PRIVACY COMPLIANCE PAPER

[13102] January 31, 2001 TO: BROKER/DEALER ADVISORY COMMITTEE No. 3-01 COMPLIANCE ADVISORY COMMITTEE No. 8-01 SEC RULES COMMITTEE No. 12-01 TRANSFER AGENT ADVISORY COMMITTEE No. 10-01 PRIVACY COMPLIANCE PAPER WORKING GROUP RE: PRIVACY COMPLIANCE PAPER Enclosed is the final version of the Institute’s paper entitled “Privacy of Consumer Financial Information: Mutual Fund Compliance with Regulation S-P.” A copy of the cover memorandum that will accompany the paper to the Board of Governors and other Institute members also is enclosed. The final version reflects some significant revisions to the December 1, 2000 draft of the paper that was circulated to you. Please note, for example, the following changes: • The sections relating to the definitions of “consumer” and “customer” have been expanded and refined. In particular, the discussion of the definition of “consumer” is more detailed than in the prior draft. As a result, the paper places more emphasis on the various elements of the definition itself and less on the example in 248.3(k)(2)(i)(C) that provides a “bright line test” relating to how shares are held. See pages 8 to 13 of the paper. • The section relating to the definition of “affiliate” has been expanded and refined. The question of whether an adviser is an affiliate of a fund that it advises has been revised. The paper now states that it is possible that a fund’s adviser may control (and thus be an affiliate of) the fund for purposes of Reg S-P, but suggests that fund groups may wish to consider the impact that this conclusion may have in other contexts. In addition, a diagram has been added to demonstrate the significance of affiliate status. See pages 13 to 17. • Several sections relating to notices have been revised. The paper has been revised with regard to the question of whether delivery of an initial privacy notice in or with a prospectus and confirmation statement satisfies the timing requirements of Reg S- P. The paper notes that members of the SEC staff have suggested that outside of the unaffiliated intermediary exception in 248.4(e)(1)(iii) (allowing delayed delivery of 2initial notices in certain circumstances), this method may not constitute timely delivery of the initial notice. The paper states, however, that notwithstanding the comments of those SEC staff members, there are strong arguments that delivery of an initial notice with a confirmation should satisfy Reg S-P, even outside of the unaffiliated intermediary exception. See pages 55 to 58. In addition, a chart on the required notices has been added on page 59 and the section on joint notices (pages 28-29) has been revised to reflect recent conversations with SEC staff members. • The role of the fund board has been slightly modified. The final version of the paper is slightly less prescriptive than the prior draft with regard to the role of fund boards. In the final version, the paper suggests that it may be advisable for fund boards of directors or trustees to be kept informed, as appropriate, as to the development and ongoing implementation of privacy policies and that, while not required by Reg S-P, some fund boards may wish to take a more active role by approving or ratifying fund privacy policies. The paper also suggests that it also may be advisable to disclose any material failures of information security programs to fund boards. We appreciate the comments that many of you provided on earlier drafts of the paper. Robert C. Grohowski Associate Counsel Enclosures