Institute Comments on SEC Privacy Proposal
Washington, DC, April 4, 2000 - The Securities and Exchange Commission recently proposed Regulation S-P relating to the privacy of consumer financial information. In a comment letter, the Institute generally supported the proposal, but had a number of comments and requests for clarification. Institute comments addressed:
- the use of examples in the rules;
- several issues relating to the notices required under the rules;
- certain definitional issues concerning what information triggers the notice requirements;
- issues related to sharing information with nonaffiliated third parties;
- the proposed effective date and transition rule; and
- the proposal concerning procedures to safeguard customer records and information.
Gramm-Leach-Bliley Act Requirements
The Gramm-Leach-Bliley Act requires the Commission to prescribe regulations relating to the privacy and confidentiality of customers’ nonpublic personal information held by the financial institutions subject to the Commission’s jurisdiction. Proposed Regulation S-P satisfies this mandate by requiring every broker-dealer, investment company and investment adviser to:
- provide each of its customers with a notice of its privacy policies and practices at the time of establishing the customer relationship (the "initial notice") and annually thereafter (the "annual notice");
- provide each of its consumers (who have not yet become customers) with an initial notice before disclosing nonpublic personal information about that consumer to a nonaffiliated third party;
- refrain from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution has provided the consumer with an initial notice and an additional notice describing that practice and the consumer’s right to prevent it (the "opt out notice"); and
- adopt policies and procedures reasonably designed to: (a) ensure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The use of examples. Regulation S-P includes a number of examples designed to illustrate how the rules would apply in particular circumstances. Although the Institute supported the use of examples, it strongly encouraged the Commission to give the examples the force and legal effect of a safe harbor, as the parallel privacy proposals issued by the other federal regulators would do.
The method of providing the required notices. The Institute made a number of comments relating to the method of providing initial, annual and opt out notices under the rule. In particular, the Institute urged the Commission to clarify that an investment company would satisfy its initial and annual notice obligations with respect to a customer if he or she receives a fund prospectus, annual report or investor newsletter that contains the relevant privacy disclosure in a clear and conspicuous manner. Similarly, the Institute recommended adding a further example stating that initial notices may be included in account application forms.
The timing of the required notices. The Institute urged the Commission to delete the requirement that initial notices be delivered "prior to" establishing a customer relationship. The Institute stressed that the Commission should permit investment companies to provide initial privacy notices at the time of the confirmation of a purchase of fund shares.
The persons entitled to receive notices: consumers and customers. Consistent with the Gramm-Leach-Bliley Act, proposed Regulation S-P draws a distinction between "consumers" and "customers." While the Institute supported the adoption of the definitions of consumer and customer as proposed, it had a number of comments and requests for clarification.
The Institute strongly recommended deletion of the example indicating that an individual who provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain brokerage services or investment advisory services is a consumer, whether or not the financial institution actually provides such services or establishes an ongoing relationship.
The Institute suggested clarifying that an investor that purchases shares of an investment company in his or her own name has, in effect, entered into a relationship with the entire fund complex of which the fund is a part.
The Institute recommended that the Commission clarify that a fund transfer agent is a service provider to the investment company and does not, by acting in that capacity, establish a customer relationship with fund shareholders for purposes of Regulation S-P.
Finally, the Institute recommended that the Commission clarify that an investment company shareholder can be provided with a single notice on behalf of the entire fund complex.
The application of the notice requirements to purchases through intermediaries. The proposed rule provides that an investment company shareholder who is not the record owner of fund shares does not have a customer relationship with the investment company. The Institute generally supported this approach, but noted that tying the existence of a customer relationship to record ownership of fund shares may be inappropriate in certain circumstances. The Institute therefore recommended that the Commission provide that a shareholder who purchases fund shares through an intermediary is a consumer, rather than a customer, of a fund complex where (i) the complex has nonpublic personal information about the consumer and (ii) the complex does not use that shareholder’s personal information for any purpose other than servicing or administering his or her account.
The application of Regulation S-P to retirement plans. Neither the Release nor the proposed rules specifically address the application of proposed Regulation S-P to retirement plans. The Institute recommended that the Commission clarify that the rules are not intended to apply in this context.
Sharing information with nonaffiliated third parties. The Gramm-Leach-Bliley Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless, in addition to other things, the institution provides the consumer with a reasonable opportunity to opt out of that disclosure and the consumer does not opt out. The Institute commented on the meaning of "a reasonable opportunity to opt out," supporting the inclusion of an example discussed in the Release relating to notices sent by traditional mail. The Institute also strongly supported the addition of one or more examples relating to electronic media, since the length of time necessary to afford a reasonable opportunity to exercise an opt out may substantially differ according to the medium by which the opt out is offered. The proposed rules also provide that consumers and customers have the right to opt out at any time and that, if they do so, the financial institution must stop sharing information as soon as reasonably practicable. The Institute strongly supported the flexible, "as soon as reasonably practicable" standard as proposed.
The effective date and the transition rule. In accordance with the Gramm-Leach-Bliley Act, the Commission proposed an effective date for proposed Regulation S-P of November 13, 2000. In addition, under the proposal, initial privacy notices would have to be provided to consumers who are customers as of the effective date within 30 days of the effective date. The Institute noted that while compliance with Regulation S-P will be a significant undertaking for financial institutions, implementing these extensive new privacy protections as soon as reasonably practicable is good public policy. Accordingly, the Institute supported the November 13 effective date as proposed. The Institute strongly recommended, however, that the Commission extend the proposed transition period for providing initial privacy notices to persons who are customers as of the effective date to 90 days after the effective date. This would allow these notices to be included in year-end statements for 2000.
Standards relating to administrative, technical and physical safeguards. The Commission proposed that every broker, dealer, investment company and registered investment adviser be required to adopt policies and procedures reasonably designed to:
- ensure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The Institute strongly supported this rule as proposed, particularly its flexible, process-based approach. However, the Institute recommended that the Commission add an example clarifying that the various financial institutions in a fund complex could (but are not required to) satisfy their obligations under this rule by adopting a single, complex-wide set of policies and procedures. The Institute further recommended that the example clarify that these policies and procedures could be administered by the entity that maintains the information, which typically would be the fund’s transfer agent.