VIA UPS OVERNIGHT & FACSIMILE OR ELECTRONICALLY

March 31, 2000

Ladies and Gentlemen:

Thank you for the opportunity to comment on the proposed privacy regulations ("Proposed Regulations") to Title V of GLB. In addition to the comments contained in this letter, the Principal Financial Group supports the comments to the Proposed Regulations submitted by the American Council of Life Insurers ("ACLI"), the Health Insurance Association of America ("HIAA"), the Consumer Mortgage Coalition ("CMC"), and the Electronic Financial Services Council ("EFSC").

The Principal Financial Group ("Principal") is a diversified family of insurance and financial services companies. Its member companies serve 9.7 million customers by providing a full line of individual and group insurance and financial products. Its flagship and largest member, Principal Life Insurance Company, is the eighth largest U.S. life insurance company in assets. The following comments reflect the composite thinking of our various companies.

Scope of the Proposed Regulations

The Proposed Regulations should not apply to the non-financial service operations of financial services holding companies. For instance, although health insurers and the health insurance operations of a holding company may fall under GLB's broad definition of "financial institutions," the Proposed Regulations should not apply directly to health insurers and the health insurance operations of a holding company. Congress provided that State insurance authorities, rather than federal agencies, must enforce the GLB's requirements as they related to the business of insurance. Keep in mind that the Department of Health and Human Services ("HHS") recently issued proposed regulations for comment pertaining to the confidentiality of medical records as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). As such, we request that the final GLB regulations clearly state that they do not apply to health insurers or the health insurance operations of a holding company.

Alternative B Definition of "Nonpublic Personal Information" and "Publicly Available Information"

Principal strongly supports Alternative B under which information that is publicly available would not be transformed into nonpublic information simply because a financial institution happened to generate the information from its own records, so long as the fact of the customer relationship could be determined from public records. A financial institution's records include both publicly available and nonpublic information, and the fact that public information is contained in a financial institution's records does not make the information nonpublic or derived from nonpublic information.

For example, home sales are routinely reported in general-circulation newspapers as well as in more specialized publications and by information brokers. Particularly in the case of information brokers, those reports often identify the mortgagee as well as the purchaser or seller. A borrower who opted out of having the mortgage company disclose the existence of the relationship could still receive solicitations from unaffiliated third parties who obtained their name from an information broker rather than from the mortgage company. Among other things, such a borrower might mistakenly believe that the mortgage company had failed to honor the borrower's opt out request.

We believe that the definition of "publicly available information" should include any information made available to the general public (as provided in Alternative B) as opposed to information which is obtained from public sources (as provided in Alternative A). We do not believe that information which is available from public sources stops being public information simply because it is not obtained from public sources. Accordingly, we strongly urge adoption of Alternative B in relation to the definitions of "nonpublic personal information" and "publicly available information."

Inappropriate Inclusion of Medical Information in the Definition of Personally Identifiable Financial Information

We object to the example of "personally identifiable financial information" as "information a consumer provides to you on an application to obtain...insurance..., including among other things, medical information." As a result, all information collected in connection with a financial transaction is inappropriately swept into the definitions of both "personally identifiable financial information" and "nonpublic personal information". This interpretation directly conflicts with the provisions of the Act, which clearly limit the protection afforded by the Act to financial information.

Title V of the Act defines "nonpublic personal information" as personally identifiable financial information" (emphasis added). Moreover, the fact that nonfinancial medical information is collected in connection with a financial transaction does not change the basic nature of the medical information itself. Congress clearly did not intend for Title V to be applicable to medical information. It specifically declined to include a provision on the confidentiality of medical information. We therefore strongly urge that any reference to medical information in the context of financial information be removed from the Proposed Regulations.

Definition of "Consumer" vs. "Customer"

From a life insurance point of view, the Proposed Regulations are unclear on whether the individual identified in the definitions of "consumer" and "customer" is the applicant, the policyholder, the insured, or the beneficiary. It is essential for insurers to know the individual to whom they are required to provide notices and the right to opt out.

During the application process, the insurer deals with the applicant. Once the policy is issued, the insurer's contractual relationship is with the policyholder. The insurer is unlikely to have the address of an insured or beneficiary who is not the same individual as the policyholder. We suggest that for purposes of insurance "consumer" should be defined to mean the applicant, prior to issuance of coverage, and the policyholder, subsequent to issuance of coverage; and "customer" should be defined to mean the policyholder. Additionally, we are concerned that employees not be deemed to be customers when those employees are covered by group insurance policies issued to the employer, but about which employees the insurer does not obtain any identifying information.

We suggest that either an example in the Proposed Regulations or the discussion in the release make clear that where an insurance agent/broker-dealer sells a variable life or variable annuity insurance product to a "consumer" and, after the sale, effectively transfers the responsibility for management of that insurance product to the insurance company, the "consumer" is not a "customer" of the insurance agent/broker-dealer. This suggestion is consistent with both the purpose of the Proposed Regulations and the language set forth in the Proposed Regulations.

The problematic definitions of "consumer" and "customer" arise in the context of mortgage operations also. The Proposed Regulations should clarify how they apply to situations in which the entities with financial interests in the loan differ from those that have, or are interested in having, direct contact with the consumer. Lenders sell most home mortgages today to secondary market investors, including the government-sponsored enterprises ("GSEs") and large private investors such as pension funds, insurance companies, and securities firms. A mortgage may be sold to a secondary market investor for cash or securitized (placed in a pool of mortgages with interests in the pool sold to investors in the form of mortgage-backed securities). In either case, loans will generally be serviced by an entity other than the investor. Regardless of the structure of the asset sold to investors, at the end of the transaction the borrower will generally deal only with the servicer and has no reason to know who owns the loan. The Proposed Regulations as drafted could be interpreted to create significant compliance obligations for secondary market investors who have no direct contact with borrowers and do not use or share their information for marketing purposes. The difficulty lies in the definition of a "customer."

Under the definitions, a "consumer" becomes a "customer" when the financial institution and the consumer establish a "customer relationship," which occurs when they enter into a "continuing relationship." The preamble to the Proposed Regulations suggests that simple ownership of a loan is sufficient to create a "customer relationship," even when the entity with the ownership interest has no other relationship or interaction with the borrower.

Congress cannot have intended this result. To the contrary, in enacting Title V, Congress recognized that the activities of secondary market investors generally do not raise personal privacy concerns. The Act specifically exempts from the disclosure and opt out provisions any "disclosure of nonpublic personal information . . . in connection with . . . a proposed or actual securitization secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer." Section 502(e)(1)(C). This exemption would be rendered meaningless if a secondary market investor were considered to have established a customer relationship as soon as it acquired ownership of a loan.

The Proposed Regulations should recognize the distinction between a passive secondary market investor and a financial institution that has a direct relationship with the borrower by treating the borrower as a "consumer," not a "customer" of the passive secondary market investor under the regulation. Borrowers still would be fully protected because the investor would have to provide the disclosures and the opt out right before it disclosed any of their nonpublic information to unaffiliated third parties.

Without this clarification, there is a real possibility that consumers will be subject to a barrage of meaningless privacy notices from the successive owners of the loan. A privacy disclosure from an entity that never has any direct contact with the borrower, never plans to share the borrower's nonpublic personal financial information with unaffiliated third parties, and may only own the loan for a few days or weeks, is of no value to the borrower.

The SEC has similarly recognized that Title V's privacy provisions were not intended to apply to market participants that do not deal directly with consumers. The SEC's proposed regulations do not apply to a clearing broker that has no direct relationship with the consumer. We assert that the mortgage servicer - which is the entity that the borrower regards as the "lender," regardless of who actually owns the loan - would have a customer relationship with the borrower.

Furthermore, the Proposed Regulations should recognize that there are subservicing arrangements in which the loan is actually serviced by one or more entities other than the owner of the servicing rights. Servicing rights are, in essence, a financial instrument representing an interest-only strip-off of the mortgage. Instead of focusing on ownership of servicing rights (or, for that matter, on ownership of the loan), the entity or entities that deal directly with the borrower should be considered "servicers." In other words, the entity to which the borrower makes payments should be treated as the loan servicer, and the borrower as the customer of the loan servicer.

Initial Notice

The Proposed Regulations require a financial institution to provide an initial disclosure notice to a consumer prior to the time the consumer establishes a customer relationship with the financial institution. This requirement conflicts with the clear language of the Act, which provides that a financial institution must provide the initial notice at the time of establishing a customer relationship. The Proposed Regulations do not explain or justify why they do not follow the clear and unambiguous terms of the Act. We believe that it will prove extremely difficult, if not impossible, for financial institutions to comply with a standard calling for disclosures "prior to" the time the customer relationship is established.

Principal urges you to amend the Proposed Regulations to permit the initial notice to be provided at or before the time the customer relationship is established, thereby resolving the conflict between the language of the Act and the Proposed Regulations. Most significantly, such an amendment would achieve the balance sought by the agencies in providing for the provision of initial notice at a meaningful time without unnecessarily burdening financial institutions. It also would allow for the flexibility necessary to accommodate the variety of business practices in today's fast changing financial services marketplace.

Annual Notice

The Proposed Regulations state that notices must be provided annually to customers, and that "annually" means at least once during any period of twelve consecutive months during which the relationship exists. We strongly urge, instead, that the Proposed Regulations be clarified to permit annual notices to be provided to customers at least once during each calendar year in which the relationship continues rather than during each 12-month period.

Content of Notice

The Proposed Regulations also provide that a financial institution must inform consumers of the categories of information that the institution collects and the categories of information that the institution discloses to third parties. However, the examples provided in connection with categories of information collected do not match the examples of the categories of nonpublic personal information the institution discloses.

We believe that the greater detail suggested for information disclosed is inappropriate. The Act provides for notice of the categories of disclosed nonpublic personal information. The examples provided by the Proposed Regulations, however, are not categories but lists of the disclosed information itself. Accordingly, we urge that the Proposed Regulations be amended to provide for examples of categories of disclosed information by using the same examples that are used for the categories of information collected.

Opt Out Issues

The preamble to the Proposed Regulations states that a financial institution is not required to provide an opt out notice when a customer establishes a new type of customer relationship. The Proposed Regulations do not include this important provision.

The Proposed Regulations should clarify that the examples provided therein are not exclusive, but merely illustrative of the ways in which a financial institution may provide consumers with an opportunity to opt out.

Principal also believes that a financial institution should be required to provide a change in terms to consumers before being permitted to disclose nonpublic personal information only if the change in terms is material or substantial. A financial institution should not be required to resolicit its customers if changes to its privacy policies are minor or insignificant.

Conflict with the Fair Credit Reporting Act ("FCRA")

The conflict between the Proposed Regulations' interpretation of the opt out provision in Title V of GLB and the nearly identical provision in FCRA is particularly troublesome because GLB also requires the privacy disclosures to include "the disclosures required, if any, under" the FCRA affiliate information-sharing provision. The FCRA provision does not, strictly speaking, require any disclosures if a company does not wish to share information other than transaction and experience information with affiliates. However, the apparent intent of the requirement in GLB is to require a financial institution that wishes to take advantage of the FCRA exception to combine the FCRA disclosure with the privacy disclosure.

The Proposed Regulations' interpretation that it is impermissible to require the consumer to send a letter in order to opt out of the privacy provisions would make it very difficult for a company to impose such a requirement for the FCRA opt out in a manner that is not confusing to the consumer. In effect, the proposed interpretation would change an existing FCRA requirement, which would be inconsistent with Section 506(c) of GLB, which provides that "nothing in [the privacy provisions] shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act."

The final rule should also clarify two related points:

• Since FCRA does not require any annual disclosures, the annual GLB disclosure need not include any FCRA-specific content. In particular, the proposed regulations should make clear that GLB did not create an annual opt out right under FCRA.

• A company that does not provide the FCRA affiliate information-sharing opt out in its initial privacy disclosure may do so later by sending a revised privacy disclosure under Proposed 15 C.F.R. 313.8(c).

Principal strongly supports the reaffirmation in the Proposed Regulations that they do not apply to the FCRA.

Joint Market Exception

The agency has asked whether to require financial institutions to take steps to assure that the product being jointly marketed and the other participants in the joint marketing agreement do not present undue risks for the institution. Principal does not believe it is appropriate to impose such requirements on financial institutions under this rule. Such requirements should be considered in the context of the agency's authority to address the safe and sound operations of financial institutions subject to its jurisdiction.

Multiple Accounts

Principal believes that financial institutions should not be required to send separate opt out notices to customers who maintain joint accounts. Rather, it is appropriate to send one notice and opportunity to opt out to the address indicated in the institution's records. If no opt out response is received by the financial institution, the institution may make the disclosure.

On a related matter, diversified financial organizations should have the option of making a single disclosure, and providing a single opt out right, applicable to all account relationships with the customer of any financial institutions within the organization. Allowing such a procedure would reduce the paperwork burden on both the consumer and the financial institution. However, allowing an opt out to apply to all existing account relationships creates the problem of determining the customer's intentions if the customer who previously opted out subsequently opens a new account with another affiliate of the organization, and does not opt out of disclosures in connection with opening that account. If the customer does not elect to opt out of information sharing in connection with opening the new account, it will be unclear whether the customer intended to keep the opt out in effect as to his or her other accounts. To address this issue, Principal proposes that financial institutions that apply the opt out to all of a group of account relationships be permitted to maintain the customer's opt out status across all the accounts.

Exception for Servicing and Processing

Principal urges that scope of the processing and servicing exception contained in the Act be preserved in the Proposed Regulations. The Act provides that the servicing and processing exception should apply "as necessary to effect, administer or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer." § 502(e) of the Act. The words "in connection with," which appear in the Act should also appear in the Proposed Regulations. Unfortunately they do not. This is a significant omission. Unless the "in connection with" concept is also included in the Proposed Regulations, the inconsistency between the Act and Proposed Regulations will detrimentally effect the efficient delivery of products and services to consumers.

A similar concern exists with regard to the exceptions for maintaining or servicing a customer's account for securitizations that are contained in the Proposed Regulations. We urge that the language of the statute be incorporated into the Proposed Regulations.

Limits on Redisclosure

We disagree with the limitation in the Proposed Regulations that provides that a third party that receives information in accordance with the exceptions can use such information only for the purposes for which it was provided. The statutory limitation is more than adequate to limit redisclosure of nonpublic personal information and to protect consumers and urge the agencies to similarly limit this provision of the Proposed Regulations.

Insurance Policy Not a Transaction Account

In addition, Principal requests that the Proposed Regulations confirm that the term "transaction account" does not include an insurance policy. While it would be difficult to construe a policy number of an insurance policy as a transaction account, we would like to avoid the issue and thus request clarification on the issue.

Effective Date

The Proposed Regulations contain a proposed effective date of November 13, 2000. Based upon our experience, it is abundantly clear that the proposed effective date is unworkable as it will be impossible for the nation's financial institutions to meet. Accordingly, Principal requests that the effective date be postponed one year or, until November 12, 2001. This date will provide financial institutions with the opportunity to make the operational changes necessary to implement the Proposed Regulations.

Conclusion

Again, thank you for the opportunity to comment on the Proposed Regulations.

Very truly yours,

agb\privacy issues\project2.doc