FINANCIAL INSTITUTION REGULATORS REJECT PROPOSAL RELATING TO THE DISCLOSURE OF CUSTOMER ACCOUNT NUMBERS TO MARKETING FIRM

[13737] July 17, 2001 TO: BANK INVESTMENT MANAGEMENT MEMBERS No. 6-01 COMPLIANCE ADVISORY COMMITTEE No. 31-01 SEC RULES COMMITTEE No. 58-01 SMALL FUNDS COMMITTEE No. 10-01 RE: FINANCIAL INSTITUTION REGULATORS REJECT PROPOSAL RELATING TO THE DISCLOSURE OF CUSTOMER ACCOUNT NUMBERS TO MARKETING FIRM In June, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively referred to as the “Financial Institution Regulators”) together issued that attached interpretive letter under the privacy provisions of the Gramm- Leach-Bliley Act (“GLB Act”) that rejected a proposal involving the sharing of customer account information with a nonaffiliated marketing firm. THE PROPOSED SHARING ARRANGEMENT The sharing arrangement proposed would have involved a financial institution entering into an agreement with a firm that would market insurance products by direct mail to customers of the financial institution. Under the agreement, the financial institution would disclose a list of its customers’ names, addresses, and encrypted account numbers to the marketing firm. The marketing firm would then mail materials to the customers of the financial institution. In the event a customer of the financial institution decided to enroll in the insurance plan, the customer would sign an authorization for the financial institution to provide the customer’s unencrypted account number to the marketing firm, which would then charge the customer for the insurance plan. THE REGULATORS’ JOINT RESPONSE In response to this proposed arrangement, the Financial Institution Regulators noted that Section 502(d) of the GLB Act prohibits a financial institution from disclosing customer account information to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing. While Section 504(b) of the GLB Act authorizes the regulatory agencies to provide exceptions to Section 502’s prohibitions, the rules adopted by the Financial Institution Regulators under the GLB Act only provide two such exceptions. These exceptions permit financial institutions to disclose account numbers to (1) their agents to market the 2financial institution’s own products or services and (2) their partners in a private label credit card or affinity program. The Financial Institution Regulators noted that the proposed joint marketing arrangement did not fit within either of these two exceptions. According to the letter, “We believe that interpreting the Act to consider marketing to have ended at the time the customer accepts the product would substantially undermine the prohibition, effectively limiting its application to the sharing of account numbers for tracking purposes while not denying third party marketers access to customer accounts.” The letter concludes: While a financial institution may not provide a customer account number to a third party under the circumstances you describe, a financial institution may initiate charges to its customer’s account for the [product marketed by the marketer] where the customer has agreed to purchase the product. Of course, an individual is free to provide [the marketer], or any other merchant, with his or her own account number to purchase a product. RELEVANCE TO REGULATION S-P As noted in footnote 1 of the attached letter, the privacy regulations adopted by each of the Financial Institution Regulators under the GLB Act are in substantially identical form. While the Securities and Exchange Commission was not a party to this letter, the privacy regulation cited in the letter to support the Financial Regulators’ conclusion (i.e., Section ____.12) is substantively identical to Section 248.12 of Regulation S-P. Tamara K. Reed Associate Counsel Attachment Attachment (in .pdf format)