Memo #
11775

INSTITUTE COMMENTS ON PROPOSED REGULATION S-P

[11775]

April 4, 2000

TO: BOARD OF GOVERNORS No. 19-00
INVESTMENT ADVISER ASSOCIATE MEMBERS No. 10-00
INVESTMENT ADVISER MEMBERS No. 9-00
SEC RULES MEMBERS No. 21-00
UNIT INVESTMENT TRUST COMMITTEE No. 12-00
SEC PRIVACY RULES WORKING GROUP

RE: INSTITUTE COMMENTS ON PROPOSED REGULATION S-P
______________________________________________________________________________

The Securities and Exchange Commission recently proposed Regulation S-P relating to the privacy of consumer financial information.1 The Institute’s comment letter on the proposal, which was filed on March 31st, is attached. The Institute generally supported the proposal, although we had a number of comments and requests for clarification. Our comments addressed: (1) the use of examples in the rules; (2) several issues relating to the notices required under the rules; (3) certain definitional issues concerning what information triggers the notice requirements; (4) issues related to sharing information with nonaffiliated third parties; (5) the proposed effective date and transition rule; and (6) the proposal concerning procedures to safeguard customer records and information. Our principal comments are summarized below.

1 SEC Release Nos. 34-42484, IC-24326, IA-1856 (March 2, 2000), 65 Fed. Reg. 12354 (March 8, 2000) (the “Release”). See also Memorandum to Board of Governors No. 11-00, Investment Adviser Associate Members No. 5-00, Investment Adviser Members No. 5-00, SEC Rules Members No. 17-00, and Unit Investment Trust Members No. 3-00, dated March 6, 2000.

Background

The Gramm-Leach-Bliley Act (the “G-L-B Act”) requires the Commission to prescribe regulations relating to the privacy and confidentiality of customers’ nonpublic personal information held by the financial institutions subject to the Commission’s jurisdiction.
Proposed Regulation S-P satisfies this mandate by requiring every broker-dealer, investment company and investment adviser to:

(i) Provide each of its customers with a notice of its privacy policies and practices at the time of establishing the customer relationship (the "initial notice") and annually thereafter (the "annual notice");

(ii) Provide each of its consumers (who have not yet become customers) with an initial notice before disclosing nonpublic personal information about that consumer to a nonaffiliated third party;

(iii) Refrain from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution has provided the consumer with an initial notice and an additional notice describing that practice and the consumer’s right to prevent it (the "opt out notice"); and

(iv) Adopt policies and procedures reasonably designed to: (a) insure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

2 The distinction between consumer and customer determines the notices that a financial institution must provide. If a consumer never becomes a customer, the institution is not required to provide any notices to the consumer unless the institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties (outside of the enumerated exceptions) – in which case the institution would provide initial and opt out notices. By contrast, if a consumer becomes a customer, the institution must provide an initial notice before it establishes the customer relationship and an annual notice during the continuation of the customer relationship (as well as an opt out notice if necessary).

Institute Comments

The use of examples. Regulation S-P includes a number of examples designed to illustrate how the rules would apply in particular circumstances. Although we supported the use of examples, we strongly encouraged the Commission to give the examples the force and legal effect of a safe harbor, as the parallel privacy proposals issued by the other federal regulators would do.

The method of providing the required notices. We made a number of comments relating to the method of providing initial, annual and opt out notices under the rule. In particular, we urged the Commission to clarify that an investment company would satisfy its initial and annual notice obligations with respect to a customer if he or she receives a fund prospectus, annual report or investor newsletter that contains the relevant privacy disclosure in a clear and conspicuous manner. Similarly, we recommended adding a further example stating that initial notices may be included in account application forms.

The timing of the required notices. We urged the Commission to delete the requirement that initial notices be delivered “prior to” establishing a customer relationship. We stressed that the Commission should permit investment companies to provide initial privacy notices at the time of the confirmation of a purchase of fund shares.

The persons entitled to receive notices: consumers and customers. Consistent with the G-L-B Act, proposed Regulation S-P draws a distinction between “consumers” and “customers.”2 While we supported the adoption of the definitions of consumer and customer as proposed, we had a number of comments and requests for clarification.
We strongly recommended deletion of the example indicating that an individual who provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain brokerage services or investment advisory services is a consumer, whether or not the financial institution actually provides such services or establishes an ongoing relationship.

We suggested clarifying that an investor that purchases shares of an investment company in his or her own name has, in effect, entered into a relationship with the entire fund complex of which the fund is a part.

We recommended that the Commission clarify that a fund transfer agent is a service provider to the investment company and does not, by acting in that capacity, establish a customer relationship with fund shareholders for purposes of Regulation S-P.

Finally, we recommended that the Commission clarify that an investment company shareholder can be provided with a single notice on behalf of the entire fund complex.

3 We recognized that a fund complex may have individual plan participant information and therefore noted that if the Commission disagreed with our recommendation, it should treat these situations in a manner analogous to our recommendation above with respect to purchases of fund shares through intermediaries. Thus, where a fund complex has nonpublic personal information about individual retirement plan participants, those participants would be considered consumers of that complex, rather than customers.

The application of the notice requirements to purchases through intermediaries. The proposed rule provides that an investment company shareholder who is not the record owner of fund shares does not have a customer relationship with the investment company. We generally supported this approach, but we noted that tying the existence of a customer relationship to record ownership of fund shares may be inappropriate in certain circumstances.
We therefore recommended that the Commission provide that a shareholder who purchases fund shares through an intermediary is a consumer, rather than a customer, of a fund complex where (i) the complex has nonpublic personal information about the consumer and (ii) the complex does not use that shareholder’s personal information for any purpose other than servicing or administering his or her account.

The application of Regulation S-P to retirement plans. Neither the Release nor the proposed rules specifically address the application of proposed Regulation S-P to retirement plans. We recommended that the Commission clarify that the rules are not intended to apply in this context.3

Sharing information with nonaffiliated third parties. The G-L-B Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless, in addition to other things, the institution provides the consumer with a reasonable opportunity to opt out of that disclosure and the consumer does not opt out. We commented on the meaning of “a reasonable opportunity to opt out,” supporting the inclusion of an example discussed in the Release relating to notices sent by traditional mail. We also strongly supported the addition of one or more examples relating to electronic media, since the length of time necessary to afford a reasonable opportunity to exercise an opt out may substantially differ according to the medium by which the opt out is offered. The proposed rules also provide that consumers and customers have the right to opt out at any time and that, if they do so, the financial institution must stop sharing information as soon as reasonably practicable. We strongly supported the flexible, “as soon as reasonably practicable” standard as proposed.

The effective date and the transition rule. In accordance with the G-L-B Act, the Commission proposed an effective date for proposed Regulation S-P of November 13, 2000.
In addition, under the proposal, initial privacy notices would have to be provided to consumers who are customers as of the effective date within 30 days of the effective date. We noted that while compliance with Regulation S-P will be a significant undertaking for financial institutions, implementing these extensive new privacy protections as soon as reasonably practicable is good public policy. Accordingly, we supported the November 13th effective date as proposed. We strongly recommended, however, that the Commission extend the proposed transition period for providing initial privacy notices to persons who are customers as of the effective date to 90 days after the effective date. This would allow these notices to be included in year-end statements for 2000.

Standards relating to administrative, technical and physical safeguards. The Commission proposed that every broker, dealer, investment company and registered investment adviser be required to adopt policies and procedures reasonably designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. We strongly supported this rule as proposed, particularly its flexible, process-based approach. However, we recommended that the Commission add an example clarifying that the various financial institutions in a fund complex could (but are not required to) satisfy their obligations under this rule by adopting a single, complex-wide set of policies and procedures. We further recommended that the example clarify that these policies and procedures could be administered by the entity that maintains the information, which typically would be the fund’s transfer agent.

Robert C. Grohowski
Assistant Counsel

Attachment

Note: Not all recipients receive the attachment. To obtain a copy of the attachment referred to in this Memo, please call the ICI Library at (202) 326-8304, and ask for attachment number 11775. ICI Members may retrieve this Memo and its attachment from ICINet (http://members.ici.org).
