SEC ADOPTS REGULATION S-P GOVERNING PRIVACY OF PERSONAL FINANCIAL INFORMATION

[12113] June 29, 2000 TO: BOARD OF GOVERNORS No. 37-00 INVESTMENT ADVISER ASSOCIATE MEMBERS No. 19-00 INVESTMENT ADVISER MEMBERS No. 22-00 SEC RULES MEMBERS No. 44-00 UNIT INVESTMENT TRUST MEMBERS No. 17-00 RE: SEC ADOPTS REGULATION S-P GOVERNING PRIVACY OF PERSONAL FINANCIAL INFORMATION On June 22, 2000, the Securities and Exchange Commission adopted Regulation S-P relating to the privacy of consumer financial information.1 As required by the Gramm-Leach-Bliley Act enacted last November, Regulation S-P limits the ability of every investment company, broker-dealer, and registered investment adviser to disclose its consumers’ and customers’ nonpublic personal information to nonaffiliated third parties. Regulation S-P also requires those financial institutions to provide initial, annual and opt out privacy notices in various instances and to adopt policies and procedures to protect the nonpublic personal information of their consumers and customers. A copy of the Release is attached.2 The Commission received 115 comment letters on proposed Regulation S-P,3 including one from the Institute.4 The rule was adopted substantially as proposed, although the Commission made a number of clarifying and technical changes in response to the comments it received. Significant changes from the proposal are briefly summarized below. General Clarifying Changes In an effort to clarify the rules, the Commission added a number of examples to Regulation S-P. Although the Institute strongly recommended that the examples be given the force or legal effect of safe harbors, the Commission reiterated that the examples merely illustrate the application of the general rules. The Commission also provided additional guidance for firms that do not disclose, or reserve the right to disclose, information in ways that would trigger the opt out requirements. The Release also includes 1 SEC Release Nos. 34-42974, IC-24543, IA-1883 (June 22, 2000), 65 Fed. Reg. 40334 (June 29, 2000) (the “Release”). 2 The Release also is available on the Commission’s website at www.sec.gov. 3 See Memorandum to Board of Governors No. 11-00, Investment Adviser Associate Members No. 5-00, Investment Adviser Members No. 5-00, SEC Rules Members No. 17-00, and Unit Investment Trust Members No. 3-00, dated March 6, 2000, transmitting proposed Regulation S-P. 4 See Memorandum to Board of Governors No. 19-00, Investment Adviser Associate Members No. 10-00, Investment Adviser Members No. 9-00, SEC Rules Members No. 21-00, and Unit Investment Trust Committee No. 12-00, dated April 4, 2000, transmitting the Institute’s comment letter. 2sample privacy notice clauses. These provisions are not intended to be model clauses, but rather are intended to illustrate the appropriate level of detail in the required privacy notices. Specific Issues Addressed in the Release Form and Location of Privacy Notices. In its comment letter, the Institute made a number of comments relating to the method of providing initial, annual and opt out notices. In particular, the Institute urged the Commission to clarify that an investment company would satisfy its initial and annual notice obligations with respect to a customer if he or she receives a fund prospectus, annual report or investor newsletter that contains the relevant privacy disclosure in a clear and conspicuous manner. The Release makes clear that privacy notices may be combined with other disclosures.5 The Commission notes, however, that privacy notices contained in other disclosure documents may be subject to multiple disclosure standards. For example, a fund that includes a privacy notice in its prospectus would have to make the privacy notice clear and conspicuous according to Regulation S-P and would have to prepare the prospectus according to disclosure standards under the Securities Act of 1933.6 Timing of the Initial Notices. In its comment letter, the Institute urged the Commission to revise the proposed requirement that a financial institution provide an initial notice prior to the time that it establishes a customer relationship with a customer. We pointed out that it would be difficult, if not impossible, for funds sold through nonaffiliated broker-dealers to comply with this requirement and recommended that investment companies instead be permitted to provide initial privacy notices at the time of the confirmation of a purchase of fund shares. We are pleased that the Commission has modified this aspect of the final rule.7 As we recommended, the “prior to” requirement has been deleted. In its place, the rule requires financial institutions to provide a customer with an initial notice not later than when the financial institution establishes the customer relationship. There are three exceptions to this rule, one of which permits a fund to delay delivery of the initial notice when a nonaffiliated broker-dealer or registered adviser purchases fund shares on behalf of a customer without the fund's knowledge.8 In such a case, the initial notice must be provided a reasonable time after establishing the customer relationship. New “Short-Form” Notice to Accompany the Opt Out Notice. As under the proposal, the final rules require financial institutions to provide each of their consumers with an initial notice and an opt out notice before disclosing the consumer’s nonpublic personal information to a nonaffiliated third party. The Commission has created an exception, however, allowing financial institutions to provide a “short- form” initial privacy policy notice along with the opt out notice to consumers with whom the institution does not have a customer relationship.9 The rule also requires the financial institution to provide a consumer who is interested in the more complete privacy disclosures with a reasonable means to obtain them. 5 Release at n.30, 65 Fed. Reg. at 40337. 6 Release at n.29 and accompanying text, 65 Fed. Reg. at 40337. The Commission also notes that funds may reduce the burden of complying with the annual notice provisions by including annual privacy notices in shareholder reports. Release at n.59, 65 Fed. Reg. at 40341. 7 See section 248.4(a)(i) and Release at n.91 and accompanying text, 65 Fed. Reg. at 40345. 8 See section 284.4(e)(iii) and Release at n.97 and accompanying text, 65 Fed. Reg. at 40346. A fund shareholder who is the record owner of the fund shares has a customer relationship with the fund, regardless of whether the shareholder opens his or her account directly or through a broker-dealer. Section 248.3(k)(2)(i)(C) of Reg. S-P. 9 Section 248.6(d) of Reg. S-P. 3Timing Issues Related to the Opt Out. The final rules add several examples clarifying what would be considered a reasonable opportunity for a consumer or customer to opt out of the sharing of his or her information.10 As the Institute recommended, however, the Commission refrained from adopting a prescriptive rule in this regard, instead adopting the flexible rule as proposed. The Commission also adopted as proposed the rule requiring financial institutions to honor an opt out request as soon as reasonably practicable.11 The Commission had sought comment on whether the rule should specify a time within which an institution must stop sharing information. The Institute strongly supported the flexible “as soon as reasonably practicable” standard. Householding of Privacy Notices. In its comment letter, the Institute had recommended that the rule specifically permit householding of privacy notices. The Commission agreed that householding is appropriate in certain circumstances, and added an example that allows a broker-dealer or fund to include an annual privacy notice with or in a prospectus or shareholder report delivered in accordance with the Commission’s householding rules for prospectuses and shareholder reports.12 Joint Notices. As recommended by the Institute, the Commission clarified that a financial institution is not obligated to provide more than one notice to joint accountholders.13 A broker-dealer, fund or adviser may, in its discretion, provide notices to each party to the account. However, under the final rule, each of the accountholders must have the right to opt out. Transfer Agents. As recommended by the Institute, the Commission clarified that an individual does not have either a consumer or a customer relationship with an entity acting as an agent for a financial institution. The Commission specifically noted that mutual fund consumers would not become consumers of the transfer agent that services the fund’s accounts.14 Investment Advisers. The Commission clarified that although registered investment advisers are covered by Regulation S-P, an investment company’s adviser does not have customer relationships with the fund’s shareholders in the absence of individual advisory contracts with those shareholders.15 The Institute had recommended that the Commission take the more functional approach of treating a fund shareholder as a customer of the fund complex, including the fund’s primary investment adviser. Retirement Plans. As recommended by the Institute, the Commission clarified that Regulation S- P does not apply to employee benefit plans.16 However, the final rules add an example that an individual will be deemed to establish a customer relationship when a broker-dealer, fund, or registered adviser acts as a custodian for securities or assets in an IRA.17 10 Section 248.10(a)(3) of Reg. S-P. 11 Section 248.7(e) of Reg. S-P. 12 Section 248.9(c)(ii) of Reg. S-P. 13 Release at n.102 and accompanying text, 65 Fed. Reg. at 40346. 14 Release, 65 Fed. Reg. at 40338. 15 Release at n.62 and accompanying text, 65 Fed. Reg. at 40341. 16 Release, 65 Fed. Reg. at 40339 (“We agree with the commenters who concluded that, when the financial institution serves as trustee of a trust, neither the grantor nor beneficiary is a consumer or customer under the rules. Instead, the trust itself is the entity that obtains the financial services, and the rules do not apply because the trust is not an individual.”). 17 Release at n.64 and accompanying text, 65 Fed. Reg. at 40341. 4Publicly Available Information. In its proposing release, the Commission sought comment on whether the definition of “publicly available information” should include information that could be obtained from a public source or only information that actually was obtained from a public source. The Institute recommended that the Commission adopt the definition as proposed, which included information that could be obtained from a public source. The Commission did not adopt either standard in the final rules. Instead, the definition of “publicly available information” turns on whether the financial institution reasonably believes that the information is lawfully made available to the general public from one of three categories of information listed in the rule.18 Limits on Reuse of Information. The Commission revised the limits on redisclosure and reuse of information to clarify their scope.19 Under the final rule, these limits will depend on whether the information was provided pursuant to one of the exceptions enumerated in section 502(e) of the GLB Act. If a broker-dealer, fund, or registered adviser receives nonpublic personal information provided under section 502(e), it may disclose the information to its affiliates or to the affiliates of the financial institution from which it received the information. If a broker-dealer, fund, or registered adviser receives nonpublic personal information outside one of the section 502(e) exceptions, it may disclose the information to (i) its affiliates, (ii) the affiliates of the financial institution that made the initial disclosure, or (iii) any other person if the disclosure would be lawful if made directly by the financial institution from which the information was received. As the Institute recommended, the Commission clarified that financial institutions do not have to monitor compliance by non-affiliated third parties with the redisclosure and reuse provisions of the rule. Policies and Procedures to Protect Information. As the Institute recommended, the Commission adopted as proposed the rule requiring financial institutions to adopt policies and procedures to safeguard their customers’ records and information.20 Also as recommended by the Institute, the Commission clarified that a fund complex could, but is not required to, adopt a single set of policies and procedures for the entire fund complex. The Commission noted that the policies and procedures would have to be determined to be appropriate for each institution to which they apply. Effective and Compliance Dates Regulation S-P becomes effective on November 13, 2000, although compliance is not mandatory until July 1, 2001. Joint marketing and service agreements that are in effect as of July 1, 2000 will have to be brought into compliance with section 248.13 of Regulation S-P by July 1, 2002. The Release notes that to be in full compliance with the rules’ restrictions on disclosures on July 1, 2001, broker-dealers, funds, and registered advisers must have provided their existing customers with an initial privacy notice, an opt out notice, and a reasonable amount of time to opt out before that date. Financial institutions that both provide the required notices and allow a reasonable period of time to opt out before July 1, 2001 may continue to share nonpublic personal information with nonaffiliated third parties after that date for customers who do not opt out. Robert C. Grohowski Assistant Counsel 18 Release at n.76 and accompanying text, 65 Fed. Reg. at 40343. 19 Section 248.11 of Reg. S-P. 20 Section 248.30 of Reg. S-P. 5Attachment Note: Not all recipients receive the attachment. To obtain a copy of the attachment to which this memo refers, please call the ICI Library at (202) 326-8304 and request the attachment for memo 12113. ICI Members may retrieve this memo and its attachment from ICINet (http://members.ici.org). Attachment (in .pdf format)