that the Agencies have inappropriately extended to traditional bank outsourcing arrangements the disclosure and confidentiality requirements of 502(b)(2) intended to apply to joint marketing arrangements (which were added to that section when the joint marketing arrangement provision was added). In addition, to require a notice obligation to qualify for the exemption from notice and opt out for service providers creates a "Catch-22." This would mean that we could not hire a service provider to conduct any front-end activities, such as marketing of bank services on our behalf [which is specifically permitted in Section 502(b)(2)], until we had given notice to all possible prospective customers. Because this was clearly not the intent of Congress, the Agencies should not apply the "fully disclose" requirement contained in 502(b)(2) to service providers. It was only intended to apply to joint marketing agreements.

Affiliates

Bank of America is also very concerned about the requirements imposed by the Proposed Rule with respect to disclosures among affiliates. The detailed requirements regarding categories of nonpublic personal information disclosed to affiliates and the categories of affiliates to which it is disclosed are entirely inconsistent with the GLB Act, which addresses disclosures to nonaffiliated third parties. Bank of America disagrees with the Agencies' interpretation of Sections 503(a) and 503(b) with respect to disclosures to affiliates. Section 503(a) contains only the general requirement for a disclosure that includes affiliates due to the reference in 503(b) to the Fair Credit Reporting Act ("FCRA") affiliate sharing disclosure. Section 503(b), which addresses the content of the notice, is clear that the information to be provided under the GLB Act relates only to nonaffiliated third parties. By adding the FCRA affiliate sharing notice to the Section 503 notice, Congress was simply stating that the Section 503 notice would be an appropriate place to provide the FCRA affiliate sharing notice, but we do not believe Congress intended to require additional affiliate sharing disclosures. In any event, requiring both types of disclosures would be very confusing to consumers since the FCRA disclosure addresses "experience" and "nonexperience" information and the GLB Act addresses "nonpublic personal information."

Security and Confidentiality

Bank of America is also concerned that describing our security policies and procedures in the level of detail required by the Proposed Rule would compromise their effectiveness. Further, these safeguards are continuously enhanced as more effective techniques are developed and to address changing threats. The Proposed Rule could require us to redisclose to customers whenever there are significant enhancements to these practices. This would create a huge regulatory burden and serve as a disincentive to enhancement activities. Bank of America urges the Agencies to adopt a final rule which only requires a very high level disclosure on this issue. For example, with respect to the example contained in the Proposed Rule about access to information by employees, we would suggest the following language, taken from Bank of America's Code of Ethics which must be executed by all associates: "...associates are only authorized to access customer information for legitimate business purposes on a need-to-know basis." At most, the final rule should only require disclosing types of limitations on access or types of measures employed by the financial institution to protect information against reasonably anticipated threats or hazards.

In addition, the Agencies must publish the security and confidentiality standards for public comment. If the proposed standards are different from those currently employed by financial institutions, there could be significant costs to implement the standards and further delays needed to do so.

Regulatory Burden and Timing of Effective Date

The Agencies have indicated that they do not believe that the Proposed Rule imposes a significant regulatory burden on financial institutions. Bank of America strongly disagrees with this contention. The Proposed Rule, with the level of detail required and the very limited implementation period, will impose a very significant regulatory burden. The sheer volume of disclosures that Bank of America alone will be required to mail to our existing customers is extremely large. We have estimated that we will produce and mail up to 50 million notices to existing customers at an estimated cost ranging from $2.5 million up to $18 million (initially and annually), depending on the size of the notice and the method of distribution. This figure does not include the costs to fully implement the new requirements or any new state privacy law requirements. In addition, this could have a huge environmental impact, given the sheer volume of the paper required to distribute the lengthy notice to so many customers.

In addition, the very limited six-month time period for implementation is not nearly sufficient to complete the activities required to implement this rule. These activities include, at a minimum, the following: review of, and if necessary, revision to, systems and procedures; development of the privacy policy; training of associates; enhancement of audit and compliance procedures; and the actual preparation and mailing of the disclosures.

This simply cannot be done in a six-month period. As stated in the Proposed Rule, financial institutions will be held responsible for inaccurate notices. It is essential that financial institutions have an adequate opportunity to address all aspects of the new requirements. As the regulatory bodies for financial institutions within the banking field, the Agencies can understand the need to undertake appropriate risk management measures to ensure compliance with the policies being disclosed. While most banking financial institutions have some type of privacy policy in place, the GLB Act and the Proposed Rule will require significant changes.

The Proposed Rule would require Bank of America to mail up to 50 million notices to existing customers by December 13, 2000, which will place an impossible burden on our vendors and the mail systems. Multiply this by the tens of thousands of other financial institutions which will also be required to mail disclosures during this same time period, and the volume will significantly disrupt the operations of the U.S. Postal system. This mailing will also occur primarily during the holiday mailing season, which already taxes the mail delivery system. Finally, consumers will receive this huge volume of lengthy disclosures all within a very short time making it even less likely that they will read and obtain any benefit from the disclosures. On the other hand, if financial institutions have the flexibility to spread out the delivery of these disclosures over a period of 12 months, consumers are much more likely to benefit from the disclosures and compare one financial institution's policies to those of another. A 12-month time period would also alleviate the problem of huge mass mailings every year during the holidays.

Since it is imperative that the final rule provides sufficient time for financial institutions to fully implement the new requirements, Bank of America strongly urges the Agencies to extend the mandatory compliance an additional 12 months (i.e. until November 13, 2001). This would also permit financial institutions to spread out the notices that they must send to existing customers.

Customers

Repeated, Isolated Transactions

Bank of America commends the Agencies for acknowledging that repeated, isolated transactions by consumers should not constitute a customer relationship. In most cases, the financial institution with which such consumers conduct repeated transactions such as cashing payroll checks or using an ATM, would have no information to be able to provide annual notices to such consumers.

Joint Accounts

Bank of America has concerns about who will be treated as a customer for purposes of providing the Section 503 privacy policy notice. Bank of America believes that it is very important that financial institutions have the flexibility to give notices to either (1) any of the joint account holders present or opening the joint account or at the address which they have provided to the financial institution for provision of account statements or (2) individually to each customer. Most financial institutions do not currently have the capability to provide the initial notice or the annual notices to each joint account holder. Systems have not been designed to collect addresses for all joint account holders. Permitting delivery of this notice to any joint account holder is entirely consistent with other notice regulations (Regulations Z, E and DD) which permit the provision of disclosures to one of the joint account holders at the address they have provided to the financial institution. In essence, joint account holders have designated a specific address for receipt of statements and notices and the person(s) at that address would receive it as representative on behalf of the others.

Statement Insert

We also urge the Agencies to make it clear that providing the notice as an insert with an account statement would constitute appropriate delivery. If this is not considered adequate for initial notices (as to current customers) or annual notices, the regulatory burden will be multiplied significantly. Typically, the account statement would be the most significant mailing the customers receive from their financial institutions and has the highest likelihood of being opened and reviewed by customers.

Fiduciary Relationships

Who constitutes a "customer" in a fiduciary relationship, if anyone, is problematic. There is a broad array of fiduciary relationships, many of which do not involve a traditional customer relationship. Many of the beneficiaries of trusts administered by the financial institution do not know that they are beneficiaries, and it would thwart the purposes of the grantor to notify them of that relationship (which may or may not mature into current beneficiary status). It may prove very confusing to such beneficiaries to receive these notices. In many cases, the beneficiaries have no power to remove the trustee. Also, as a practical matter, most financial institutions do not have an automated way to identify such beneficiaries for purposes of providing initial or annual notices. The rights and responsibilities will vary greatly, will change from time to time, and will depend in great part on the specific provisions of the document creating each relationship.

Generally, fiduciaries treat account and beneficiary information as extremely confidential due to their common law duty of confidentiality. In fact, a national bank must apply to the OCC and be approved to function as a fiduciary. Furthermore, state fiduciary laws and common law, together with regulatory examinations and oversight, safeguard the rights and interests of beneficiaries under fiduciary relationships administered by the financial institution. Bank of America encourages the Agencies to promulgate an exception to the initial and annual notice requirements with regard to fiduciary relationships. As an alternative, although less desirable, we recommend that financial institutions only be required to provide these notices to individuals who are obtaining the fiduciary services directly from the financial institution and are receiving statements with respect to fiduciary relationships. This alternative would comply with requirements in governing documents and state law regarding notice of account transactions to customers, and would be more in keeping with the intentions of trust grantors and state legislators.

In addition, there are situations where the bank may be acting either in a depository or fiduciary capacity for someone, who themselves is a fiduciary. For example, if a financial institution acts as the trustee over an employer's retirement plan, the financial institution's customer is the employer, not the individual employees. In that case, while the employees are ultimate beneficiaries, the GLB Act would not govern the entire trust relationship because the "customer" is not obtaining the financial service for a "personal, family or household" purpose. In addition, in a depository context, a "Pay on Death" account (or Totten Trust), where the primary customer has named beneficiaries to receive the proceeds in the account on the death of the account holder, the "customer" is the primary account holder and not the beneficiaries (who typically do not know they are named). Similarly, when the bank holds the depository account for a trustee or guardian, the bank's customer is that trustee or guardian, not the beneficiaries or wards. It would thwart the purposes of those accounts to give notices of this sort to the beneficiaries or wards. In addition, the bank has no direct contact with those beneficiaries or wards. The Agencies should make it clear that in these situations, the individual beneficiaries are not "customers" of the bank under this law.


Delivery of Notice

"Prior To" Standard for Delivery

The Proposed Rule provides that a financial institution must provide the initial privacy notice prior to the time that it establishes a customer relationship. This standard is inconsistent with the statutory language in the GLB Act which specifically provides that the financial institution must provide the notice "at the time of" establishing the customer relationship. However, we commend the Agencies for providing financial institutions with the flexibility of providing their privacy policy notice at the same time a financial institution is required to give other required notices regarding the account (such as the "initial disclosures" required under the Truth in Lending Act or the Truth in Savings Act). In some cases, these other notice requirements provide for delivery of the notice within a brief time after establishment of the relationship (e.g., within 10 days after establishing a deposit account over the telephone under Regulation DD). These various notice requirements serve similar purposes of conveying important information to consumers at the commencement of the relationship. As a further protection, no information regarding the consumer can be disclosed to nonaffiliated third parties until the consumer is given the required notice and the opportunity to opt out. Therefore, the final rule should provide that the standard for providing the notice is "at the time of or within a reasonable time after" establishment of the account and should retain the clarification that providing the notice together with other required disclosures meets this criterion. Such a rule would provide the flexibility needed for situations such as portfolio purchases, accounts opened by telephone, mail or e-mail, or dealer transactions. In addition, it should not be limited to situations where the customer has no choice about the institution with which it will do business. In some of these cases, the customer may have a choice, but there is no direct contact between the customer and the financial institution (such as with a dealer transaction). In each of these situations, there is no capability to provide an immediate written disclosure. With respect to relationships initiated by telephone, the final rule should not require the consent of the customer in order to provide the disclosure after the fact.

Customer Requests for No Mail

The Agencies requested comment on whether and how the Proposed Rule should address situations in which a customer has requested that a financial institution not send statements, notices or other communications to the customer. The final rule should make it clear that customers can essentially "opt out" of receiving the initial Section 503 privacy notice and the annual notices by opting out of receiving any communications from the institution. If the financial institution has been instructed to hold the mail for future pick up, this notice should be treated in the same manner. To provide otherwise could violate the customer's stated confidentiality wishes. In addition, in the event of a bankruptcy, the automatic stay would prevent the bank from mailing many communications to the customer. The final rule should make it clear that if another law prevents communication with the customer, that requirement would supersede our obligation under this law.


Nonpublic Personal Information

Publicly Available Information

The GLB Act provides that "nonpublic personal information" is personally identifiable financial information that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer or is otherwise obtained by a financial institution, but excludes publicly available information. The Proposed Rule suggests two alternatives for the definition of public information, which differ in their treatment of information available from public sources. Under Alternative A, information is public information only if it was actually obtained by the financial institution from a publicly available source (i.e., government records, widely distributed media or government-mandated disclosures). On the other hand, under Alternative B, information is public information if it can be obtained from a publicly available source, even if it was obtained from the customer or other source.

The final rule should adopt the concept expressed in Alternative B. To do otherwise would elevate source over substance and foster factual disputes over the immediate origin of information that, by definition, is available to anyone and everyone. If Alternative A is adopted, financial institutions would incur the unnecessary costs of tracking the actual source of information they hold and would bear the burden of proof that they had not inappropriately disclosed information which is clearly available generally to the public.

The Proposed Rule defines the term "publicly available information" to include information from an Internet site that is available to the general public without requiring a password or similar restriction. Bank of America concurs with this concept, but encourages the Agencies to revise it to make it clear that the requirement to use a password to access a site does not in and of itself prevent a site from being available to the general public. In many cases, a site may require registration to obtain a password, without requiring the payment of a fee or other limitation on access to a site. Such a password requirement does not prevent a site from being available to the general public.

Personally Identifiable Information

The Agencies also invited comment on whether the term "nonpublic personal information" should cover information about a consumer that contains no indicators of a consumer's identity when it is communicated to a nonaffiliated third-party recipient (so-called "depersonalized information"). Under Section 509 of the GLB Act, the term "nonpublic personal information" includes only "personally identifiable financial information." By using the term "personally identifiable," Congress clearly intended to exclude information that contains no indicators of a consumer's identity. There is no policy rationale for including depersonalized information in the term "nonpublic personal information." The GLB Act is designed to protect a consumer's privacy interest with respect to the consumer's financial information. Disclosing depersonalized information cannot compromise a consumer's privacy, because that information, by definition, does not identify any individual consumer.

Financial Information

As mentioned above, the GLB Act defines the term "nonpublic personal information" as personally identifiable financial information obtained by a financial institution about a consumer. The Proposed Rule's interpretation of the term "financial information" is overly broad and is not supported by the statute or its legislative history. As explained in a colloquy between Senator Allard and Senator Gramm on Title V, Congress intended the term "personally identifiable financial information" only to include information that describes a consumer's "financial condition."1 Thus, the final rule should adopt the narrower definition of "financial information" intended by Congress -- that is, only information that describes an individual's "financial condition," such as an individual's assets and liabilities, income, account balances, payment history and overdraft history.

In particular, the mere fact of a customer relationship, without any indication of the nature of the relationship (e.g., deposit account or credit card account), should not be considered "financial information" because it contains no information regarding the consumer's "financial condition." Similarly, the final rule should make clear that mere identification information (e.g., name, address and telephone number) is not "financial information" under the Rule.


Other Issues

In addition to the above issues, Bank of America has comments on the following other issues presented in the Proposed Rule.

Purpose and Scope (Section ___.1)

The Agencies requested comment on whether the final rule should apply to foreign financial institutions that solicit business in the United States but that do not have an office in the United States. Bank of America supports the applicability of the final rule to foreign institutions soliciting business from a consumer in the United States as a means of protecting consumers and ensuring a level playing field.

Rules of Construction (Section ___.2)

Bank of America supports the use of examples in the final rule as helpful in interpreting the rule. However, the final rule should retain the statement contained in the Proposed Rule that the examples are not intended to be exhaustive but rather are to provide guidance about how the rules would apply in specific situations.

Definitions: Clear and Conspicuous (Section ___.3(b))

The Proposed Rule provides a new and very detailed definition of the term "clear and conspicuous." This is a term of art that has been used in many different laws and regulations, including Regulations Z, DD and E, for many years. This term has been interpreted over the years and it is inappropriate to establish a new and inconsistent definition for this same term. The final rule should not contain a definition for "clear and conspicuous."

Annual Notice (Section ___.5)

The Proposed Rule provides that the annual notice requirement contained in the GLB Act requires financial institutions to provide the institution's privacy policy then in effect at least once during any period of twelve consecutive months. Bank of America suggests that the final rule provide additional flexibility in meeting this requirement. We propose that the final rule require that the notice be provided once each calendar year. We acknowledge that such a requirement could theoretically result in disclosures 23 months apart. However, we believe that it meets the annual notice standard contained in the GLB Act, while affording the institution some flexibility to adjust delivery by a few months, to accommodate quarterly statement schedules and otherwise to address unforeseen situations which might require delay of a notice. This rule would also permit financial institutions to reduce peaks in disclosure production and delivery as well as to adjust staffing needs to address customer inquiries prompted by the annual notice deliveries.

Bank of America concurs with the language in the Proposed Rule that establishes the institution's policies as the standard for determining when accounts are deemed to be dormant or inactive. The final rule should retain this standard. In addition, the final rule should make it clear that where either the customer or the financial institution in fact closes an account, the relationship has terminated.

Form and Method of Opt Out (Section ___.8)

As mentioned previously, Bank of America's policy is not to disclose any customer information to nonaffiliated third parties for the purpose of marketing their products and services to our customers. Therefore, we do not expect to provide the notice and opt out required by Section 502. Nevertheless, we urge the Agencies to provide in the final rule that any reasonably accessible means of opt out should be permitted, including toll-free telephone numbers.

Service Providers (Section ___.9)

As discussed above, Bank of America does not believe that the "fully disclose" and contract requirements set forth in Section 502(b)(2) of the GLB Act apply to service providers. In addition, Bank of America believes that the Agencies have further extended the contractual provision beyond anything set forth in the GLB Act by imposing a use limitation. Specifically, even if the confidentiality contract requirement applies to service providers, the requirement relates solely to the maintenance of confidentiality. The provisions of Section 503(c) regarding the limits on reuse pertain only to redisclosure and do not restrict other uses of the nonpublic personal information. Sections ___.9(a) and ___.12 inappropriately impose restrictions on use which are not provided for in the GLB Act.

Joint Marketing Agreements (Section ___.9)

The Agencies should not impose additional requirements on financial institutions with regard to joint marketing arrangements without clear indications that further protections are warranted.

Exceptions Relating to Transaction Processing (Section ___.10)

While the exceptions set forth in Section ___.10 of the Proposed Rule generally appear to be adequate for these common processing situations, Bank of America suggests that the Agencies provide some additional flexibility to accommodate situations in which the financial institution reasonably and in good faith believes that a third party requesting information is acting at the direction or on behalf of the customer. For example, in situations where a customer has passed away, it is common for the customer's attorney to initiate an inquiry of local financial institutions regarding location of safe deposit boxes and accounts prior to appointment of a personal representative. We are not certain that this situation is covered by the exceptions contained in the Proposed Rule.

We strongly recommend that the final rule provide for an exception to permit the disclosure of information in order to comply with the "know your customer," suspicious activity, and currency transaction reporting requirements of the Bank Secrecy Act, as those are interpreted from time to time by the Agencies.

In addition, the final rule should contain a definition of "requested or authorized by the consumer" which would be broad enough to ensure that follow-up transactions arising out of one's status as a security holder would be deemed authorized or requested by the consumer. Examples of such transactions would be proxy mailings that flow from a prior requested transaction, mailing of tender offer requests or other notices to stock or bond holders (whether from the issuer or a third party, such as a class action notice).

Bank of America urges the Agencies to retain all of the exceptions contained in Section ___.10 of the Proposed Rule in the final rule.

Other Exceptions (Section ___.11)

The final Rule should make it clear that co-brand programs are matters of notice and consent, rather than notice and opt out. In such co-brand programs, the relationship agreement itself contemplates that the customer has or will have a relationship with both the financial institution and the co-brand partner, and the benefits program is offered by the co-brand partner in conjunction with the financial services offered by the financial institution, essentially as one product. The sharing of information by the financial institution with the co-brand partner is an integral part of offering that product. As a result, the sharing of information by a financial institution with a co-brand partner should be a matter of notice and consent, rather than notice and opt out. The customer has chosen to participate in this arrangement which necessarily involves use of the information by both the financial institution and the co-brand partner in connection with what is essentially the same customer relationship. Any subsequent opt out by the customer does not affect this account relationship. If the customer wants to terminate consent, he or she can do so by closing the account.

The Agencies have asked for comment on whether safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. The Agencies indicate that such safeguards might include, for instance, a requirement that consent be written or that it be indicated on a separate line in a relevant document or on a distinct Web page. The final rule should provide flexibility with respect to the methods by which financial institutions may obtain consent from a consumer. Specifically, the final rule should not require that a consumer's consent be in writing or indicated on a separate line in a relevant document or on a distinct Web page. Instead, the final rule should only require that the consent provision be presented in a clear and conspicuous manner to the consumer.

Requiring a consumer's consent to be in writing would actually harm consumers as well as financial institutions. In some instances, it may be impossible or impractical for a financial institution to obtain a consumer's consent in writing in a timely fashion. The example in Section ___.11(b) of the Proposed Rule provides that a consumer may specifically consent to a financial institution's disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to the institution for a mortgage so that the insurance company can offer homeowner's insurance to the consumer. However, if oral consent were not acceptable, a consumer who applies for a mortgage over the telephone simply would not have the opportunity to obtain the homeowner's insurance quote in a timely manner, to the detriment of the consumer.

We also urge the Agencies to provide that with respect to compliance with legal process pursuant to Section ___.11(a)(7)(ii), the term "properly authorized" be revised to provide the financial institution the ability to reply to legal process which it, in good faith, believes to have been properly authorized. It is impractical for a financial institution, given the volume of legal process which it may receive and process, to conduct the level of investigation necessary to ensure that in all cases the process is in fact "properly authorized." Clearly, response in accordance with procedures reasonably designed to identify improperly issued process and good faith compliance is an appropriate standard for this exception. We also ask that the "good faith" concept be included in the exceptions relating to other requests related to local or state law or requirements, such as requests for completion of bad check affidavits to aid in prosecution of the drawer of a bad check or for requests from child support enforcement agencies.

Bank of America urges the Agencies to retain all of the exceptions contained in Section ___.11 of the Proposed Rule in the final rule.

Limits on Redisclosure (Section ___.12)

The Agencies have requested comment on the meaning of the word "lawful" in the context of when a service provider is permitted to further disclose nonpublic personal information about a consumer that it has received from a financial institution. Bank of America urges the Agencies to make it clear in the final rule that this requirement does not require the financial institution to separately contract with any sub-contractors of their service provider. Instead, because it is permissible for the financial institution to disclose nonpublic personal information to its service providers, it should be permissible for its service providers to do likewise. In addition, use of the information by the service provider to perform any of the activities described in the exceptions under section ___.10 and Section ___.11 would also constitute "lawful" disclosures.

The Agencies seek comment on whether the final rule should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. While a financial institution may wish to retain the right to audit a service provider, it should not be required to audit the activities of such nonaffiliated third parties, other than to contractually limit redisclosure of the information and enforce those contractual provisions should evidence of a violation arise. A financial institution could not effectively audit each third party to which it might disclose nonpublic personal information to ensure that such parties are complying with their statutory obligations to limit redisclosure of that information, but could enforce contractual obligations should violations occur. In addition, the Agencies retain the authority to review practices of entities acting as service providers to the financial institutions they supervise.

Limits on Sharing Account Number for Marketing Purposes (Section ___.13)

The Proposed Rule should make it clear that a financial institution's provision of account numbers to its agent, processor or service provider that is supplying operational support for the financial institution, including marketing products on behalf of the financial institution itself, is not prohibited under Section 502(d) of the GLB Act. Congress did not intend the Section 502(d) prohibition to restrict the ability of a financial institution to provide account numbers to the institution's agents, processors and other service providers that perform services on the institution's behalf or otherwise assist the institution in servicing its own customers and prospective customers. Instead, Congress intended Section 502(d) to restrict the ability of a financial institution to provide account numbers for a credit card account, deposit account or other transaction account of a consumer to a nonaffiliated third party for use by that nonaffiliated third party in marketing that third party's goods or services. Congress did not intend to interfere with longstanding outsourcing practices of banks and other financial institutions.

However, without a clarification in the final rule that the provision of account numbers by a financial institution to the institution's agents, processors or service providers is not prohibited by Section 502(d), financial institutions may be compelled to discontinue certain routine practices because of the uncertainty surrounding whether such practices are prohibited under Section 502(d). For example, financial institutions often disclose account numbers to a service provider who handles the preparation and distribution of monthly checking account and credit account statements for the institution. In many cases, the institution also directs the service provider to include marketing literature with the statement about a product; in some cases, the account number may be preprinted on the response form to ensure proper account posting. Section 502(d) simply does not apply to this type of practice. First, a financial institution -- in making information available to its processors and service providers engaged in activities on the institution's own behalf -- should not be viewed as "sharing" information with a nonaffiliated third party. Instead, the processor or service provider should be viewed as an extension of the financial institution itself. In addition, for this particular practice, a financial institution would be providing the account numbers to service providers for its own statement and marketing purposes.

The final rule should also make clear that Section 502(d) does not preclude a financial institution from providing an account number of a consumer to a nonaffiliated third party after the consumer has already agreed to use the account to purchase the goods or services being offered. This clarification is consistent with the plain language of Section 502(d), which restricts a financial institution only from providing an account number for a credit card account, deposit account or transaction account of a consumer to any nonaffiliated third party "for use in" telemarketing, direct mail marketing or other marketing through electronic mail to the consumer. Once a consumer has decided to purchase the good or service being marketed, the marketing has concluded, and the disclosure of the account number to complete that purchase is not a disclosure "for use in" marketing. Nonetheless, because it may not always be clear when the marketing activities have concluded, the final Rule should state this expressly.

The final rule should also specify that a financial institution may provide an account number to a nonaffiliated third party for use in marketing to the consumer, if the financial institution has obtained the consumer's prior consent to provide that information to that nonaffiliated third-party marketer. This is particularly important in the case of co-branded credit or debit card programs. Often the account number is shared in order to ensure accuracy. In addition, various marketing programs may be associated with these card programs. As discussed above, the sharing of information by a financial institution with a co-brand partner, including account numbers, should be a matter of notice and consent. The consumer has chosen to participate in this arrangement which necessarily involves use of the information by both the financial institution and the co-brand partner. The final rule should make it clear that the term "account number or similar form of access number or access code" does not include an account number or other similar number, so long as that number is encrypted when provided to the nonaffiliated third-party marketer and the nonaffiliated third-party marketer is not given the information or device needed to decode or unscramble the encrypted number. In addition, the final rule should clarify that the term "account number or similar form of access number or access code" does not include a so-called reference number used by the financial institution to identify a particular account holder, including a partial or truncated account number, provided the reference number cannot be used by the recipient nonaffiliated third-party marketer to post a charge or debit against the particular account. Such an interpretation is consistent with the purpose of this prohibition, which is to protect against the initiation of unauthorized transactions to the customer's account. Because the nonaffiliated third party does not have the ability to decode the account number that is encrypted or does not have the entire account number, it could not initiate a transaction to the customer's account.
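The reference-number approach described above (a number that identifies the account holder to the bank but cannot be used by the marketer to post a charge) is illustrated by the following added example. It is not part of the letter and is not Bank of America code; the class name, partner identifiers, account numbers and keys are constructed for illustration. It uses keyed hashing (HMAC-SHA256) with a bank-held, per-partner key rather than reversible encryption, so the marketer receives nothing that can be decoded even in principle, and the bank alone maps a reference back to the account through a table it keeps.

```python
"""Bank-side issuance of per-partner reference numbers for account holders.

Added example (not from the letter). The partner receives a fixed-length
decimal reference derived as HMAC-SHA256(partner_key, account_number); it
never sees partner_key, so it can neither recover the account number nor
forge a reference, and the reference is not accepted for posting a charge.
Using a distinct key per partner also means the same account yields
different references for different partners, so two marketers cannot link
their files on the reference alone. All values below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class ReferenceNumberService:
    """Hypothetical bank-internal service; not a real product or API."""

    REF_DIGITS = 16  # render references as 16-digit decimal strings

    def __init__(self) -> None:
        self._partner_keys: Dict[str, bytes] = {}
        # Reverse map held only by the bank: (partner, reference) -> account
        self._lookup: Dict[Tuple[str, str], str] = {}

    def register_partner(self, partner_id: str) -> None:
        """Generate a fresh 256-bit key for this partner; the key stays at the bank."""
        self._partner_keys[partner_id] = secrets.token_bytes(32)

    def reference_for(self, partner_id: str, account_number: str) -> str:
        """Deterministic per-partner reference: same account -> same reference
        for one partner, different references across partners."""
        key = self._partner_keys[partner_id]
        digest = hmac.new(key, account_number.encode(), hashlib.sha256).digest()
        # Take 64 bits of the MAC and format as a fixed-width decimal string.
        ref = str(int.from_bytes(digest[:8], "big")).zfill(self.REF_DIGITS)[-self.REF_DIGITS:]
        self._lookup[(partner_id, ref)] = account_number
        return ref

    def resolve(self, partner_id: str, ref: str) -> Optional[str]:
        """Bank-only step: map a partner's reference back to the real account.
        A reference issued to one partner does not resolve for another."""
        return self._lookup.get((partner_id, ref))


def masked_display(account_number: str) -> str:
    """Truncated form suitable for a printed response form: last four digits only."""
    return "*" * (len(account_number) - 4) + account_number[-4:]


def partner_can_post_charge(presented: str, account_number: str) -> bool:
    """Simulated posting check: a charge or debit posts only if the identifier
    presented is the complete account number. References and truncated
    numbers therefore cannot initiate a transaction."""
    return presented == account_number


if __name__ == "__main__":
    svc = ReferenceNumberService()
    svc.register_partner("cobrand-a")
    svc.register_partner("cobrand-b")
    acct = "4000123412341234"  # constructed test value, not a real account
    ref_a = svc.reference_for("cobrand-a", acct)
    ref_b = svc.reference_for("cobrand-b", acct)
    print("partner A sees:", ref_a, masked_display(acct))
    print("partner B sees:", ref_b, masked_display(acct))
    print("bank resolves A's reference to:", svc.resolve("cobrand-a", ref_a))
    print("can partner A post a charge with the reference?",
          partner_can_post_charge(ref_a, acct))
```

Two practical points follow from this design. A reversible encryption of the account number, as the letter also contemplates, gives the same protection only as long as the key and decryption capability never reach the marketer; the keyed-hash form removes that dependency entirely, because there is nothing to decrypt. Second, the bank's reverse-lookup table is now the sensitive asset, since it is the only path from a reference back to an account, and it needs the same access controls as the account numbers themselves.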


Footnote
1 145 Cong. Rec. S13,902-03 (daily ed. November 4, 1999)