- Fund Regulation
- Retirement Security
- Trading & Markets
- Fund Governance
- ICI Comment Letters
May 29, 2007
Nancy M. Morris, Secretary
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: File No. S7-09-07, Model Privacy Form
Dear Ms. Morris:
The Investment Company Institute1 is writing to support the Interagency Proposal for a model short-form privacy notice under the Gramm-Leach-Bliley (“GLB”) Act.2 The short-form privacy notice is meant to improve, simplify, and standardize required disclosure. These are all laudable goals that we fully support. We also, in particular, strongly support the extension of a safe harbor to SEC registrants that use the model privacy notice.
We have some reservations, however, about “eliminating” prior guidance on privacy notices. We are concerned that the elimination of the guidance, in combination with extending the safe harbor for use of the model notice, as a practical matter, may adversely affect registrants that use customized privacy notices in lieu of the model notice. These concerns, as well as our specific comments on the proposed short-form notice, are set forth below.
Table of Contents
If adopted, use of the short-form notice will satisfy the content requirements for privacy notices. This will provide SEC registrants using the notice “safe harbor” comfort that they do not currently have for privacy notices that are based on the sample clauses in Appendix A of Regulation S-P (the “Sample Clauses”). We strongly support the extension of “safe harbor” status to registrants using the model form.
While Model Form S-P would provide a safe harbor, the instructions make clear that use of the model form is voluntary, and the Notice further clarifies that “institutions could continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule.”3 This is an important clarification. By design, a standardized form meant for use by many types of financial institutions limits the ability to tailor its contents to particular circumstances, and some institutions may prefer to continue to use the customized privacy notices that they have developed pursuant to Regulation S-P.
As mentioned above, however, we are concerned that the Commission’s proposal to formally eliminate the Sample Clauses as guidance may adversely impact registrants that choose to use custom privacy notices. The Sample Clauses do not have safe harbor status and were adopted by the SEC merely as guidance. Even taking as given the statement in the Notice that “research to date indicates that the language in the Sample Clauses is confusing,” there have been no changes to Regulation S-P that would render the Samples Clauses moot or no longer helpful in drafting the required disclosure. Accordingly, the Sample Clauses continue to serve a useful function by providing guidance to registrants who might choose not to use the model form and we recommend they be retained. Should the Commission determine to eliminate the Sample Clauses notwithstanding our objection, we strongly recommend that the Commission clarify the significance of their elimination. Specifically, the Commission should state that notices that are based on the Sample Clauses will not be deemed per se inadequate or inappropriate.
As noted above, the model form has been proposed for use by a variety of federal financial institutions including, in addition to SEC registrants, thrift institutions, banks, credit unions, commodity firms, and entities regulated by the Federal Trade Commission. Developing a standardized form for use by these varied institutions obviously limits what information specific to a particular type of institution may be included in the form. We are pleased that, notwithstanding this limitation, the Commission has expressly sought comment on two issues of interest to our members. The first is whether the standardized provisions and vocabulary in the proposed form are sufficient to allow SEC-registrants to accurately disclose their information sharing practices. As discussed in more detail below, we believe that the standardized provisions and vocabulary may not be sufficient to communicate effectively with investors and may, consequently, result in greater confusion among investors. Minor edits to the form, however, should alleviate these concerns.
The second issue is whether SEC registrants should be able to omit certain terms from the form that may not apply to their information collection or sharing practices. To ensure that investors only receive meaningful disclosure regarding a financial institution’s practices, we strongly recommend that the SEC permit registrants to omit from the form any information that is inapplicable to their practices. Requiring all registrants to include irrelevant information in the name of uniformity may cause the disclosure to be confusing, and possibly misleading, and thus may ultimately undermine one of the principal purposes of having a model form – to better communicate with investors.
Our specific recommendations are discussed in greater detail below.
As a preliminary matter, we recommend that the Commission clarify in the adopting release that the delivery requirements set forth in §248.9 of Regulation S-P will continue to govern the delivery of the model form. Section 248.9 requires privacy notices to be provided so that each consumer can reasonably be expected to receive actual notice in writing or electronically. Examples of reasonable expectation of actual notice cited in the regulation include hand-delivering or mailing a printed copy or posting the notice electronically and requiring the consumer to acknowledge receipt as a necessary step to obtaining a particular financial product or service.
Consistent with this recommendation, we further recommend that the SEC provide registrants greater flexibility in providing the form to investors than is currently proposed in the instructions to the form. Certain instructions to Model Form S-P that require the form to be produced only on 8.5” x 11” paper. Many mutual funds currently provide their privacy notices to investors by including them in their prospectuses, and many investment advisers include their privacy notices as part of their disclosure pursuant to the brochure rule (Rule 204-3 under the Investment Advisers Act of 1940). So long as a registrant reproduces the form in a way that satisfies the font, page layout, page content, format, style, pagination, shading format, logo, and color requirements of the instructions to the form, it should be permitted to deliver the form in a prospectus or an adviser’s brochure even though that delivery does not comply with the 8.5” x 11” paper requirement. In support of this recommendation we note that enabling registrants to provide the notice as part of a prospectus or advisory brochure may increase the likelihood that their customers retain the information by decreasing the likelihood that the notice will be inadvertently separated or misplaced.
We also recommend that the Commission clarify that, rather than requiring that each page of the form be produced on separate sheets of paper, registrants may print pages one and two of the form on the front an back of a single sheet of paper (including on the front and back of a prospectus page or an adviser’s brochure page). This may substantially reduce implementation costs. One member of the Institute has estimated that producing the model notice on separate sheets of paper will increase their costs between $350,000 and $400,000 annually; another has estimated their increased costs at $291,000. Such costs are likely to deter registrants from using the form.
The Notice states that the federal regulators “recognize that institutions may post their privacy notices on their Internet sites, as well as deliver paper or email versions to their customers,” and suggests that “institutions that post a PDF version of the proposed model privacy form may obtain a safe harbor.” We appreciate this clarification and strongly recommend that, in the final adopting release, the Commission again expressly affirm the right of registrants to deliver the model form electronically. As you know, Regulation S-P provides registrants with the ability to satisfy notice delivery requirements by posting the notice on an electronic site and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.4 Many registrants take advantage of this to electronically provide their privacy notices. In light of this and the fact that certain instructions to Model Form S-P presuppose a hard copy notice,5 the Commission should provide further guidance as to how registrants can deliver Model Form S-P electronically can furnish the form and still be eligible for the safe harbor protection.6
The Notice seeks comment on whether federal regulators should develop a web-based design for financial institutions to use on their Internet sites. The Institute supports such an effort. Because disclosure on the Internet is not bound by the four corners of a paper document, it can provide more user-friendly, interactive, and layered disclosure. For example, as applied to Model Form S-P, instead of reading a list of “affiliates” in a pdf version of the form, which complies with the space limitations of the paper form, a link in the web-version of the form could take the user to a complete list of affiliates not limited by size constraints. Similarly, instead of page three of the form providing a web address that can be used to contact the registrant, the web-based form could enable the user to interact directly with the registrant. These functionalities could make the form more robust and interactive than a paper document and we believe that the Commission should capitalize on these benefits. We recommend, therefore, that the Commission develop a web-based version of the model form that is accorded safe-harbor treatment and can be used in lieu of a pdf version. If the Commission pursues this initiative, we would ask it to seek additional public comment on these issues because of the differences between Internet-based and paper-based disclosures.
The Institute supports the ability of registrants to use the Model Form for purposes of sending out joint notices with their affiliates and other financial institutions that are subject to the privacy provisions of the GLB Act. Notwithstanding our recommendations set forth below that relate to tailoring Model Form S-P to reflect more accurately the information collection and sharing practices of SEC registrants, we support the regulators providing registrants the ability to utilize joint notices that cover a variety of financial institutions that are subject to multiple regulators’ jurisdiction. As part of the current initiative, we strongly recommend that the Commission work with its fellow regulators either to establish a single joint form or provide guidance to registrants to enable them to tailor their chosen model form to cover more than one type of financial institution.
We also recommend that the Commission clarify, consistent with Section 248.9(f) of Regulation S-P, that a registrant can provide a Model Form S-P that covers financial institutions other than the registrant’s affiliates that are identified in the form so long as the disclosure in the form is accurate with respect to the registrant and the other institutions. This clarification is particularly necessary for mutual funds that may be reliant on non-affiliated financial institutions (e.g., an external transfer agent) to process customers’ mutual fund transactions.
To enhance the disclosures in Model Form S-P, the Institute recommends a number of specific revisions to the form. A “redlined” example of the form, showing all of our recommendations, is attached at the end of our letter.
The instructions governing what must be included in the “FACTS” section of the form specify that either the name of the institution or of the group of affiliated institutions providing the notice must be inserted in this section. For a mutual fund complex, the space limitations of this section may preclude listing each of the institutions or even the group of affiliated institutions covered by a single notice. We therefore recommend that the Commission provide flexibility regarding the name of the entity a registrant lists in this section. For example, the Commission should permit a registrant to insert the brand name used by the registrant in lieu of listing the group of affiliated institutions. To the extent the Commission believes it important for the form to include all the institutions within the brand, this information could be set forth either in a footnote to page one of the model form or in the “affiliate” section on page two of the form.
As mentioned above, the Institute recommends that the Commission permit registrants to omit irrelevant (and potentially misleading or confusing) information from the form. For most mutual funds, the primary example of this is the form’s repeated references to credit-related information such as credit history, credit scores, creditworthiness, and credit bureaus. Most mutual funds do not, and likely never will, need to collect this information, and thus the reference to it on the form would not be meaningful to mutual fund investors. Accordingly, we recommend that the SEC permit registrants that do not collect credit history or credit scores or share information with credit bureaus to delete reference to this information from throughout the model form.7 (The first such reference appears in the “WHAT” section of the form, which lists “credit history, and credit scores” as types of personal information the financial institution may collect.)
We also recommend that the Commission consider adding a bullet in the “WHAT” section of the form to read “ bank account information if you sign up for certain account options we offer.” This would address those instances in which some investment companies collect bank account information from shareholders who sign up for certain account options (e.g., ACH transfer of dividends or redemption proceeds).
First Row: We recommend that the disclosure in this portion of the form be supplemented to disclose some of the more widely-used purposes for which information is shared for business purposes. In particular, we recommend that this row read: “For our everyday business purposes – to process your transactions, maintain your account, protect against or prevent fraud or unauthorized transactions, or comply with federal, state, or local laws or other applicable legal requirements. This sharing may be with non-affiliates.”
Fifth Row: We recommend that the Commission permit registrants whose affiliates do not obtain creditworthiness information on the registrant’s customers be permitted to delete this entire row to avoid misleading recipients of the form.
First Row: We recommend that the right-hand column of this row be revised to more closely track each of the three instances in which an investor will be provided a copy of the institution’s privacy notice. In particular, we recommend adding the following underscored language to this section: “We must notify you about our sharing practices when you open an account, when we make a material change to our sharing practices, and each year while you are a customer.”
Second Row: Because Regulation S-P does not expressly mention “secured files and buildings,” we recommend adding the word “may” in the right-hand column of this row to read, in relevant part, “These measures may include . . .”
Third Row: To avoid recipients of the form being provided misleading or confusing information, we recommend that the SEC permit registrants to delete from the bullets in this box any information (e.g., “deposit money,” “pay your bills,” “apply for a loan,” or “use your credit or debit card”) that does not accurately reflect purposes for which the financial institution collects personal information. We also recommend adding the word “may” to the last sentence in this box, in addition to permitting registrants, as appropriate, to delete the reference to credit bureaus. This sentence as revised, in relevant part, would read “We may also collect your personal information . . .”
Fourth Row: The Institute recommends that the Commission permit registrants to delete the first bullet in its entirety if the registrant does not share information about the customer’s creditworthiness. We also recommend that the second and third bullets be collapsed into one bullet that reads “affiliates or non-affiliates for marketing purposes.” We recommend that an additional bullet consistent with Regulation S-P be added to read: “non affiliates unless the sharing is (1) related to processing and servicing your transactions, (2) for specified purposes authorized by law, or (3) with our service provider(s) for our joint marketing arrangements.”
We recommend that the last sentence in this box be deleted. The specific question posed on the form is “Why can’t I limit all sharing?” If individual companies choose to permit investors to limit all types of sharing, they should be permitted to say so in the response (e.g., by stating that, “In fact, you may. We voluntarily go beyond Federal and state law and provide you the right to limit all sharing.”). If the company does not choose to grant investors that right, the answer to the question posed is appropriately contained in the model form response that refers to Federal law.
Everyday business purposes: We recommend that the Commission permit registrants to delete the second bullet if inapplicable to the registrant’s business practices. We also recommend that the last bullet be deleted and replaced with new bullets that likely are more relevant to the sharing practices of SEC registrants. We suggest that these two new bullets read:
- protecting against or preventing fraud or unauthorized transactions
- complying with federal, state, or local laws or other applicable legal requirements including court orders and legal investigations
Affiliates: The instructions to the “Affiliate” section of the form may be confusing in that the first sentence requires the registrant to list the “categories of its affiliates,” while the second sentence, which provides an example of the required disclosure, requires the registrant to “list companies.” Also, requiring a registrant to list each affiliate or affiliated brand by company might exceed the space limitations of this box. To address these issues, we recommend that the instructions be revised to expressly provide registrants the option of listing either: (1) categories of its affiliates, or (2) a representative sample or such affiliates.8 We additionally recommend that the Commission permit registrants to omit from the list any affiliate with which it does not share information covered by Regulation S-P.
Contact us: We recommend that the last sentence in the right-hand column of this section be revised to insert immediately before the period at the end of this sentence, “and we will implement your instructions as soon as reasonably practical.” This addition, which is consistent with the requirements of § 248.7(e), would alert recipients of the notice as to when the registrant will implement any opt-out instructions received from such recipient.
* * *
The Institute appreciates the opportunity to provide you these comments on proposed Model Form S-P. If you have any questions concerning these comments or would like additional information about our views, please contact Tamara Salmon of the Institute at 202/326-5825 or email@example.com. We again commend you and the other federal regulators for your efforts to enhance and streamline the disclosure provided to customers and consumers under the GLB Act.
Securities Regulation – Investment Companies
cc: Andrew J. Donohue, Director
Penelope Saltzman, Branch Chief
Vince Meehan, Senior Counsel, Office of Regulatory Policy
Division of Investment Management
1 The Investment Company Institute is the national association of the U.S. investment company industry. The Investment Company Institute’s membership includes 8,826 open-end investment companies (mutual funds), 666 closed-end investment companies, 398 exchange-traded funds, and four sponsors of unit investment trusts. Mutual fund members of ICI have total assets of approximately $10.634 trillion (representing 98 percent of all assets of U.S. mutual funds); these funds serve approximately 93.9 million shareholders in more than 53.8 million households.
2 Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act; Proposed Rule, SEC Release No. 34-55497 ((Mar. 20, 2007), 72 Fed. Reg. 14940 (Mar. 29, 2007) (the “Notice”). The Institute’s comments relate to Model Form S-P.
3 Notice at n.22.
4 See Section 248.9(b)(1)(iii) of Regulation S-P.
5 For example the requirement in Item 3(c) of the Instructions to the Form that requires “Each page of the model form to be printed on one side of an 8.5 by 11 inch paper in portrait orientation.”
6 Previously in this letter the Institute has recommended that the SEC provide greater flexibility to registrants in providing the model form to investors so it can be incorporated into other documents registrants must deliver to investors. Similar flexibility should be provided to registrants that elect to deliver the form via their website either in a prospectus, Part II of Form ADV, as linked through an icon, or otherwise.
7 We recognize, however, that there are some SEC registrants (e.g., broker-dealers whose customers have margin accounts) that do collect or share this type of information and that would need to retain this information in their disclosure.
8 Registrants that need to truncate their list might also be required to refer the recipient of the form to a more complete list of affiliates either on the registrant’s website or in another disclosure document (e.g., a mutual fund prospectus or adviser’s Form ADV).