March 31, 2000
Mr. Jonathan G. Katz
Secretary
Securities and Exchange Commission
450 5th Street, N.W.
Washington, D.C. 20549-0609
Re: Privacy of Consumer Financial Information (Regulation S-P), Release Nos. 34-42484, IC-24326, IA-1856; File No. S7-6-00
Dear Mr. Katz:
The Investment Counsel Association of America, Inc.1 appreciates the opportunity to comment on the Commission's proposed Regulation S-P2 implementing notice requirements and restrictions on sharing consumer information as mandated by the Gramm-Leach-Bliley Act.3
The proposal would require financial institutions, including all federally registered investment advisers, to adopt policies and procedures that are reasonably designed to insure the security and confidentiality of consumer records, protect against threats or hazards to the security of customer records, and protect against unauthorized access to consumer records. The proposal also would require a financial institution to provide an initial notice of its privacy policy and practices in two circumstances: (1) upon entering into a customer relationship; and (2) prior to disclosing nonpublic personal information about a consumer to a nonaffiliated third party. Financial institutions will be required to issue annual notices to customers with whom an ongoing relationship exists and permit customers to stop a financial institution, in the form of an opt-out notice, from disclosing nonpublic personal information to certain nonaffiliated third parties. The release indicates that the regulation will likely become effective November 13, 2000 and require financial institutions to deliver initial privacy notices within 30 days of the effective date.
I. INTRODUCTION
As the SEC recognizes, due to the fiduciary relationship between an investment adviser and client, investment advisers generally do not disclose client information to other parties.4 In addition to the client confidentiality implicit in a fiduciary relationship, all ICAA member firms are required to endorse the ICAA Standards of Practice, which since 1937 have required client confidentiality. The Standards of Practice currently state: "Information concerning the identity of security holdings and financial circumstances of clients is confidential."5 The ICAA's specimen advisory contract, which is distributed to all ICAA member firms, also contains a confidentiality provision stating: "All information and advice furnished by either party to the other shall be treated as confidential and shall not be disclosed to third parties unless requested by a regulatory authority or otherwise as required by law."6
The Gramm-Leach-Bliley Act is intended to prevent abusive practices that violate a customer's reasonable privacy expectations. Such abusive practices include the sale to nonaffiliated third parties of sensitive customer information or customer lists by financial institutions. We are unaware of any evidence indicating that these types of abusive practices exist in the investment advisory profession. Even disregarding that client confidentiality is an important aspect of an adviser's fiduciary obligations, it simply does not make sense from a business point of view for investment advisers to share client information with nonaffiliated third parties unless it is required or desirable as part of the advisory relationship. In fact, due to the highly competitive nature of advisory services, we believe it is the norm in the investment advisory profession for firms to guard client information jealously.
While it is our firm belief that advisers generally do not participate in the types of abusive practice that the law is intended to address, it is nonetheless true that investment advisers do and must share nonpublic personal information with other entities - often third-party nonaffiliates - in the normal course of business. Typically, an investment adviser will share nonpublic personal information with the custodian of the client's assets, one or more broker-dealers, and, in certain circumstances, third-party service providers (such as providers of portfolio management services). Given the wide disparity among advisory firms, the nature and number of third-party relationships may vary significantly from firm to firm.
We strongly support a commonsense approach to privacy regulation - one that focuses on abusive practices the law intends to address without imposing needless regulatory requirements on transactions and practices that are integral to or authorized by the advisory relationship. We commend the Commission for recognizing the fact that investment advisers typically have not engaged in the types of abusive practices that the Gramm-Leach-Bliley Act seeks to eliminate. We likewise commend the Commission for working with other agencies in issuing the proposed regulations within a very short period of time. We appreciate the opportunity to provide these comments and believe that explicit clarification on the issues identified below is necessary and desirable to provide more certainty and to avoid confusion on issues that may arise when an adviser provides nonpublic information to nonaffiliated third parties.
II. REQUESTS FOR CLARIFICATION
While many investment advisers already have privacy policies, conforming them to the Commission's standards and instituting the notice requirements will require a significant effort. To that end, to the extent the Commission can issue specific guidance in the adopting release, both investment advisory professionals and consumers will be better served. The ICAA requests the Commission to address the following specific areas in the adopting release: (A) definitions of consumer and customer; (B) exceptions to the notice and opt-out requirements; (C) limits on third-party redisclosure and reuse; (D) content of the initial and annual notices; and (E) wrap fee and subadvisory accounts.
A. Scope of the Regulation: Definition of Consumer and Customer
The definitions of consumer and customer are the keys to determining if and when a financial institution must issue the privacy and opt-out notices. These definitions must be clear so it is readily apparent when a financial institution must issue the notice. The proposal defines consumer, and thus derivatively customer,7 as an "individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, and that individual's legal representative."8 The term "individual" is not defined. However, the Commission implies that it has a meaning different from "natural person."9
In an advisory relationship where the client is a natural person, applying the consumer definition will be straightforward. Similarly, an investment adviser's relationship with institutional clients plainly will not come under the auspices of the notice and opt-out provisions. However, because "individual" is undefined, it is not clear whether or how the regulation applies in circumstances where the client is not a natural person. For example, an investment adviser may have clients that are trusts, limited partnerships, retirement accounts, general partnerships, or non-traditional corporate accounts, any of which may have some element of personal, family, or household purpose. Yet, the individuals behind these entities are not parties to the advisory contract. Are these accounts "customers"?
Because the term "individual" currently provides no guidance, the definition of consumer appears to turn on whether the financial service is primarily provided for personal, family or household purposes. It may be difficult to make this facts-and-circumstances determination on a case-by-case basis under the current definition. We therefore request that the Commission issue a definition for the term "individual" or provide a safe harbor for situations where the account is not in the name of a natural person. For example, under a safe harbor, advisers could assume that trusts and individual retirement accounts are consumers, while general partnerships, other retirement plans, and corporate accounts are not.
The ICAA also is concerned about the effect the regulation may have on an investment adviser whose only clients are institutions - which do not meet the consumer or customer definitions. The proposed regulation appears to require all registered investment advisers to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. But investment advisers that only have institutional clients will not have to issue privacy and opt-out notices because those provisions of the regulation apply only to "consumers." Further, since institutional-only advisers would not have customer information, the adoption of policies and procedures to safeguard such information is pointless. Thus, the ICAA respectfully recommends amending the proposal to clarify that policies and procedures will only be required of investment advisers that have consumers as clients.10
B. Exceptions to Privacy Notice and Opt-out Provisions
The Gramm-Leach-Bliley Act sets out several exceptions to when a financial institution is required to send a privacy and opt-out notice.11 The SEC's proposal would incorporate the Act's exceptions at Sections 248.9, 248.10, and 248.11. These exceptions permit a financial institution to disclose nonpublic personal information to third-party nonaffiliates without giving the consumer the right to opt out. Further, some of the exceptions provide that a financial institution does not have to disclose in its privacy notice the details of with whom it shares the nonpublic information.
Section 248.9 provides an exception to the opt-out provision only - notice is still required - if a financial institution shares information with service providers or joint marketers.12 For a financial institution to rely on this exception it must fully disclose to the consumer, before releasing the nonpublic personal information, the types of third parties it provides information to and what types of information it releases.13 The financial institution also must enter into a contract with the third party designed to ensure that the third party will maintain the confidentiality of the information and will use the information solely for the purposes for which it is disclosed.
Section 248.10 is an exception generally for servicing or processing a transaction at the consumer's request.14 Section 248.11 covers other miscellaneous exceptions in the Act, such as sharing nonpublic information with the consent of the consumer or as required by local law.15 Sections 248.10 and 248.11 are different from Section 248.9 in that a financial institution relying upon them does not have to include details in the privacy notice regarding its disclosure of nonpublic personal information to third-party nonaffiliates. The regulation does require that a financial institution generally include in its privacy notice that it is making disclosures to third-party nonaffiliates as permitted by law.16
As noted earlier, investment advisers share nonpublic personal information with third-party nonaffiliates, some of which may have a separate customer relationship with the advisory client. For example, when a person enters into a contract with an investment adviser the person also enters into an agreement with a custodian - typically not affiliated with the investment adviser - to hold its assets.17 The custodial agreement establishes that the investment adviser has discretion to direct the investment of the assets in custody and that the custodian will act in accordance with the adviser's directions. The investment adviser also must interact with one or more broker-dealers to buy and sell securities on the client's behalf. This interaction necessarily will include nonpublic information such as custodial and transaction information. Thus, a constant stream of nonpublic personal information is shared between the investment adviser, custodian, and broker-dealers to effectuate an investment adviser's investment decisions for the client.
When an investment adviser shares information with nonaffiliated custodians and broker-dealers, the investment adviser is excepted under Section 248.10 from both the notice and opt-out restrictions of the proposal. However, in certain circumstances, sharing information between an adviser and nonaffiliated third parties takes on characteristics of more than one of the exceptions provided for in the regulation. The sharing of information most logically fits into the exceptions under Section 248.10(a)(1) or (2), as "necessary to effect ... a transaction requested or authorized by the consumer" or to "service or process a financial product or service requested or authorized by the consumer." Accordingly, we request the SEC to confirm that, with respect to investment advisers sharing information in the normal course of business with broker-dealers and custodians, the notice and opt-out provisions do not apply.
Similarly, an investment adviser often retains the services of a third party to perform account maintenance, transfers and recordkeeping functions, manage proxy voting, prepare and deliver account statements, or perform other services for a customer's account. These arrangements should also be excepted under Section 248.10 and not Section 248.9, even though both could apply. Although by title the Section 248.9 exception includes service providers, the substance of the services provided by the parties an investment adviser may retain are more akin to the Section 248.10 exception to "service or process a financial product or service" requested by the consumer. We request the Commission to clarify that the substance of the service the nonaffiliate is providing will dictate the exception on which the financial service provider relies, i.e., if a service provider is performing a function that a financial institution or consumer initiates to service or process a financial product or service, the applicable exception is Section 248.10.
As a corollary, the ICAA requests the Commission to clarify that the Section 248.10 exception is not solely a "transactional" exception, but also applies when a financial institution's service is based on a relationship. The proposed title of the section indicates that the exception is for processing and servicing transactions.18 An investment adviser may retain third-party nonaffiliates to perform services on behalf of the customer that are not transaction oriented. The ICAA believes, as indicated above, that these types of services are excepted under Section 248.10 because the third-party nonaffiliate is facilitating a financial product or service - not a transaction - requested by the consumer.19 Because these services are not transactional in nature, we recommend that the Commission recharacterize the title and text of the exception to include the words "transactions or accounts" where it currently references only "transactions." For example, the title of the section should be renamed as, "Exceptions to notice and opt out requirements for processing and servicing transactions or accounts."
The ICAA also suggests that the Commission amend proposed Section 248.11(a)(1) to clarify that a financial institution is excepted from the privacy notice and opt-out provisions if it provides nonpublic personal information to a third-party nonaffiliate at the direction of the consumer's representative or fiduciary.20 The rule permits a financial institution to disclose information with the consent or at the direction of the consumer and also permits disclosure to a person acting in a fiduciary or representative capacity on behalf of the consumer, but does not explicitly permit disclosure to a third party with the consent or at the direction of a consumer's fiduciary or representative. Incorporating the proposed amendment will permit custodians, broker-dealers, and other third-party nonaffiliates to release nonpublic personal information at the request of the investment adviser. For instance, advisory clients often request performance reports on their accounts. The investment adviser should be able to instruct the custodian to release its clients' nonpublic personal information to the performance reporting company, and the custodian should be able to rely on that instruction without having to obtain independent approval by the customer. Similarly, high net worth clients sometimes retain consultants, who should be included in the permissible information flow. This amendment would not substantively expand the exception, but streamline its operation. Clarifying all the exceptions to the fullest extent practicable will assist the industry greatly in implementing the regulation.
C. Limits on Redisclosure and Reuse of Information
Proposed Section 248.12 limits the redisclosure and reuse of information by third-party nonaffiliates when they receive nonpublic personal information. The Release states that when a nonaffiliated third party receives nonpublic personal information from a financial institution, it is subject to the same restrictions as the financial institution itself. Further, a nonaffiliated third party may use the information received under one of the exceptions to the notice and opt-out provisions (Sections 248.9-.11) only for the purpose for which the information was provided.
Investment advisers share nonpublic financial information with other entities as necessary to service their client's account. Because the information sharing will likely come under one of the exceptions to the notice and opt-out provisions of the regulation, the customer will not have the ability to opt out or be explicitly notified that their information is being shared. Thus, third-party nonaffiliates that receive nonpublic personal information should not be permitted to use the information for any other purpose. For example, if an investment adviser releases client information to a broker-dealer to allocate a block trade of securities, the broker-dealer and its affiliates should not be able to use such information to market its services to the adviser's clients.
The ICAA requests the SEC to confirm that Sections 248.12(a)(2)21 and 248.12(b)(2)22 require third-party nonaffiliates to use nonpublic information only for the purpose for which it was received. Accordingly, we suggest that the language be rephrased in the negative. Because the intent of the rule is to limit the use of the information and the previous subsection is stated in the negative, the effect may be clearer if it provides: "You may not use nonpublic personal information about a consumer that you receive from a nonaffiliated financial institution in accordance with an exception under Sections 248.9, 248.10, or 248.11 except for the purpose for which the information was provided to you."
D. Content of Initial and Annual Notices
Because the fiduciary relationship between investment advisers and their clients requires confidentiality, the initial and annual notices of an investment adviser's privacy policies and practices are likely to be brief. Many of the disclosures required in Section 248.6 - including the categories of nonpublic personal information that are disclosed, the affiliates and nonaffiliated third parties to whom information is disclosed, the information about former customers that is disclosed, and the description of the information disclosed pursuant to a service contract - do not apply to investment advisers that maintain client confidentiality.
For financial institutions that do not disclose nonpublic personal information to affiliates or nonaffiliated third parties, an example of a simplified notice is included in Section 248.6. The simplified notice consists of a statement that the financial institution does not disclose nonpublic personal information to affiliates or nonaffiliated third parties, the categories of nonpublic personal information that the financial institution collects, the policies and practices adopted to protect the confidentiality, security, and integrity of nonpublic personal information, and a disclosure that information is disclosed to nonaffiliated parties as permitted by law if the financial institution relies on the exceptions to the notice and opt-out provisions in Sections 248.10 or 248.11.
The ICAA believes that many investment advisers will be able to satisfy the notice requirements of the regulation by delivering the simplified notice to their customers. As proposed, the simplified notice is included as an example of how to comply with the regulation. This approach is at odds with the banking regulators' in that compliance with the examples are not safe harbors but are only issued as guidance. 23 To provide certainty in applying the regulation, we request that the SEC promulgate the simplified notice concept as part of the rule itself and not merely as an example to the rule. In the alternative, the SEC could take the banking regulators' approach of deeming the examples to be safe harbors.
E. Wrap Fee Programs and Subadvisory Accounts
Many investment advisers are engaged as money managers for wrap fee programs or retained as subadvisers by other investment advisers. Depending on how the relationship between the investment adviser, client, and sponsor of a wrap arrangement is structured, the investment adviser may or may not have direct customer contact. Similarly, investment advisers retained as subadvisers rarely have access to detailed information regarding the individual clients of the originating investment adviser. Where investment advisers do not have significant customer contact, the ICAA believes the Commission should not require the adviser to issue a privacy notice or should clarify that the entity with principal customer contact - the wrap sponsor or originating investment adviser - has the responsibility to issue the privacy notice.
Wrap fee programs typically are established either with individualized contracts between the investment adviser and client or through a master agreement between the investment adviser and the sponsor. If the investment adviser has direct client contact (which usually includes an advisory contract) the privacy regulation should apply. However, where a wrap fee program is established with a master agreement between the investment adviser and sponsor, the sponsor often collects the clients' personal nonpublic information for the benefit of the investment adviser. Account statements and subsequent communications also are created and sent to the client by the sponsor. In this context, the investment adviser is given only the individualized information that is necessary to manage the account and generally does not have direct contact or access to the client. Under the proposed regulation the wrap fee clients would have a customer relationship with the investment adviser, but the adviser may not have the necessary information to deliver the required notice.
Similarly, investment advisers engaged by other investment advisers as subadvisers typically do not have access to detailed customer information. The subadviser may only be given cursory account information and a lump sum of money to invest deploying a specific investment strategy. There may be little, if any, contact between the subadviser and the end client.
The release indicates that the SEC believes that omnibus clearing brokers do not have a consumer or customer relationship with the clients of the introducing broker-dealer.24 While the master wrap fee and subadvisory arrangements are not entirely analogous to the omnibus clearing arrangement, the circumstances are similar enough to warrant relief from the notice and opt-out requirements if the investment advisers engaged in these types of arrangements do not have access to detailed customer information.
If the SEC does not issue relief in this context, the ICAA supports the adoption of the joint notice concept discussed in the proposal. A joint notice would permit the broker-dealer and investment adviser to have one notice in the wrap fee context, as well as all subadvisers to an account. We support expanding the joint notice concept to permit a financial institution that maintains the client contact in such situations to have the sole responsibility for sending the privacy notices to joint customers.
III. SPECIFIC QUESTIONS POSED IN THE RELEASE
A. Should the definition of nonpublic personal information cover information about a consumer that contains no indicators of a consumer's identity?
The definition of "nonpublic personal information" should exclude information that includes no indicators of a consumer's identity. Preventing a financial institution from disclosing anonymous information does not further the intent of the privacy provisions of the Gramm-Leach-Bliley Act and actually may act as a disservice to consumers. Financial institutions disclose nonpublic information to third-party nonaffiliates for legitimate purposes, such as measuring the risk or verifying the return of a portfolio. Investment advisers also may commission studies to analyze statistical characteristics of their accounts. Although nonpublic personal information is disclosed to third-party nonaffiliates, it is done to benefit the consumer and the investment adviser. Absent identity-type information, there is no compelling threat of abuse and little gain in requiring a financial institution to include these types of disclosures in its notice.
B. Who should receive notice in situations in which there is more than one party to an account? How should the right to opt out apply in joint accounts? How should opt out rights apply to an investment adviser who manages a trust account on behalf of multiple beneficiaries?
Where there is more than one party to an account, the privacy notice should be sent to the party or parties that control the account. For investment advisers, the party that receives the privacy notice should be the signatory to the advisory contract or, absent a contract, the individual that has the authority to terminate the relationship with the investment adviser. Further, if multiple parties to an account would receive the privacy notice at the same address, the investment adviser should have the authority to "household" the notice.25
With respect to providing opt-out rights where there is more than one party to the same account, the SEC should promulgate a flexible rule permitting the financial institution to develop an appropriate practice. The assumption for the rule should be that if one party to an account opts out of information sharing, that opt out is binding on all the other parties to the account. However, if a financial institution wants to provide opt-out notices to individual parties to the same account, and cope with the resulting tracking issues, the rules should provide for that option.
The Commission specifically requests comment on how the opt-out requirement should apply to trust accounts. Assuming that a trust meets the definition of "customer," we believe the trustee in its sole discretion should have the authority to opt out. A trustee has a fiduciary obligation to the beneficiaries of the trust to act in their best interest. Additionally, investment advisers rarely have contact with individual beneficiaries. The regulation thus should clarify that an adviser may rely upon a trustee's decision whether to opt out.
C. What methods do financial institutions anticipate using to provide the notices?
The ICAA believes most investment advisers will issue the required privacy notice with other account documents. The initial notice to a new customer will likely be delivered with, or as part of, the advisory contract or the adviser's brochure.26 Annual notices are likely to be included in account statements, but also may be included with the required annual delivery, or offer of delivery, of the adviser's brochure. Although these are the likely methods of delivery, investment advisers should not be limited to these options. Some advisers may have separate mailings while others may wish to implement an electronic delivery system.
D. Should the SEC require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information?
The SEC should not require a financial institution that discloses nonpublic personal information to a third-party nonaffiliate to develop policies and procedures to monitor the nonaffiliate. First, establishing effective policies and procedures would be very difficult because the party to be monitored is a nonaffiliated entity. Second, with no affiliate relationship, the third party has little incentive to permit the financial institution access to determine its compliance. Third, few financial institutions and companies servicing the industry are going to risk regulatory action and the potential loss of business to violate the limitations placed on them by the privacy laws. Finally, a financial institution that legally discloses nonpublic personal information to a third-party nonaffiliate should not face liability for the actions of a nonaffiliate.
E. How long will financial institutions need to implement the final rules as adopted and when should they be required to deliver notices to existing customers?
The Gramm-Leach-Bliley Act requires the Commission to promulgate final privacy rules 6 months from enactment of the law, but gives the agency flexibility to prescribe the effective date.27 As stated in the Release, the Commission does not intend to make the privacy regulation effective until at least six months after adoption of the final rules. In addition, the Commission proposed a transition rule that would give financial institutions 30 days from the effective date of the regulation to deliver privacy notices to existing customers.
Although the ICAA anticipates that many investment advisers will issue the simplified privacy notice, the proposed effective date of November 13 is too ambitious. Large financial institutions may wish to develop comprehensive policies and procedures, which will necessitate integrating tracking mechanisms into existing computer systems. At a minimum, the ICAA requests that the regulation not take effect until January 1, 2001. Regardless of the effective date, the transition rule should be altered to permit investment advisers to coordinate their privacy notices with other account mailings that typically take place at year-end. Most investment advisers send year-end account statements as well as tax reporting forms to clients at the beginning of the year. Therefore, the ICAA requests the Commission to adopt a rule such that financial institutions have at least until mid-February 2001 to issue initial notices to existing customers.
IV. STATE AND FEDERAL GOVERNMENT COORDINATION
Although we realize the SEC cannot alter the provisions of the Gramm-Leach-Bliley Act, the ICAA is very concerned with the provision of the Act that permits states to adopt privacy provisions that are not consistent with the federal standard.28 Press reports have indicated that many states are considering doing just that. While the ICAA does not necessarily oppose tougher privacy laws, we have consistently opposed duplicative and inconsistent standards among and between the SEC and the various states. The ICAA suggests that the SEC work with state governments, state agencies and/or other federal agencies to the fullest extent possible to harmonize privacy policies across the United States with respect to federally registered investment advisers.29
V. CONCLUSION
Maintaining a consumer's personal privacy is an important issue in today's electronic age. The ICAA believes the interests of the consumer are best served with a regulation that does not impede the delivery of financial services, yet provides the consumer with a simple and concise notice that is easy to comprehend. For the most part, we believe the SEC has proposed such a regulation.
The ICAA commends the Commission staff for issuing such a thorough proposal in the short time period provided by Congress. We appreciate your consideration of our comments and would be pleased to work with you to clarify our letter or provide additional information. Please do not hesitate to contact us if we may be of assistance.
Sincerely,
David G. Tittsworth
Executive Director
Cc: The Honorable Arthur Levitt
The Honorable Norman S. Johnson
The Honorable Isaac C. Hunt, Jr.
The Honorable Laura S. Unger
The Honorable Paul R. Carey
Paul F. Roye, Esq.
1 The ICAA is a national not-for-profit association that exclusively represents federally registered investment adviser firms. Founded in 1937, our membership today consists of over 250 investment advisory firms that collectively manage in excess of $2 trillion for a wide variety of institutional and individual clients. For more information, please see the ICAA's web site at www.icaa.org.
2 SEC Release Nos. 34-42484, IC-24326, IA-1856, File No. S7-6-0 (Mar. 2, 2000), 65 FR 12354 (March 8, 2000).
3 Pub. Law No. 106-102 (1999).
4 "[We] assume that most investment advisers do not share [nonpublic personal] information with any third parties." Release at 12366.
5 For the full text of the ICAA Standards of Practice, please see the ICAA web site at www.icaa.org.
6 The ICAA Investment Adviser, Volume 2, pg. II-23.
7 "Customer means a consumer who has a customer relationship with you." Section 248.3(j), Release at 12371.
8 Section 248.3(g)(1), Release at 12370.
9 "We also request comment on how the opt out right should apply to an investment adviser who manages a trust account on behalf of multiple beneficiaries." Release at 12362. If the Commission treats "individual" as a "natural person," an investment adviser would not have to issue privacy or opt-out notices to clients that are not natural persons, e.g., a trust.
10 Investment advisers with a primarily institutional clientele often have natural persons as accommodation clients. With respect to such accommodation clients, the regulation should apply.
11 The exceptions are established in Sections 502(b)(2) and 502(e) of the Act. Section 502(b)(2) provides an exception from the opt-out provisions if a financial institution enters into a contractual agreement with a nonaffiliated third party to perform services for or functions on its behalf, or if services are offered pursuant to a joint agreement. Section 502(e) permits a financial institution to share information with a nonaffiliated third party in certain circumstances, including: (1) to effect, administer, or enforce a transaction requested or authorized by the consumer, (2) with the consent of the consumer, or (3) to prevent fraud.
12 Exception to opt out requirements for service providers and joint marketing. Section 248.9, Release at 12374.
13 Full disclosure consists of a separate description in the privacy notice of the categories of information the financial institution discloses and the categories of the financial institutions with whom it has contracted. Section 248.6(a)(5), Release at 12373.
14 Exceptions to notice and opt out requirements for processing and servicing transactions. Section 248.10, Release at 12375.
15 Other exceptions to notice and opt out requirements. Section 248.11, Release at 12375.
16 "...When describing the categories with respect to those parties, you are only required to state that you make disclosures to other nonaffiliated third parties as permitted by law." Section 248.6(b), Release at 12373.
17 Custodians are typically banks or broker-dealers, both of which come under the auspices of the Gramm-Leach-Bliley Act's privacy provisions. When a person opens an account with a custodian, the custodian will also have to deliver its own privacy and opt-out notice.
18 Supra, fn. 15.
19 Section 248.10 excepts disclosures from the notice and opt-out requirements if a financial institution discloses nonpublic personal information "to service or process a financial product or service requested or authorized by the consumer." Release at 12375.
20 The requirements for initial notice and opt out do not apply when you disclose nonpublic personal information "(1) with the consent or at the direction of the consumer...[or] to persons acting in a fiduciary or representative capacity on behalf of the consumer..." Section 248.11(a), Release at 12375.
21 Section 248.12(a)(2) limits a financial institution's disclosure of nonpublic personal information it receives from a nonaffiliated financial institution. Release at 12375, 12376.
22 Section 248.12(b)(2) limits a third-party nonaffiliate's disclosure of nonpublic personal information it receives from a financial institution. Release at 12376.
23 "The banking agencies' proposal provides that, to the extent applicable, compliance with the examples would constitute compliance with the applicable rule. See, e.g., Banking Agencies' Proposal, proposed §§ 40.2, 216.2, 332.2, 573.2. The examples in [the SEC's] proposed rules, however, would not provide the same safe harbor. The examples are intended to describe ordinary situations that would comply with the applicable rule, but the particular facts and circumstances relating to each specific situation will determine whether compliance with an example constitutes compliance with the rule." Release at fn. 5.
24 "An individual who has an account with an introducing broker and whose securities are carried by a clearing broker in a special omnibus account in the name of the introducing broker is not a consumer for purposes of the clearing broker if it receives no nonpublic personal information about the consumer." Release at 12356.
25 Delivery of Proxy and Information Statements to Households, Rel. Nos. 33-7767, 34-42102, IC-24124, File No. S7-26-99 (Nov. 5, 1999).
26 Rule 204-3 of the Investment Advisers Act of 1940 requires an adviser to deliver its brochure at least 48 hours prior to entering into an advisory contract or at the time of entering into the contract. Use of a separate privacy heading in the advisory contract or Form ADV should be deemed "clear and conspicuous."
27 See Section 504(a)(3) and Section 510, Pub. Law No. 106-102 (1999).
28 See Gramm-Leach-Bliley Act, Relation to State Laws, Section 507, Pub. Law No. 106-102 (1999).
29 See March 27, 2000 letter from Karen L. Barr, ICAA General Counsel to Jonathan G. Katz, Secretary, SEC, re: Release No. 33-7808, File No. S7-08-00, Annual Conference on Uniformity of Securities Laws.