| JOSEPH E. LASTOWKA, JR.
GUY A. MESSICK EUGENE J. MALADY |
THE MADISON BUILDING
108 CHESLEY DRIVE MEDIA, PA 19063-1712 |
| ROXANNE ARENA*
PAUL P. PADIEN** JOHN B. WHALEN, JR* *NJ Bar also - **NJ & NY Bars also |
FAX: (610) 565-9363
TELEPHONE (610) 565-0330 |
March 30, 2000
| Becky Baker
Secretary of the Board National Credit Union Administration 1775 Duke Street Alexandria, VA 22314-3428 Delivered by facsimile: 703-518-6319 |
Gramm-Leach-Bliley Act Privacy
Rule, 12 CFR Parts 716 and 741 - Comment |
| Secretary
Federal Trade Commission Room H-159 600 Pennsylvania Avenue, N.W. Washington, DC 20580 Delivered electronically via: GLBRule@ftc.gov |
Gramm-Leach-Bliley Act Privacy
Rule, 16 CFR Part 313 - Comment |
Jonathon G. Katz
|
Privacy of Consumer Financial
Information (Regulation S-P) - Comment File Number S7-6-00 |
Dear Ms. Baker, Mr. Katz and Secretary, Federal Trade Commission:
This is a joint comment on the proposed privacy regulations by the National Credit Union Administration, the Federal Trade Commission and the Securities and Exchange Commission. Due to the interrelation of the proposed regulations to credit union service organizations and credit unions, a joint approach is required.
I am General Counsel for the National Association of Credit Union Service Organizations ("NACUSO"). NACUSO is the trade association for credit union service organizations ("CUSOs"). CUSOs are operating subsidiaries of credit unions. They are corporations, limited liability companies and limited partnerships that are permitted by NCUA regulations to perform certain financial and operational services similar to the services that banks can provide through their operating subsidiaries. The permitted services include the sale of securities and insurance products, mortgage origination, data processing, and trust services. The regulations restrict the customer base of CUSOs. CUSOs must primarily serve credit unions, members of the investing credit union or members of credit unions under agreement with the CUSO. Thus, CUSOs must be closely affiliated with credit unions in the types of services and the persons they serve.
CUSOs provide a vehicle to both share operational services between credit unions and enable credit unions to provide financial services to their members that cannot be legally offered by the credit union. The sharing of operational services by CUSOs should be covered by the transaction exemption to the proposed opt-out requirement. The impact of the Privacy Regulations on CUSOs that provide financial services is the area of most concern.
Affiliate and Control Definitions
Since the passage of the Gramm-Leach-Bliley Act, banks have had the authority to market deposits, securities and insurance products within the bank's corporate structure. Thus, banks have the ability to freely use their customer information to cross market these products without the need to provide opt-out options to their customers. Credit unions must continue to use their CUSOs to sell these products. Unless a credit union has the same ability to share information with its CUSO on the same level as a bank can share its information internally, credit unions will be at a severe competitive disadvantage to banks. This is where the definition of "Affiliate" becomes critical to credit unions. If the CUSO is considered an affiliate of the credit union, then the credit union can share information without an opt-out option and be on equal footing with the banks.
The question posed by the proposed definition of "Affiliate" is "What level of control or ownership must exist between a credit union and CUSO in order for an affiliate relationship to exist?" This definition will be determined by the regulations promulgated by the National Credit Union Administration for federally insured credit unions and by the Federal Trade Commission for privately insured credit unions (approximately 400 of the 11,000 credit unions nationwide). CUSOs selling securities will be governed by the affiliate definition promulgated by the Securities Commission and by the Federal Trade Commission for activities other than the sale of securities (with the exception of the sale of insurance products which will be governed by the respective states).
Under the proposed regulations, an affiliate relationship would exist if one entity "has control over the other." The proposed definition has a control factor of 25%. Thus, a CUSO would be considered an affiliate of a credit union if the credit union has at least 25% voting control of its CUSO. For the reasons stated below this "Control" definition is too restrictive for application to credit unions and CUSOs.
Credit unions only comprise about 2% of the financial services market with most credit unions under $20 million dollars in assets. Credit unions are cooperatives. Traditionally, credit unions have worked together to solve operational problems and to pool resources to help credit unions compete. There are many examples of more than four (4) credit unions binding together to deliver services through a CUSO. The NCUA comments to the regulations would expand the definition to permit a CUSO to be considered an affiliate of a credit union if the CUSO is wholly owned by credit unions, regardless of the percentage of ownership held by a single credit union. This is a welcomed modification of the regulation and particularly appropriate for the cooperative nature of credit unions. However, even this change does not address all the concerns of credit unions and CUSOs.
We are recommending that the proposed definition of "Control" should be expanded further in two (2) areas. The first expansion is to treat a wholly owned CUSO the same as a credit union investor for purposes of the privacy regulations. For business or organizational reasons, credit unions have used their wholly owned CUSOs as the investors in a multiply owned CUSO. Thus, if a multiply owned CUSO is owned exclusively by credit unions or the wholly owned CUSOs of credit unions, the multiply owned CUSO should be considered an affiliate of the investing credit unions and CUSOs, regardless of the percentage of ownership.
The second expansion is to permit any credit union to treat a CUSO as an affiliate if they control any portion of the CUSO, regardless of the amount of the control. This is consistent with the history of the cooperative nature of credit unions. Credit unions have a history of protecting the privacy of their members and this will not change based upon the percentage of control of a CUSO.
If the Agencies conclude that there is a need to establish a minimum control percentage, we ask that credit unions be permitted to aggregate for purposes of meeting the minimum control percentage. For example, the proposed "Control" definition would require an affiliate have control or be controlled at a minimum level of 25%. For this alternative recommendation, we suggest that the rule be modified to permit a credit union (or its wholly owned CUSO) to be considered an affiliate of a multiply owned CUSO if at least 25% is owned by credit unions (or their wholly owned CUSOs) regardless of the percentage of ownership of any one credit union or wholly owned CUSO investor. This rule would allow credit unions to aggregate the control element, which is an attribute of the cooperative nature of credit unions.
The vast majority of credit union members view the CUSO as an extension of their credit union, regardless of whether they fully understand the legal separation between the credit union and its CUSO. Credit union members uniformly understand that there is a close affiliation between their credit union and its CUSO. The members' perception of the CUSO as an affiliate of the credit union holds true regardless of whether the CUSO is wholly owned or multiply owned. The percentage of ownership and control between a credit union and CUSO does not affect the member perception of affiliation. Credit unions can protect against the inappropriate use of shared information through agreements with the multiply owned CUSO and the non-credit union investors. Under these circumstances, the sharing of information between a credit union and CUSO without an opt-out provision is not foreign or inappropriate from the members' perspective.
Some credit unions have allowed vendors to have an equity interest in CUSOs as an incentive to provide higher levels of service to the credit union members which in turn enhances the value of the CUSO. This is a perfectly appropriate business model that works well for the credit unions using it. It is important to have an affiliate definition that does not invalidate an affiliate relationship if a third party is participating in the CUSO. Under the proposed definition, as long as a credit union has a minimum of 25% control, others may control 75% of the affiliate. The alternative NCUA definition would permit an affiliate relationship if the whole CUSO is controlled by credit unions, regardless of the percentage of control. Unfortunately, these alternatives would not permit an affiliate relationship between a credit union and CUSO if the credit union controlled less than 25% of the CUSO and there was a non-credit union owner. We cite three examples of current multiply owned CUSOs providing financial services where this would be the result:
(a) There is a limited partnership CUSO that is a licensed broker providing financial services. The limited partners own 75% of the equity interest and are all credit unions or CUSOs. The general partner is a broker. By regulation, the credit union can only be a limited partner in a limited partnership CUSO and have no control over the CUSO. Should a limited partnership CUSO be treated differently than a corporation or limited liability company CUSO even when proper safeguards can be put in place to protect the members' privacy?
(b) There is another national CUSO that is a limited liability company (that may offer financial services in the future) which is 51% controlled by dozens of credit unions and the balance is owned by a broker.
(c) There is yet another example of a limited liability CUSO that is owned by five (5) credit unions, one wholly owned CUSO and an insurance agency. The insurance agency has a minority position that can be bought out for fair market value if the credit union/CUSO investors decide to change agents. In the meantime, the agent is provided an incentive to work with the CUSO for modest fees given the ability to share in the growth of the CUSO's value. All these are business models that would be disallowed as affiliates under the proposed rules.
The National Association of Securities Dealers ("NASD") has a direct impact on CUSOs selling securities products. Those regulations provide that control will be presumed at a minimum of 10% control or if, by contract, the broker can control the delivery of services by another entity. See, NASD Rule 2350 (b)(2) Broker Dealer Conduct on the Premises of a Financial Institutions and NASD Rule 2720(b)(1)(A) and (B) Distribution of Securities.
Any definition of "Control" which has a minimum percentage is arbitrary and cannot be the subject of legitimate debate. The real test is whether the credit union can exercise sufficient control over the CUSO to prevent the unauthorized use of private information. We recommend that an affiliate relationship should exist if the credit union has any ownership relationship with the CUSO and the credit union is able to exercise control over the use of private information it shares with the CUSO. It is vitally important to coordinate the affiliate rules among the NCUA, the Securities and Exchange Commission and the Federal Trade Commission. If a credit union and CUSO relationship is considered an affiliate under the credit union regulations, it should also be considered an affiliate under the applicable FTC and/or SEC Rules. Without coordination of the various regulations and affiliate definitions, information could legitimately go from the credit union to the CUSO, but not from the CUSO to the credit union. Such a dichotomy creates an operational inconsistency and fosters an unfair competitive advantage for banks. Likewise, it is important that the FTC rule applicable to non-federally insured credit unions is the same as the rule that applies to federally insured credit unions.
Affiliate Definition
NCUA: We propose a change to the proposed definition of "Affiliate" for federally insured credit unions. This definition is as follows:
Affiliate means any company in which the credit union has an investment and which the credit union has the power to require compliance with its privacy policies;
[Credit unions are not owned by anyone other than members and therefore credit unions will not have parent affiliates.]
FTC: We propose a change in the proposed definition of "Affiliate" in order to address the potential inconsistencies of how a CUSO and a credit union could mutually share information and the potential inconsistencies in the treatment of the approximately 400 credit unions that are not federally insured:
Affiliate means any company that controls, is controlled by, or is under common control with another company; provided that if a company is considered an affiliate of a financial institution under the regulations applicable to the financial institution then the company shall also be considered an affiliate of the financial institution under these regulations. The definition of affiliate for credit unions regulated under this regulation shall be the same as the definition under the privacy regulations promulgated by the National Credit Union Administration.
Securities Commission: We propose a change in the proposed definition of "Affiliate" in order to address the potential inconsistencies of how a securities selling CUSO and a credit union could mutually share information:
Affiliate means any company that controls, is controlled by, or is under common control with another company; provided that if a company is considered either an affiliate of a financial institution under the regulations applicable to the financial institution or the National Association of Securities Dealers Regulations, then the company shall also be considered an affiliate of the financial institution under these regulations.
Control Definition
NCUA: Depending on the final approach taken, there would not be a reason to include a definition of "Control". If a control factor where still part of the regulatory scheme, subsection (g)(a) of the definition of "Control" should be amended with one of the following alternatives:
Alternative 1:
The ability to control the use of information disclosed to a company in which an ownership interest exists;
Alternative 2:
Ownership, control, or power to vote 10 percent or more of the outstanding shares of any class or voting security of the company directly or indirectly, or acting through one or more other persons, provided that credit unions and wholly owned subsidiaries of credit unions may aggregate their ownership, control or power as a group to meet the minimum percentage without regard to the amount that each credit union or wholly owned subsidiary of a credit union owns or controls;
FTC: In order to avoid any inconsistencies in the treatment of non-federally insured credit unions, subsection (g)(a) of the definition of "Control" should be amended as follows:
Alternative 1:
The ability to control the use of information disclosed to a company in which an ownership interest exists;
Alternative 2:
Ownership, control, or power to vote 10 percent or more of the outstanding shares of any class or voting security of the company directly or indirectly, or acting through one or more other persons, provided that credit unions and wholly owned subsidiaries of credit unions may aggregate their ownership, control or power as a group to meet the minimum percentage without regard to the amount that each credit union or wholly owned subsidiary of a credit union owns or controls;
SEC: In order to avoid any inconsistencies in interplay with the NASD Rules, subsection (g)(a) of the definition of "Control" should be amended as follows:
Alternative 1:
The ability to control the use of information disclosed to a company in which an ownership interest exists;
Alternative 2:
Ownership, control, or power to vote 10 percent or more of the outstanding shares of any class or voting security of the company directly or indirectly, or acting through one or more other persons, provided that credit unions and wholly owned subsidiaries of credit unions may aggregate their ownership, control or power as a group to meet the minimum percentage without regard to the amount that each credit union or wholly owned subsidiary of a credit union owns or controls;
Nonpublic Personal Information and
Personally Identifiable Financial Information Definitions
As noted in the proposed rule, the Agencies are considering two alternative definitions of "Publicly Available Information." The two definitions differ by their treatment of the source of the information. Under one proposed definition, Publicly Available Personal Information would be limited to information derived from public sources. Alternatively, the term would include information that could be derived from public sources even if it is obtained from a nonpublic source.
We strongly advocate the latter of these proposals. Including information that could be derived from public sources without regard for the actual origin of the specific information. To require credit unions and CUSOs to treat otherwise public information differently merely because the information was provided by its member rather than a public source would create operational inconsistencies and confusion in protecting information that is freely available in the public domain.
We concur that personally identifiable information should never be disclosed without the opportunity of the consumer to opt-out. However, this should not prevent the sharing of financial information that does not identify the person(s) associated with it. For planning purposes, it is critical that credit unions and their CUSOs be permitted to look at aggregate financial data that does not identify the consumer. Without this information, credit unions and CUSOs would be "flying blind" for planning and marketing purposes. The results of this could adversely affect their safety and soundness. We urge all three Agencies to exclude from the definition of "Nonpublic Personal Information" and "Personally Identifiable Financial Information" any information that does not identify the consumer associated with the information. The privacy rights of an individual cannot be violated if financial information cannot be linked to the individual.
Policy and Notice and Opt-out Provisions
We urge each regulatory body to permit consumers to elect to receive their policy notices and make their opt-out elections by electronic means. It is actually more convenient for consumers with Internet access than the mail.
Likewise, We urge that there is the ability to give joint account holders at the same address one policy notice and opt-out election form. In the alternative, there should be the ability of the joint account holders at the same address to expressly agree to have one policy notice and opt-out election form. Both of these recommendations would accomplish the public purposes of the Act and save the costs of needless duplication.
Joint Marketing Agreement Exception
We support the joint marketing agreement exception. The exception permits credit unions and CUSOs to deal with some of the competitive disadvantages vis-à-vis banks, while providing protection for consumers from improper usage of the information.
Consumer Consent
We urge all the Agencies to permit consumers to consent to disclose information by whatever means that suit an entity's particular operations, e.g. by mail, telephone and/or Internet. If systems can be developed to document the consent by a consumer, there should be no regulatory limitation on the method of consent. Consumers want speed and convenience. If regulations require consent, let the parties have the ability to determine the method of providing the consent.
Effective Date
We urge that the deadline for compliance be extended to April 1, 2001. The year-end time period is too cluttered with mail, budget and planning issues. It would be an operational burden and the consumers will be less attentive. This problem would be repeated on an annual basis if the effective date remains in November with a December mailing. The first quarter of the year is a better time period to send and receive the opt-out notices.
We appreciate the opportunity to comment on the proposed regulations and invite any questions you may have to these comments.
Very truly yours,
Guy A. Messick
GUY A. MESSICK
| cc: | Robert Dorsa,
President NACUSO |