| March 30, 2000 | |
| Ms. Jennifer J. Johnson
Secretary Board of Governors of the Federal Reserve System 20th and C Streets, NW Washington, DC 20551 Docket No. R-1058 |
Mr. Robert E. Feldman
Executive Secretary Comments/OES Federal Deposit Insurance Corporation 550 17th Street, NW Washington, DC 20429 |
| Secretary
Federal Trade Commission Room H-159 600 Pennsylvania Avenue, NW Washington, DC 20580 Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313-Comment |
Communications Division
Office of the Comptroller of the Currency 250 E Street, SW Washington, DC 20219 Docket No. 00-05 |
| Manager, Dissemination Branch
Information Management & Services Division Office of Thrift Supervision 1700 G Street, NW Washington, DC 20552 Docket No. 2000-13 |
Jonathan G. Katz
Secretary Securities and Exchange Commission 450 5th Street, NW Washington, DC 20549-0609 File No. S7-6-00 |
Dear Sirs and Madams:
This comment letter is sent by Summit Bancorp., a bank holding company, on behalf of itself and its subsidiaries, which include two state-chartered banks which are members of the Federal Reserve System, Summit Bank (Hackensack, NJ) and Summit Bank (Bethelehem, PA), a state-chartered bank not a member of the Federal Reserve System, Summit Bank (Norwalk, CT), a registered broker-dealer, Summit Financial Services Group, Inc., and several insurance agencies, Meeker Sharkey Financial Group, W. M. Ross and Company, Inc., Spectrum Financial Group, Inc., Corporate Dynamics, and Philadelphia Benefits Corporation.
In general, we appreciate the efforts the regulators have made to provide prompt and consistent and coordinated privacy regulations. We would urge the regulators to provide model forms, to provide guidance by example regarding "categories" of information, third parties, etc.
We appreciate the opportunity to offer comments regarding specific parts of the proposed regulation.
Section by Section Analysis - [proposed additional language underscored]
§_.1(b). The rule would be clearer if it tracked the statute: Instead of "certain [very vague] of their non-bank subsidiaries or affiliates" say "their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors)."
§_.2. The rule that compliance with examples constitutes compliance with the regulations is very important. These rules are intended to encourage compliance, not punish. The section could be written in much plainer English:
The examples in this part are not the only ways to comply with the law and regulations, but if you follow an example which is applicable to your situation, you will be treated as having followed the law and regulations.
§_.3(b)(2)(i)(F). "Boilerplate" is not a synonym for "ambiguous." Boilerplate means frequently re-used, standardized, ready-made, and comes from an old method of newspaper printing of syndicated material. There is nothing wrong with a disclosure which is standardized and frequently re-used, as long as it is clear and conspicuous. Overall, we believe that the standards proposed in the regulation about boilerplate and precision are impossible to achieve. Plainer language is almost necessarily less precise, based on my experience since 1980 with the New Jersey Plain Language Consumer Contract Law.
§_.3(b)(2)(iii)(A). We would suggest: "Larger type size(s), different type face(s), boldface or italics in the text;..."
§_.3(e)(2)(i), (ii) & (iii). Section 509 of the Act defines "consumer" as one "who obtains ... financial products or services which are to be used...." The attempt in these three examples and the definition in §_.3(k)(2) to define the failure to obtain a financial product or service as obtaining that product or service is contrary to the plain language of the law. However, we agree that a financial institution should not be permitted to disclose personally identifiable financial information received on credit applications without restriction.
Furthermore, it should be made clear that a beneficiary of a trust who is not also a trustee or settlor or a beneficiary of an insurance policy who is not the purchaser or owner of the policy is not a consumer. A beneficiary does not obtain a fiduciary or insurance service, a beneficiary is a passive recipient of such service. A beneficiary has no say in what institution provides the service, and has entered into no contract with the institution, although the beneficiary will have some rights under fiduciary principles and a trust agreement or insurance policy to which the beneficiary was not a party.
§_.3(e)(2)(iv). The purpose of this example is unclear. If this is intended to refer to a legal representative, such person is already covered by §_.3(e)(1). If this person is an obligor on a loan we bought, we have no problem but this needs to be made clear. If this is a friend, relative, volunteer or officious intermeddler, such person has obtained no financial product or service and is not covered by the Act.
§_.3(e)(2)(vi). The difference between this section and §_.3(i)(2)(ii)(E) is not clear.
§_.3(i)(1). "Customer relationship" should be defined as "a continuing relationship between a consumer and you under which the consumer obtains one or more financial products or services from you that are ...." This is consistent with the definition of consumer in both the law and proposed regulation. Furthermore, there are multiple circumstances in which persons may passively receive a service from a bank with which they have no customer relationship, such as a recipient of a dividend check from a transfer agent. "Customers" must be defined as those who affirmatively enter into a relationship with the institution (or another institution which has sold the account to the disclosing institution). The definition in Section 527 of the Act does not apply to Subtitle A of Title V and is more inclusive to deal with a different purpose, the prevention of fraudulent access.
§_.3(k)(2). As noted above in the comment regarding §_.3(e)(2)(i), (ii) & (iii), the attempt to include persons who fail to obtain a financial product or service is contrary to the law.
§_.3(n), (o) & (p). Summit supports Alternative B. It would be an undue burden on financial institutions to require them to maintain the source of all information, which would be necessary under Alternative A. We consider information available over the Internet to be "publicly available," particularly in light of the overwhelming proportion of public libraries offering Internet access. On a more general note, we urge the regulators not to read the word "financial" out of "nonpublic financial information." Names, addresses, phone numbers, birth dates are not financial information protected by Title V, and should not be protected on an individual basis. We do not consider this nonpublic personal information. However, we agree with the examples at §_.3(o)(2)(C) and (D), that lists of customers of a financial institution are proprietary information which should be considered nonpublic personal information. However, we do not think this should be done by defining them as personally identifiable financial information, but by directly defining them as nonpublic personal information.
§_.4(a)(1). We object to the requirement that the notice be provided "prior to" the time a customer relationship is established. Section 503(a) of the Act says "At the time of establishing," and that is the language that should be used in this regulation. The regulation suggests that consumers will "shop around" for privacy policies. If this takes place it will undoubtedly take the form of requests for privacy policies well prior to initiation of a specifictransaction. To require financial institution employees to make certain and document that a customer receives a privacy policy before, rather than at the same time as, the other 22 documents typically required for a residential mortgage or home equity loan is unreasonable and of no benefit to the customer. It just provides fodder for plaintiffs' attorneys to bring class action lawsuits.
§_.4(d). Since bank records are typically maintained on an account basis rather than a "customer" basis, we would urge that notice be required to only one owner or obligor or other party to an account. We would also propose that any party to an account have the power to "opt out" of sharing of information on the account.
§_.4(d)(2)(ii). The words "...and the consumer agrees to receive the notice thereafter" should be deleted. The institution is required to provide the notice within a reasonable time by §_.4(d)(2), and the problems of proof of an oral agreement to receive a privacy notice are insurmountable and an invitation to litigation.
§_.4(d)(5)(i) & (iii). We suggest that you add to the examples: "Fax a printed copy of the notice to a fax number provided by the customer."
§_.4. In response to the request for comments, we suggest that the regulators set a reasonably high asset or income number to identify private banking-type individuals to whom no privacy and opt-out notices need be sent. These individuals have personalized relationships with the financial institution, are able to protect themselves, and may have legitimate reasons relating to political situations in other countries why the do not wish to receive mail.
§_.5. We would urge the regulators to construe "annually" as once each calendar year, rather than every twelve months. It would be an undue burden to have to mail out privacy notices to different customers with the same type of account based on their account opening date.
With regard to the burden of annual notices, we would urge that a financial institution which does not change its privacy disclosure notice from the preceding year be required to send only a brief notice of the availability of its privacy disclosure and opt-out notices upon request by mail, telephone or in person. We believe this would comply with Section 503(a) of the Act requiring annual notices to customers and significantly reduce the burden on institutions. "Our policies and procedures on customer privacy have not changed from the last notice we gave you." That's clear and conspicuous disclosure of a financial institution's policies, in the words of Section 503(a).
§_.5(c)(2)(iv). This last example should be deleted or changed to "There has been no account activity for a period of twelve consecutive months [end of sentence]." Banks mail out tax data, dormancy, escheat, audit confirmation, marketing and a multitude of other materials to account addresses, which do not reflect an ongoing customer relationship.
§_.6(a)(5). We suggest you add "or may contract" at the end of this subsection.
§_.6(a)(8). Section 503(b)(3) of the Act calls for disclosure of "the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501." The regulation adds the word "integrity." Unfortunately, the plain English meaning of "integrity" is honesty, accuracy, completeness. The example in (d)(5) and the description of the propose rule suggest that "integrity" means protection "against reasonably anticipated threats or hazards," which is a relatively obscure technological usage. Although the word "integrity" was probably used in this technological sense in Section 501(b)(2) of the Act, since Section 503(b)(3) does not require disclosures regarding "integrity," this word should be deleted from the regulation and example to avoid confusion of customers.
The fact that the agencies' regulations under Section 501 of the Act setting forth standards for security, confidentiality and integrity are still in an early stage but necessary for institutions to prepare their disclosures supports the suggestion that the date for sending the first of the annual notices be postponed.
§_.6(b). In response to the request for comment, Summit agrees that describing disclosures to nonaffiliated third parties as permitted by law should be sufficient with respect to the exceptions permitted under Sections 10 and 11 of the proposed regulation
§_.7. As stated with respect to §_.4(d) above, since bank records are typically maintained on an account basis rather than a "customer" basis, we would propose that any party to an account have the power to "opt out" of sharing of all information on the account.
With respect to the request for comment on a trust account with multiple beneficiaries, it is our position that a trustee is a customer, a settlor of a trust with a continuing relationship may be a customer, but a beneficiary who is not also a trustee or settlor is not a consumer. A beneficiary does not obtain a fiduciary service, a beneficiary is a passive recipient of such service. A beneficiary has no say in what institution provides the service, and has entered into no contract with the institution, although the beneficiary will have some rights under fiduciary principles and a trust agreement to which the beneficiary was not a party.
§_.7(a)(3)(i). We agree that 30 days is a reasonable period for mail notice and do not think an example in the context of transactions conducted using an electronic medium would be helpful, as reasonableness in this context is in a process of rapid evolution.
§_.7(c). We suggest adding "or certain uses of nonpublic personal information" to this section. Customer surveys have shown that many customers object only to telemarketing uses, and a number of institutions, including Summit, currently provide opt-out notices which allow the customer to specify the methods of solicitation for which the customer wishes information not to be used.
§_.8(a)(2)(ii). An additional alternative reasonable means should be included: "(D) Provide a toll-free telephone number by which the consumer may opt out." Summit has provided this convenient choice to customers for privacy opt-outs for some time; it is the method most frequently used by customers. See OCC Advisory Letter 99-3, Note 16.
As noted below, Summit expects to mail over three million four hundred thousand privacy and opt-out notices. Past experience would indicate that less than one percent of the customers will opt out.
§_.8(b)(1). This subsection should be revised to make it clear that an institution can provide the opt-out notice at any time (plus 30 days) before it makes disclosure of financial information to third parties.
§_.9(a)(2)(ii). In response to the request for comment on the use of information for the purpose of updating or validating credit scoring systems, we believe that this exception should be added to §_.11, as being similar to fraud protection, institutional risk control and the like.
§_.9(c). We would urge deletion of the definition of joint agreement. Subsection (b) accurately tracks the statute; subsection (c) changes "marketing ...pursuant to joint agreements" to "jointly offer, endorse or sponsor." There is a significant difference in that the former merely describes the contractual relationship between the parties while the latter implies affirmative participation by both parties. The implication that the disclosing financial institution endorses or sponsors the product should not be written into regulation; it is a question of facts and circumstances to be determined on a case-by-case basis. If customers of small community bank purchase products from Merrill Lynch or Prudential, they are not relying on the community bank's endorsement, nor is the community bank in a position to do significant due diligence on a well-known national financial institution. The community bank can only be expected to exercise reasonable business judgment in its selection of parties with which it contracts. We would therefore oppose a rule which would evidence the financial institution's sponsorship. We do not think that regulations can effectively describe the appropriate steps which an institution should take to mitigate reputational and legal risk; we would suggest at most a cautionary footnote reminding institutions of such risks.
§_.11(a)(1). We suggest adding the underlined language: "with the consent or at the direction of the consumer, provided that you are not aware that the consumer has not revoked the consent or direction." We would urge the regulatory agencies not to require that such consents be in writing, as one of the most frequent circumstances covered by this exception is when the customer requests the financial institution to give a bank reference to a third party.
§_.11(a)(7)(ii). The use of the words "properly authorized" in Section 502(e)(8) of the Act are very troublesome, as it would be difficult and extremely expensive, and violate most state and federal rules of civil and criminal procedure for institutions to do due diligence on each subpoena received. Rather than deleting these words from the regulation, since they will still exist in the statute, we would urge that the regulators add a definition of "properly authorized" to mean "regular on its face, that is, identifying the court, parties, docket number and issuing officer." This describes the actions taken by financial institutions today and conforms to the rules of Federal Procedure.
§_.12(a)(1). We would request that the word "receive" be replaced by the word "obtain," since a financial institution should only be held responsible for information which it obtains voluntarily.
In response to the request for comment, we do not think "policies or procedures" would ensure compliance with redisclosure limits. A reasonable financial institution will either contractually require (which still does not ensure) compliance or deal with a third party which has in some other fashion committed to or is legally required to comply.
§_.13. We would urge the addition of "except for disclosures pursuant to §§ .9, .10 or .11," at the end of this section, due to the fact that marketing materials may be enclosed with other account materials being sent by a servicer for the financial institution.
§_.15. A critical question of conflict of laws is which state privacy law will govern, the law of the state of domicile of the financial institution, or the state of residence of the customer. We would urge a rule specifying the former. It would be an undue burden on financial institutions in today's mobile society to have to track customer moves and send out a new notice and opt-out each time a customer moves across a state line.
§_.16. We would suggest that a December 13, 2000 mailing deadline for initial disclosures of privacy policies is not in the best interests of informing consumers of their rights. Section 510(1) of the Gramm-Leach-Bliley Act (the "Act") authorizes the agencies to prescribe different effective dates for different portions of Title V of the Act, except that Sections 504 (Rulemaking) and 506 (Protection of Fair Credit Reporting Act) are effective immediately. We would suggest that Sections 501, 502(c), 502(d), 502(e), 505, 507, 508 and 509 be made effective November 13, 2000, and that the other provisions be optional until fifteen months after the date on which final rules are required, i.e., July 13, 2001.
There are several reasons to postpone mailing of the opt-out and disclosure notices. These notices are to be sent out no less frequently than annually. Some feel this regulation will result in greater information and technology systems costs than Y2K. Six months from promulgation of a regulation which will require massive system changes is a short time, meaning there will be little if any early mailing. Summit will mail well over three million four hundred thousand privacy notices. Imagine the effect on the Postal Service and each consumer's mailbox when Citigroup, Merrill Lynch, Prudential, American Express, and tens of thousands of other banks, insurance companies and agencies, securities dealers and other entities newly defined as "financial institutions" drop billions of notices in the mail on virtually the same day, the beginning of the Christmas holiday shopping season and the related mail surge. And the same mailings will occur the same time of year, year after year.
Consumers will be overwhelmed by privacy notices, greatly reducing their effectiveness. The Postal Service, mailing houses, printers and data processing operations will be overwhelmed by the flood. Will the regulators show the same concern about the stability of the financial system put at risk by this crisis resulting from regulatory action as they did about Y2K?
We would suggest that it would be wise to delay the mailing deadline until July 2001 because it will give financial institutions the ability to stagger their mailings to their customers, reducing the negative impacts on all concerned, as well as the costs. Most financial institutions spent several years preparing for Y2K. After the Christmas holidays come the 1099's, W-2's, K-1's and other year-end tax mailings as well as the Christmas bills. February and March are the principal months for mailing out Annual Reports and Proxy Statements. July would be good as a cut-off date, as institutions should be in a position to start mailing in April and stagger the mailings through June and early July.
Furthermore, as noted above, we have not even seen the administrative, technical and physical safeguards standards which we are required to describe as part of our privacy notices. In addition, a massive training effort of thousands of employees will be necessary.
We suggest that the rules be issued as temporary rules and hope there will be an opportunity for further comment after the rules are promulgated, as there have been with other Gramm-Leach-Bliley rules.
Very truly yours,
Richard F. Ober, Jr.
Executive Vice President, General Counsel and Secretary
Summit Bancorp
301 Carnegie Center
P.O. Box 2066
Princeton, NJ 08543-2066
tel-609.987.3430
fax-609.987.3435
rober@summitbank.com
D:\_DOCS\CRA-COMP\PRIVACY2.WPD