ELECTRONIC FUNDS TRANSFER ASSOCIATION
950 Herndon Parkway, Suite 390
Herndon, Virginia 20170
Phone: (703) 435-9800 · Fax: (703) 435-7157
http://www.efta.org
March 31, 2000
| Jennifer J. Johnson
Secretary Board of Governors of the Federal Reserve System 20th Street and Constitution Avenue, N.W. Washington, D.C. 20551 Attn: Docket No. R-1058 E-mail: regs.comments@federalreserve.gov |
Secretary
Federal Trade Commission Room H-159 600 Pennsylvania Avenue, N.W. Washington, D.C. 20580 Re: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 - Comment E-mail: GLBRule@ftc.gov |
|
Jonathan G. Katz, Secretary
|
Communications Division
|
|
Robert E. Feldman
|
Manager
|
|
Becky Baker
|
Re: Gramm-Leach-Bliley Act: Comments on Proposed Privacy Regulations
Ladies and Gentlemen:
This comment letter is submitted on behalf of the members of the Electronic Funds Transfer Association ("EFTA") in response to the proposed rules to implement Title V ("Title V") of the Gramm-Leach-Bliley Act (the "Act" or the "GLB Act"),
published for comment on various dates in the Federal Register by the Board of Governors of the Federal Reserve System ("FRB"), the Office of the Comptroller of the Currency ("OCC"), the Federal Deposit Insurance Corporation ("FDIC"), the Office of Thrift Supervision ("OTS"), the Securities and Exchange Commission ("SEC"), the Federal Trade Commission ("FTC") and the National Credit Union Administration ("NCUA") (the FRB, OCC, FDIC and OTS are collectively referred to as the "Banking Agencies;" the SEC, FTC and NCUA, combined with the Banking Agencies, are collectively referred to as the "Agencies").
EFTA is the nation's leading non-profit, inter-industry trade association dedicated to the advancement of electronic payment systems and electronic commerce. The Association's nearly 900 members represent a broad spectrum of perspectives that engender accurate and effective analysis of electronic payments and electronic commerce issues. Members include the nation's leading financial institutions, electronic payments networks, card associations, retailers, information processors, equipment, card and software manufacturers and vendors, Internet providers, telecommunications companies, state governments, and Federal agencies. A list of EFTA Board Members is attached. Each of the Agencies will have jurisdiction under the Act over one or more EFTA members. Please note that none of the government members of EFTA were involved in the development of this comment letter.
After initially addressing the proposed effective date, this letter addresses issues in the order in which they are addressed in the proposals. Because each Agency will assign a different part to its final rule, we have included citations to sections of the proposals only, leaving citations to part numbers blank.
I.§_.16: Effective Date
Each Agency has proposed that the final rules take effect on November 13, 2000, the earliest date permitted by the Act. The Act clearly authorizes the Agencies to delay the effective date, and each Agency has invited comment as to whether the effective date should be delayed for more than six months after issuance of the final rules. For the reasons stated below, we strongly urge the Agencies to delay the effective date to November 13, 2001, or at least to a date after January 1, 2001. We also request that covered financial institutions ("FIs") be permitted to stagger the mailing to initial customers over a time period greater than 30 days.
Difficulty of Implementing the Rules in Six Months. Preliminary feedback from EFTA members indicates that virtually every member FI will have to make significant computer system changes in order to implement an opt-out procedure. Even FIs that will not have to implement an opt-out procedure, either because they do not share information with nonaffiliates or because they share information with nonaffiliates only pursuant to one of the Act's exceptions to the opt-out procedure, will have to invest substantial resources to draft and disseminate the required privacy policy. Finally, the cost of the initial mailing alone could be in the tens of millions of dollars for some FIs; FIs will need more than six months to be able to budget an unexpected cost of that size. As discussed below, we believe there are important questions that have not yet been answered by the proposals, and thus the final rules may be quite different from the proposals; thus, FIs will not be able to begin full-scale implementation of the required changes until after the final rules have been issued. Few EFTA members believe they will be able to analyze and understand the final rules and implement the necessary systems changes in a six-month timeframe. A more realistic timeframe would be eighteen months from the date of issuance of the final rules.
Difficulty of Mailing to All Existing Customers in a 30-Day Period. Especially for large FIs, issuing a mailing to every one of its existing customers - who can measure literally in the millions -- in a 30-day time period will be extremely burdensome, regardless of the time of year. Preliminary feedback from EFTA members indicates that most members may need up to 90 days to successfully complete a mailing of this size. Even for small FIs, a mailing to its entire customer base will be quite large for those institutions in relative terms.
Difficulty of Producing a Large Mailing at Year-end. Even if the Agencies choose not to increase the timeframe for implementation of the final rules, we strongly urge the Agencies to consider delaying the effective date until after the year-end mailing season. Under the proposals, FIs will be required to mail initial notices to existing customers no later than 30 days after the effective date, or by December 13, 2000. To require such a mailing just as FIs are preparing year-end reports and tax-related forms would add an even greater burden. Consumers are typically deluged with catalogs, year-end statements, tax forms and holiday cards during December and January; to add the initial notice to that mix could cause consumers to disregard this very important mailing. Finally, some FIs are concerned as to the ability of their local post offices or mailing houses to be able to absorb a mailing of this size in December.
II. §_.1: Purpose and Scope
Foreign Financial Institutions. The Banking Agencies have requested comment on whether the rules should apply to foreign financial institutions that solicit business in the United States but do not have an office in the United States. The EFTA strongly believes that the rules should apply to any FI soliciting business in the US, whether or not the FI has a physical office located here. Particularly with the growth of the Internet, a foreign institution without a physical presence here can still exert influence over US customers. Indeed, depending upon how onerous the requirements become for foreign institutions, it may become desirable to give up a physical presence in the US. The applicability of the final rules only to "consumers" and "customers" will keep such a requirement from negatively affecting foreign FIs that do not conduct a retail business in this country. In addition, other applicable laws - such as the International Banking Act and the FRB's Regulation K - may preclude a foreign FI from conducting business in this country without a physical presence. However, the EFTA believes the rules should make distinctions based on the activities of the FIs (e.g., whether they deal with "consumers"), rather than on whether they have a physical presence in a particular geography.
Providing a loophole for foreign FIs soliciting the business of US customers but not actually located here would also be particularly unfair to US FIs in light of the effect and application of the European Union's Directive regarding data protection. Under that Directive, European companies have been prohibited from sharing information with a US entity - regardless of any affiliation between the US and European entities - on the grounds that US privacy laws did not meet the European standard.
Non-FIs. The EFTA supports the FTC's provision limiting the reuse and redisclosure by "other persons" who are not FIs but receive Protected Information from FIs. Such a restriction places FIs on the same competitive level as all other entities with regard to Protected Information, and continues to protect individuals with regard to such information even after it has been lawfully shared by an FI.
Scope of FTC Jurisdiction. The GLB Act reserves for the FTC jurisdiction over any FI "or other person" not subject to the jurisdiction of any other agency or authority specified in the Act; the FTC's authority is to enforce the Act under the Federal Trade Commission Act (the "FTC Act"). GLB Act §505(a)(7). We strongly urge the FTC to clarify in the final rule that FIs may be non-profit entities as well as for-profit. Colleges and universities, for example, are non-profit entities, but may extend student loans to their students and, in some cases, to parents of students. The same intensely personal information that a prospective borrower must provide to a bank must also be provided to a lending school. Indeed, in many instances, the school's loan application may be combined with a financial aid application that requires significantly more personal information then required by any bank loan application - including identification of the student's siblings, along with their ages. Non-profit lenders should be required to maintain the same level of confidentiality for such information as for-profit lenders.
III. §_.2: Rule of Construction
The Act requires each final rule to be "consistent and comparable," to the extent possible, with the rules of the other Agencies. GLB Act § 504(a)(2). Each proposal, except for the SEC's, provides a safe harbor for compliance with the examples in each proposal: "Compliance with an example, to the extent applicable, constitutes compliance with this part." The SEC's proposal, however, states, "The examples in this part provide guidance concerning the rule's application in ordinary circumstances. The facts and circumstances of each individual situation, however, will determine whether compliance with an example constitutes compliance with the applicable rule." The effect of each statement would appear to be the same, since the "safe harbor" will apply only "to the extent applicable;" that appears to be the same concept as the SEC's restriction regarding the "facts and circumstances of each individual situation." We request, therefore, that the rule of construction be the same in each final rule, and that the SEC's final rule, therefore, be modified to clarify that compliance with an example, to the extent that the facts and circumstances of the example apply to the individual situation, will be deemed to be compliance with the SEC's final rule.
IV. §_.3: Definitions
"Clear and Conspicuous."
Length of Disclosures. We address below the information to be included in the various notices required under the Act, as well as the relationship between the proposals and the FCRA. As discussed in those sections, the required disclosures for some FIs may be quite lengthy. We request, therefore, that each Agency modify its proposal to clarify that length of a disclosure, provided it relates solely to the collection, disclosure and maintenance of a consumer's nonpublic personal information, in and of itself, will not affect the "clear and conspicuous" nature of that disclosure.
Plain Language Requirements. Each proposal includes examples of how an FI may make a notice clear and conspicuous. The wording used, however, appears to make every example listed mandatory, rather than suggestions for FIs to elect as appropriate. We are quite concerned that including the examples as provided in the proposals will expose FIs to lawsuits based on a technical violation of the examples, regardless of whether the notice otherwise meets the "clear and conspicuous" definition.
"Control."
Flexible Standard. The Banking Agencies, the NCUA and the FTC have used the tests in Section 23A of the Federal Reserve Act to define "control," so that, under those proposals, a company controls, is controlled by or is under common control with another (and thus is an "affiliate" of the other) when there is 25% ownership or otherwise a controlling influence over the company. The SEC's proposal includes a more flexible definition, so that 25% ownership (or lack thereof) only creates a presumption of control (or noncontrol), rather than conclusively determines it. The EFTA requests that the SEC definition of "control" be used in each final rule.
Service Organizations. The NCUA invited comment as to whether it should define "control" in its final rule to deem any credit union service organization ("CUSO") that is 100% owned by credit unions to be controlled by, and thus an affiliate of, each credit union, regardless of the individual ownership percentages. Such a definition would permit each credit union to share information with the CUSO without regard to the Act.
Banks may own bank service corporations in a manner and for purposes similar to CUSOs. We request, therefore, that the final rules of the Banking Agencies be modified to provide a consistent and comparable rule that bank service corporations that are 100% owned by banks are "controlled" by, and thus affiliates of, each bank owner without regard to ownership percentages.
"Customer."
Servicing. The Banking Agencies and the FTC included in their proposals examples of "customer" that would cover a borrower if the FI merely retains the servicing rights to a loan that it sold to another company. Extending coverage of the Act to servicers seems to be at odds with the Act's exemption for the transfer of information to the servicer of a loan. GLB Act §502(d)(1)(a).
List of Respondents. The SEC's proposal would exempt from the definition of "customer" people who provide only their names, addresses and areas of investment interest in order to obtain prospectuses, investment adviser brochures or other information to be sent to them (e.g., over the Internet, or by returning a magazine "tear-out" card). We believe this is a reasonable interpretation of the Act, and request that each Agency's final rule include this clarification as an example.
"Customer Relationship."
Clarification of Exclusion of Electronic Fund Transfers. EFTA members are significantly engaged in the business of electronic fund transfers ("EFTs") - whether through automated teller machines, point of sale terminals or other means. A typical EFT requires the participation of a number of unrelated entities: the consumer's FI; the owner/operator of the ATM or POS terminal; the switch; and a local, regional, national or international network. We request that the final rules clarify that the initiation of an EFT, including a deposit, does not create a customer relationship between the individual initiating the transaction and the parties involved in completing the EFT (apart from the consumer's account holder).
Location of Definition of Terminated Relationships. Each proposal provides that the annual notice, discussed below, need not be provided to customers with whom the FI no longer has a continuing relationship; however, the discussion regarding when a consumer relationship has been terminated appears in the provision regarding the annual notice. That placement reflects the order of the Act, but we suggest that the discussion regarding the termination of the customer relationship would be clearer if it were moved to the definition of "customer relationship," with terminated relationships excluded from the definition of "customer relationship."
Definition of Terminated Relationships. Each proposal includes various examples for when a customer relationship has been terminated. Furthermore, each agency except the SEC has proposed that a lack of communication for 12 consecutive months would permit an FI to deem the customer relationship terminated. We support such a flexible standard. The Banking Agencies, however, have requested comment on whether the applicable standard should be state law. We strongly oppose tying this determination to state law. Such a requirement would unduly hamper the operations of FIs operating across state lines. Furthermore, it is not always clear which state would control; for example, many banking institutions export the law of one state when lending in another.
Clarification of Effect of Repeated but Isolated Transactions. The Supplementary Information to the Banking Agencies' joint proposal and the FTC's proposal states, "A consumer would not necessarily become a customer simply by repeatedly engaging in isolated transactions, such as withdrawing funds at regular intervals from an ATM owned by an institution with whom the consumer has no account." (Emphasis added.) The example provided in the final rule, however, notes only that a consumer does not become a customer "if [t]he consumer only obtains a financial product or service in an isolated transaction ...." (Emphasis added). We believe the concept that repeated but isolated transactions such as ATM withdrawals do not create a customer relationship is important enough to include in the examples used in the final rule, and request that the final rules include that clarification.
Former Customers. The proposals are silent as to the treatment of individuals who ceased to be a customer before the Act took effect. We request that the final rules clarify that such individuals are considered to be terminated customers if the FI's policies would have deemed them to be such prior to the effective date of the Act.
"Financial Institution." The FTC's final rule will determine the true scope of Title V, since it is the rule that will determine which companies that are not traditionally thought of as "financial" will be covered by the Act. The FTC's proposal would include only companies "significantly engaged" in financial activities, and requests comment as to whether "significantly engaged" should be defined in the final rule. We support the requirement that a company have more than a de minimis involvement in financial activities before being covered by Title V, and request that "significantly engaged" be defined in the final rule, to provide clear guidance, with the test based on the percentage of a company's gross revenues attributable to financial activities. Furthermore, we suggest that the FTC include the examples it provided in the supplementary information to its proposal as part of the final rule.
However, we strongly urge the FTC to provide additional guidance as to what companies will be deemed to be FIs. Anecdotal evidence suggests that very few unregulated entities are certain as to whether they are covered by the Act or not.
"Nonpublic Personal Information," "Personally Identifiable Financial Information," and "Publicly Available Information." Because the Act defines "nonpublic personal information" to include "personally identifiable financial information" (not defined in the Act) and exclude "publicly available information" (also not defined in the Act), we have treated the three terms as a group.
The FTC, OCC, OTS and FDIC proposed two alternative definitions for these terms. The NCUA proposed only what the other agencies identified as "Alternative A." The FRB proposed only what the other agencies identified as "Alternative B," and the SEC proposed only a modified version of "Alternative B." We support the SEC's definition, further modified as discussed below, and request that each final rule use the SEC's proposed definition, further modified as discussed below.
Personally Identifiable Financial Information. This term is used, but not defined, in the Act to in turn help define "nonpublic personal information." Each Agency has defined this term to include all personally identifiable information as "financial" if it is obtained by an FI in connection with providing a financial product or service to a customer, regardless of whether it is information that is intrinsically financial; for example, health information obtained in connection with the underwriting of insurance (a financial product or service) would be deemed to be personally identifiable financial information, and thus restricted by Title V. We believe this is a far broader definition than the plain language of Title V can support. Congress intentionally used this term to limit the restrictions on "nonpublic personal information" only to financial information. Expanding the definition of this term to include non-financial information would violate Congress's intent, as clearly evidenced by the plain meaning of the words it used in drafting the statute, to limit the application of Title V's restrictions to information that is intrinsically financial.
The broad definition proposed by the Agencies would include customer lists of FIs. Such a restriction would place FIs at an enormous competitive disadvantage with regard to non-FIs, particularly consumer reporting agencies. Such a disadvantage would be completely at odds with the intent of the remaining provisions of the Act, which repeal artificial restrictions on the ability of FIs to compete with non-FIs. The ability of FIs to share customer lists with nonaffiliated third parties, beyond the circumstances set forth in Section 502(e) of the Act, is a crucial component of their ability to take advantage of their new powers granted by the remainder of the Act. Furthermore, when combined with the FTC's proposed limitation of "financial institution" to those "significantly engaged" in financial activities, this broad definition would create the anomalous situation that lists of customers seeking non-financial services or products from entities "significantly engaged" in financial activities would be restricted, but lists of customers seeking financial services or products from entities not otherwise engaged in financial activities would not be restricted. In addition, consumer reporting agencies would be permitted to gather and disseminate lists of customers of particular FIs without providing the consumers the opportunity of opting out of such lists, even though the particular FIs could not provide those lists themselves.
Publicly Available Information. "Alternative A" as proposed by most of the Agencies would deem information to be "publicly available" (and thus not restricted) only if the FI actually obtained it from a public source (as defined in the proposals). "Alternative B," as proposed by each Agency except the SEC, would deem information that could lawfully be obtained from a public source to be "publicly available," regardless of whether the FI actually obtained it from such a source. The SEC's proposal would deem information that the FI reasonably believes lawfully could be obtained from a public source. We believe that the SEC's proposal is the only workable definition of "publicly available information," and should be adopted in each final rule.
Alternative A does not protect information provided to an FI by a consumer; rather, it protects only information that is not publicly available, regardless of how the FI obtains it. Thus, an FI could reconfirm all information it received regarding a consumer through public sources, thereby converting protected information to publicly available information. Alternative A, therefore, would only impose an additional cost on FIs, without providing any additional protection to consumers. The SEC's Alternative B recognizes this reality by covering information that the FI reasonably believes is publicly available, without requiring FIs to take the merely mechanical step of reconfirming the availability of the information.
Furthermore, we request that the final rules clarify that FIs may reasonably believe that certain basic categories of information - such as name, address, telephone number, real property ownership, mortgage lender and mortgage amount - are publicly available.
V. § _.6: Content of Initial and Annual Notices
Disclosure Categories. We generally support the Agencies' proposals regarding the content of the initial and annual notices to the extent they permit the disclosure of information collected and shared and parties with whom the information is shared by disclosing general categories. However, we believe the examples used in the proposals inadvertently restrict the ability of FIs to provide meaningful disclosure of those categories by limiting the categories that may be used. We request, therefore, that the examples permit FIs to disclose the information required by using any meaningful category, such as type of information or entity, content of information collected or disclosed, source of information, or any other category that would provide a meaningful explanation to the consumer. Such flexibility would enable each FI to tailor the disclosures as necessary to its operations or its customer base, without requiring the final rules to be unduly lengthy or detailed.
Length of Disclosure. Preliminary feedback from EFTA members indicates that the disclosure of many FIs, including just the items that are mandatory under the Act and proposed rules, will require multiple pages. In addition to the mandatory items, many FIs feel that additional information should be included in the disclosures to ensure that the disclosure is meaningful to the consumer. For example, many FIs will want to include examples regarding the type of information collected or entities to whom it may be shared. Furthermore, many FIs will want to include an explanation of the benefits consumers may obtain by not opting out. We request that the Agencies include in the final rules a clarification that length alone will not cause a disclosure to violate the "clear and conspicuous" requirement, provided the disclosure exclusively concerns the collection, maintenance and disclosure of nonpublic personal information.
Description of Exempted Nonaffiliates. Sections 502(b)(2) and 502(e) set forth circumstances where an FI may disclose consumer information to nonaffiliated third parties without having to provide the consumer an opportunity to opt out. Each proposal states that when describing nonaffiliated third parties subject to such exceptions, the FI need only state it is making disclosures as permitted by law. We request that each final rule clarify that an FI complies with that requirement merely by using the language stated - e.g., "We make may disclose information to other nonaffiliated third parties as permitted by law," and no further explanation is required for such categories.
Future Disclosures. Each proposal states that the initial and annual notices may include categories of information and nonaffiliates reflecting collection or disclosure the FI does not currently make but may in the future make. We request that the final rules clarify that once such a disclosure is made, where the FI reserves the right to undertake such collection or disclose such information in the future, the FI need not notify consumers once that collection or disclosure is initiated by the FI.
Inclusion of the FCRA Affiliate-sharing Opt-out Notice. Section 503(b)(4) of the Act requires the initial and annual notices to include "the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act." (Emphasis added). The cited section of the FCRA requires a company to provide an opt-out opportunity to consumers before sharing certain information with affiliates. There is no requirement in FCRA that the affiliate opt-out be given more than once (although the consumer apparently has the right to opt-out at any time after being provided the initial notice). The proposals, however, appear to require that the FCRA opt-out notice be included in every initial and annual Title V notice. We believe that such an interpretation goes beyond Congress's intent, and is in direct contravention of Congress's clear direction that "Except for the amendments [that specifically amend the FCRA], nothing in [Title V] shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act . . . ." GLB Act § 506(c). The "if any" language highlighted above should instead be read to mean that the FCRA affiliate opt-out should be included in a notice only if the FI needs to provide such notice to begin sharing certain information among affiliates. We request that the final rules clarify that the FCRA affiliate opt out need not be provided more than once.
VI. § _.4: Timing of Initial Notice
"At the Time of Establishing a Customer Relationship." The Act states that the initial notice must be provided "[a]t the time of establishing a customer relationship," GLB Act § 503(a), while the proposals state that the initial notice must be provided "prior to the time" the customer relationship is established. The difference in wording can create a significant operational problem for FIs. We request, therefore, that the final rules be modified to reflect the statutory language.
Additional Flexibility to Reflect Actual Transactional Flow. The Agencies have invited comment as to whether there are situations in addition to those included in the proposals where it is not practicable for the FI to provide a notice prior to establishing the customer relationship. We request that the final rules provide that general rule, and then include the situations set forth in the proposals merely as examples of the general rule, rather than limiting the general rule to those applications.
Combining the Initial Notice with Other Required Disclosures. The Supplementary Information to each proposal states that an FI may provide the initial notice "at the same time a financial institution is required to give other notices . . . ." The proposed rules, however, do not include that statement. We believe this is a critically important clarification regarding the timing of the notice, and request that it be included in the examples used in each final rule.
VII. § _.8: Form and Method of Opt-Out
Existing Customers. The proposals neglect to address the situation regarding an existing customer of an FI, who has already received at least the initial notice, and then obtains an additional product or service from the FI. We do not believe that Congress intended for consumers to be inundated with paper. Furthermore, repeated notices may confuse the consumer as to whether a prior opt-out is effective, or whether there has been a change in the institution's policy. We request, therefore, that the final rules provide that the initial notice need be provided to a customer by an FI only once, regardless of the number of relationships that customer may establish with a particular FI.
Consumer's Own Letter. The proposals state that requiring the consumer to write his or her own letter to opt-out of nonaffiliate-sharing is not an acceptable means of offering an opt out to consumers. For the reasons stated below, we request that this prohibition be deleted from the final rules. Congress had the opportunity to require FIs to follow an "opt-in" process, where consumer financial information could not be shared unless the consumer specifically authorizes the sharing. Congress chose, however, the opt-out process, where information can be shared unless a consumer specifically prohibits the sharing. In choosing an opt-out process over an opt-in process, Congress recognized that most consumers appreciate the convenience of product solicitations closely targeted to each consumer's interests. Congress also recognized that the additional costs and burdens of an opt-in are outweighed by any benefits of such a procedure. The proposals, however, would require that FIs provide a postage-paid return postcard or other option for a consumer to opt-out under Title V. Such a requirement would impose on FIs a cost almost as high as an opt-in procedure. That requirement also implicitly assumes that most consumers will want to opt-out, an assumption that was rejected by Congress when it chose the opt-out process. The proposals would require such an opt-out method not only in the initial notice, but with every annual notice. This would provide a prohibitively high cost on FIs.
Many FIs have already instituted an opt-out process for sharing certain consumer information among affiliates pursuant to the FCRA. Almost without exception, FIs who have established an opt-out process under the FCRA require the consumer to write his or her own letter to opt-out of the affiliate-sharing. Anecdotal evidence indicates that many consumers have elected to opt-out of such information-sharing, even when required to write a letter. Thus, it does not appear that the letter-writing requirement creates any true obstacles for those wishing to opt-out.
Prior to the enactment of Title V, no agency was permitted to issue regulations implementing the FCRA. Title V amended the FCRA to permit certain agencies to issue FCRA regulations for institutions under the jurisdiction of those agencies. We strongly urge the Agencies, when considering subsequent FCRA regulations, to make any such regulations conform as closely as possible to the final Title V rules, so as to avoid any contradictory rules regarding information disclosure. To that extent, we note that implementing a final rule under Title V that prohibits FIs from requiring a consumer to write a letter to opt-out of information-sharing will create two significant issues for FIs with regard to the FCRA: first, FIs will be required to implement a more burdensome and costly procedure than non-FIs to share consumer information, thus creating a competitive disadvantage for FIs; second, such a rule will cast doubt on the validity of the opt-out procedures that have been in place for over a year for many FIs.
Permitting Telephone Opt Outs. We believe that permitting the opt out to be made through a toll-free telephone number established by the FI would provide an efficient process, for both the FI and the consumer. The response time for a telephone opt would, presumably, be significantly shorter than for a postal opt out. We request that the final rules permit a toll-free telephone number as a permissible method of opting out, with a correspondingly shorter response time, such as 15 calendar days.
Subsequent Notices to Customers After Opting Out. By opting out of information-sharing, a consumer implicitly has indicated a preference for receiving less mail. Therefore, sending those consumers a reminder every year of a right they have already exercised is illogical, contrary to the customer's direction, and potentially confusing. We request, therefore, that the final rules provide that the annual notice need not be sent to customers who have already submitted a complete opt-out notice.
VIII. § _.9: Exception for Service Providers and Joint Marketing
Pre-existing Contracts. The Act permits FIs to share information with nonaffiliated third parties that uses the information to perform services for, or functions on behalf of, the FI, provided the FI fully discloses that arrangement to consumers and the third party is contractually required to maintain the confidentiality of the information. The proposals are silent regarding contracts between FIs and such third parties that pre-exist the enactment of Title V. In the experience of EFTA's members, many contracts of that type are originally written for a one-year or other short-term duration, with the contract then continually renewing until either party cancels. Thus, it is unusual for FIs to re-negotiate such contracts. Re-negotiation of such a contract frequently is an invitation for the service provider to increase its prices; thus, FIs are understandably reluctant to re-negotiate existing contracts to insert a confidentiality requirement that specifically refers to Title V. We request, therefore, that the final rules provide an exemption from the contractual confidentiality requirement for contracts that pre-existed the enactment of Title V.
IX. § _.13: Limits on Sharing Account Number Information
Section 502(d) of the Act prohibits the sharing of account numbers or similar forms of account access numbers or codes with third parties. Each proposal invited comment as to whether there should be any exceptions to such a requirement. We request that the final rules provide an exemption for truncated account numbers to be shared.
We appreciate the opportunity to comment on these proposals.
Very truly yours,
/s/ H. Kurt Helwig
H. Kurt Helwig
Executive Director
::ODMA\PCDOCS\DOCSC\854900\4
| Robert Albin
Chief Operating Officer Western Union North America/FDC Treasurer, EFTA |
Dale Dentlinger
Senior Vice President, Consumer Network Svcs. EDS |
| Nandita Bakhshi
Senior Vice President Fleet Financial Group |
Eugene DeSilva
Vice President, Network Services American Express |
| Lynne Barr
Partner Goodwin, Procter, & Hoar, LLP Secretary, EFTA |
Alfred Dominick
President & Chief Executive Officer InteliData |
| Brian Bates
Vice President - POS Division Transaction Network Services, Inc. |
Henry Friedman
Director, Product Mktg. EFT Services BISYS |
| James L. Brown
Professor, Center for Consumer Affairs University of Wisconsin-Milwaukee |
Kiran Gandhi
Vice President, Business Development Mag-Tek Inc. |
| Ernest Burdette
President & Chief Executive Officer Triton Systems, Inc. |
Judith A. Hartlieb
Vice President Applied Communications, Inc. |
| Art Burger
President Burger, Carroll & Associates, Inc. |
James Hayes
Executive Vice President & General Counsel Cash Station, Inc. |
| Kenneth R. Chrisman
Executive Vice President Wells Fargo Bank |
H. Kurt Helwig
Executive Director Electronic Funds Transfer Association |
| Ronald V. Congemi
President & Chief Executive Officer STAR System, Inc. |
Michael Hudson
Executive Vice President Tidel Engineering, Inc. |
| Frank D'Angelo
Senior Vice President & General Manager, EFT Services M&I Data Services |
William C. Hussey
Chairman & Chief Executive Officer Touch Technology, Inc. |
| Matthew P. Lawlor
Chairman & Chief Executive Officer Online Resources & Communications Corporation |
Gary S. Roboff
Senior Vice President Chase Manhattan Bank |
| Dennis F. Lynch
President & Chief Executive Officer NYCE Corporation |
Jerry Rosenthal
Director, CMA Marketing Merrill Lynch |
| Richard G. Lyons, Jr.
Senior Vice President, Electronic Banking & Marketing Comerica Bank |
Paul Schmelzer
Executive Vice President STAR System, Inc. |
| John MacAllister
Executive Vice President Benton International, Inc. |
Jeffrey Schumacher
Vice President, Product Management/Marketing Associates Commerce Solutions |
| Mark E. MacKenzie
President Citicorp Services Inc. Chairman, EFTA |
Roy Shirah
Vice President, Global Product Management Diebold, Inc. |
Lee Manfred
|
Phillip Valvardi
President Concord |
| Ruth Ann Marshall
Executive Vice President MasterCard International |
David Weber
Vice President Armed Forces Financial Network |
| John J. McDonnell
Chairman & CEO Paylinx Corp. |
Richard Webster
General Manager, Retail Bank Solutions Compaq Computer Corporation |
| Andrew Orent
Vice President, Self-Svc. Solutions NCR |
Chuck White
|
| George Pappas
Executive Vice President CyberCash, Inc. |
Steve Wright
|
| Walt Patterson
President ACS/TransFirst, Inc. Vice Chairman, EFTA |
|
| Scott Qualls
Senior Vice President Branch Banking & Trust |