Memo #
11490

INSTITUTE MAKES RECOMMENDATIONS TO SEC FOR PRIVACY RULEMAKING

[11490]

December 22, 1999

TO: SEC RULES COMMITTEE No. 109-99
    SEC PRIVACY RULES WORKING GROUP

RE: INSTITUTE MAKES RECOMMENDATIONS TO SEC FOR PRIVACY RULEMAKING

______________________________________________________________________________

As you know, Title V of the recently enacted Gramm-Leach-Bliley Act contains two provisions requiring the Securities and Exchange Commission to promulgate rules relating to the privacy and confidentiality of customers’ nonpublic personal information held by the financial institutions subject to the Commission’s jurisdiction.[1] The rules must be adopted by May 12, 2000. Accordingly, we expect privacy rules to be proposed early next year. In anticipation of that proposal, the Institute has submitted a letter providing Commission staff with a few preliminary recommendations. Our comments address: (1) the appropriate entity or entities to provide the notices required by the Act; (2) the form, location and content of those notices; and (3) the standards for establishing administrative, technical and physical safeguards to protect the safety and security of customer records that are required to be adopted by the Commission. A copy of the letter, summarized below, is attached.

Entity Responsible for Providing Notices

In general, the Act imposes a disclosure regime with respect to privacy. All financial institutions are required to provide customers with notice of their policies with respect to protecting the confidentiality and security of nonpublic personal information and sharing that information with affiliates and others (a “privacy policy notice”). Financial institutions also must provide customers with additional disclosure before nonpublic personal information can be shared with a nonaffiliated third party (an “opt-out notice”). These notices must be provided in accordance with regulations prescribed by the Commission.

One of the most important questions to be resolved for the mutual fund industry concerns which entity should be required to provide the notices prescribed by the Act. In this regard, the letter makes two recommendations:

- For shares sold through intermediaries, the letter recommends that the intermediary be required to provide the notices, rather than the fund. The shareholder in this situation has entered into a direct customer relationship with the intermediary (e.g., by opening a brokerage or other account), and it is the intermediary’s privacy policy, rather than the fund’s, that would be relevant to the shareholder.

- For shares sold directly to investors (i.e., not through an intermediary), the letter recommends that the Commission define the customer relationship to be between the shareholder and the fund complex. This would permit any entity in the complex to provide the notices required by the rules, eliminating the need for customers to receive notices from each financial institution in the fund complex.

Initial and Annual Notices Required by the Act

The Act requires a privacy policy notice to be provided at the time a customer relationship is established and at least annually thereafter. It also requires an opt-out notice to be provided before the financial institution engages in certain activities, such as sharing nonpublic personal information with nonaffiliated third parties. The letter urges the Commission to propose rules that will permit financial institutions to determine the most appropriate vehicle for providing a required notice, so long as it is reasonably designed to reach investors.

Standards for Administrative, Technical and Physical Safeguards

The Act requires the Commission to establish appropriate standards for administrative, technical and physical safeguards to protect customers’ nonpublic personal information. The letter urges the Commission to avoid prescriptive rules in this area. Rather, it recommends that the Commission propose rules requiring fund complexes to adopt written procedures reasonably designed to protect the security and confidentiality of customer records and information. The letter indicates that this approach would ensure that every fund complex has appropriate procedures in place to protect the integrity, confidentiality and security of customer information, while allowing fund complexes the flexibility to tailor and amend those procedures as appropriate.

Robert C. Grohowski
Assistant Counsel

Attachment

[1] See Memorandum to SEC Rules Committee No. 99-99, dated November 22, 1999.
