SEC SEEKS COMMENT ON REGULATION TO REQUIRE CONSUMER OPT-OUT PRIOR TO SHARING INFORMATION WITH AFFILIATES FOR MARKETING

[17762] July 13, 2004 TO: SEC RULES COMMITTEE No. 60-04 SMALL FUNDS COMMITTEE No. 39-04 COMPLIANCE ADVISORY COMMITTEE No. 70-04 CLOSED-END INVESTMENT COMPANY COMMITTEE No. 26-04 INVESTMENT ADVISERS COMMITTEE No. 8-04 UNIT INVESTMENT TRUST COMMITTEE No. 16-04 TRANSFER AGENT ADVISORY COMMITTEE No. 61-04 PRIVACY ISSUES WORKING GROUP No. 2-04 RE: SEC SEEKS COMMENT ON REGULATION TO REQUIRE CONSUMER OPT-OUT PRIOR TO SHARING INFORMATION WITH AFFILIATES FOR MARKETING As discussed in detail below, in accordance with recent changes to federal law, the Securities and Exchange Commission has published for comment a new regulation, Regulation S-AM, that would impose specific regulatory requirements on financial institutions that share certain consumer information with their affiliate if the information is used by such affiliate to make or send marketing solicitations.1 Comments on the proposal must be filed with the Commission no later than 30 days after the regulation is published in the Federal Register. The Institute will hold a conference call on Tuesday, July 20th at 2:00 p.m. EST to discuss the proposed Regulation. The dial-in number for the call is 888-566-5779 and the pass code is 16203. If you plan to participate in the call, please send an e-mail to Stephanie Gerace at sgerace@ici.org. If you are unable to participate in the call, please provide your comments on the proposed amendments, before the call, to the undersigned by phone (202-326-5825), fax (202-326-5839), or e-mail (tamara@ici.org). 1 See Limitations on Affiliate Marketing (Regulation S-AM) Commission Release Nos. 34-49985, IC-26494, and IA-2259, July 8, 2004, (the “Release”). A copy of the Release is available on the SEC’s website at: http://www.sec.gov/rules/proposed/34-49985.htm. (Cites in this memorandum to the Release are to the version available on the Commission’s website.) The Federal Trade Commission and the federal banking regulators have published for comment their proposed rules to implement Section 624 of FACTA. Their rules are available on their respective websites: www.ftc.gov and www.fdic.gov. 2 I. BACKGROUND Last December, the President signed into law the Fair and Accurate Credit Transactions Act (FACTA). In addition to updating the Fair Credit Reporting Act and strengthening its provisions relating to identity theft, FACTA includes a provision (new Section 624) that requires the same regulators that promulgated privacy rules under the Gramm-Leach-Bliley Act (GLB Act) to promulgate regulations that give consumers the right to restrict a person from making marketing solicitations using certain information about the consumer that was obtained from the person’s affiliate. FACTA requires the regulators to work in consultation and coordination with one another to adopt the required implementing rules no later than September 5, 2004, with an effective date no later than six months after the rules’ issuance. FACTA expressly provides that the implementing rules must require: (1) clear and conspicuous notice to consumers of their right to opt-out; (2) a simple method by which consumers may exercise their right to opt out; (3) that a customer’s election to opt out be effective for at least five years; and (4) that, prior to the expiration of a customer’s election to opt out, the customer be provided notice of his or her right to extend the opt-out for a minimum of five more years. In addition, FACTA requires that the implementing rules provide guidance regarding compliance with the above requirements and include certain exceptions set forth in FACTA. Pursuant to FACTA’s mandate, the Commission has published for comment proposed Regulation S-AM, which is described below. II. PROPOSED REGULATION S-AM Generally speaking, proposed Reg. S-AM would prohibit an affiliate of a broker, dealer, investment company, an SEC-registered investment adviser, or registered transfer agent (hereinafter referred to collectively as “financial institution”) from using any “eligibility information” it has received from the financial institution to “make or send marketing solicitations to the consumer” unless prior to the affiliate’s use of the information, the financial institution has: (1) provided a “clear and conspicuous notice” to the consumer letting the consumer know that the information may be shared and used by the financial institution’s affiliate for marketing purposes; (2) provided the consumer a reasonable opportunity and a “simple method” to opt out of such sharing; and (3) the consumer has chosen not to opt out. The sections within the proposed regulation provide greater detail regarding these requirements as well as other provisions required by FACTA to be in the implementing rules. A. Definitions Section 247.3 of proposed Reg. S-AM sets forth definitions for various terms used in the Regulation, including the following terms. 1. “Eligibility Information” As proposed to be defined in the Regulation, the term “eligibility information” would track the language in FACTA that defines eligibility information as “any information the communication of which would be a consumer report if the exclusions from the definition of ‘consumer report’ in section 603(d)(2)(A) of the FCRA did not apply.” The Release provides 3 greater detail about the meaning of this term. In particular, it notes that, in accordance with this definition, eligibility information would mean: . . . any information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes, employment purposes, or any other purpose authorized by Section 604 of FCRA.2 As mentioned above, the provisions of the Regulation are triggered only when (1) eligibility information is shared by a financial institution with its affiliate and (2) the affiliate uses it for marketing solicitation purposes. If the eligibility information is shared with, but not used by, the affiliate for marketing solicitation purposes, the Regulation does not apply. Similarly, if the information shared with the financial institution’s affiliate for marketing purposes is not “eligibility information,” the Regulation’s provisions are not triggered. 2. “Marketing Solicitation”3 The term “marketing solicitation” would be defined to include marketing initiated by a person to a particular consumer that is (1) based on eligibility information communicated to that person by its financial institution affiliate and (2) intended to encourage the consumer to purchase or obtain such product or service. It would include telemarketing calls, direct mail or e-mail, or other communications directed to a particular consumer based on eligibility information. Expressly excluded are communications directed at the general public without the use of eligibility information communicated by a financial institution affiliate (e.g., television or print ads, billboards). 3. “Pre-Existing Business Relationship” This term, which is relevant for an exemption from the proposed Regulation’s requirements,4 would be defined to mean a relationship between a person and a consumer based on: (1) a financial contract between the person and the consumer that is force on the date a marketing solicitation governed by the Regulation is sent to the consumer; (2) a financial transaction, including holding an active account, between the consumer and the person during the 18-month period immediately preceding the marketing solicitation; or (3) an inquiry or 2 Release at p. 4. 3 The Release notes that, while FACTA uses the term “solicitation,” the Commission has determined to use instead the term “marketing solicitation” in order to “avoid any confusion with the concept of solicitation under the federal securities laws.” See Release at fn. 63. 4 Proposed 247.20(c)(1) provides an exception that permits a person to use eligibility information it has received from an affiliated financial institution if the person has a “pre-existing business relationship” with the consumer. See discussion of exemptions and 247.20(c), below. 4 application by the consumer regarding a product or service offered by the person during the 3- month period immediately preceding the marketing solicitation.5 B. Affiliate Use of Eligibility Information for Marketing Cumulatively, the provisions in Regulation S-AM would provide that, before an affiliate of financial institution may use any eligibility information provided to it by the financial institution to make or send marketing solicitations to a consumer of the financial institution, the financial institution must provide notice to the consumer and the ability to opt out of such sharing. Various exceptions are provided in the regulation from these requirements. Also, if the eligibility information was shared with the affiliate prior to the mandatory compliance date for the final rule, the proposed rule would not apply to the affiliate’s use of such information, even if the consumer opted out of its sharing. 1. The Required Notice Section 247.20(a)(i) would require the notice to be “clear and conspicuous”6 and inform the consumer that information may be communicated to, and used by, the financial institution’s affiliate to make or send marketing solicitations to the consumer about the affiliate’s products and services. The contents of the opt-out notice would be set out in proposed 247.21. In addition to requiring the notice to be clear and conspicuous, 247.21 would require the notice to be “concise.” According to this rule, the notice must accurately disclose that the consumer may elect to limit the financial institution’s affiliate from using eligibility information about the consumer it obtains from the financial institution to make or send marketing solicitations to the consumer. If the financial institution elects to have a consumer’s opt-out request expire,7 the notice must state the period during which the election will be effective (which may be no less than five years) and that the consumer will be allowed to extend his or her election once that period expires. The notice must also include a “reasonable and simple” method for the consumer to opt out. The rule clarifies that the opt-out notice may be combined with other disclosure required or authorized by federal or state law (e.g., the privacy notices under the GLB Act). With respect to the consumer’s opt-out choices, the notice may allow a consumer to choose from a menu of alternatives when opting out of affiliate use of eligibility information for marketing. For example, the notice may allow the consumer to select certain types of affiliates, certain types of information, or certain methods of delivery from which to opt out so long as one of the alternatives would provide the consumer the opportunity to opt out with respect to all affiliates, all eligibility information, and all methods of delivery. Section 247.21 additionally makes clear that, if a financial institution provides a consumer with a broader right to opt out than that required by law, the financial institution satisfies the rule’s notice requirements, 5 As noted in the Release, this definition is substantially similar to the definition of “established business relationship” under the amended Telemarketing Sales Rules, which has been incorporated into the telemarketing rule of the NASD (NASD Rule 2212). Release at p. 14 and fn. 75. 6 The term “clear and conspicuous” is defined in proposed paragraph 247.3(c) to mean “reasonably understandable and designed to call attention to the nature and significance of the information presented.” 7 As discussed below, each consumer’s opt-out election must be effective for at least 5 years. 5 provided that the consumer is provided a notice that accurately discloses the consumer’s opt- out rights. The required opt-out notice may be provided in the name of the financial institution with which the consumer does or previously has conducted business or in one or more common corporate names shared by members of an affiliated group of companies. The notice may be provided: (1) by the financial institution directly to the consumer; (2) by the financial institution’s agent provided that if such agent is an affiliate, the agent does not include any marketing solicitations other than those of the financial institution (unless it is permitted to do so under an exception discussed below); or (3) jointly with one or more of the financial institution’s affiliates or under a common corporate name or names used by the family of companies.8 The rule would also permit individual affiliates of a financial institution to avoid sending duplicative notices so long as the notice and opt-out sent by one affiliate is broad enough to cover the use of the eligibility information by other affiliates.9 2. Reasonable Opportunity to Opt-Out Before an affiliate may use eligibility information received from a financial institution to make or send marketing solicitations, the financial institution must provide the consumer with a reasonable opportunity, following the delivery of the opt-out notice, to opt out of such use by the affiliate. If the opt-out notice is mailed to the consumer, the consumer must be given at least 30 days from the date of mailing to opt out; if the notice is provided by electronic transmission, it would be reasonable for the consumer to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction, so long as the process to opt out on the website is simple. Alternatively, the opt-out notice could be provided with the financial institution’s GLB Act notice provided the consumer is allowed to exercise the opt-out within a reasonable period of time and in the same manner as under the GLB Act. According to 247.22(b)(5) of Regulation S-AM, in lieu of providing consumers the opt-out that would be required by the Regulation, the financial institution could instead provide them an opt-in (e.g., the financial institution would agree not to share the consumer’s information with an affiliate unless the consumer opts in to such sharing), so long as the financial institution documents and abides by the consumer’s choice. 3. Reasonable and Simple Methods of Opting Out Section 247.23 of the Regulation would distinguish methods of opting out that are reasonable from those that are not. Reasonable methods would include: (1) designating check- off boxes in a prominent position on the notice required by the Regulation; (2) including a reply 8 With respect to joint notices, proposed 247.24(c) would require: (1) that the information in the joint notice to be accurate with respect to each affiliate; and (2) that the joint notice identify separately each affiliate covered by the notice unless each affiliate shares a common name. In such instance, the notice could state that it applies to “all affiliates in the ABC family of companies.” If, however, an affiliate does not have “ABC” in its name, the notice would be required to separately identify such affiliate. 9 The proposed rule includes examples that “are intended to describe the broad outlines of ordinary situations that would constitute compliance” with various provisions of the proposed rule. According to the Release, however, compliance with the examples in the rule would not provide a safe harbor. Instead, “the specific facts and circumstances relating to each particular situation would determine whether compliance with an example constitutes compliance with the rule.” See Release at fn. 23. 6 form and a self-addressed envelope together with the opt-out notice; (3) providing an electronic means so long as the consumer agrees to electronic delivery of information; and (4) providing a toll-free telephone number that can be used to opt out. Unreasonable methods would include requiring the consumer: to write a letter to the financial institution; to call or write to obtain an opt-out form; or, in the case of a consumer who transacts business with the financial institution electronically, to opt out solely by telephone or by paper mail. 4. Delivery of Opt-Out Notices Section 247.24 would require that the financial institution deliver the opt-out notice such that each consumer can be expected to receive actual notice. Examples provided in the rule for how a financial institution could reasonably expect that a consumer will receive actual notice include: hand delivering a printed copy to the consumer; mailing a copy of the notice to the last known mailing address of the consumer; or, for those consumers that transact business with the financial institution electronically, posting the notice on the financial institution’s website and requiring the consumer to acknowledge receipt as a necessary step to obtaining a particular product or service. If two or more consumers jointly obtain a product or service from the financial institution, 247.24(d) would provide that the financial institution may provide a single opt-out notice and any of the joint consumers may exercise the right to opt out. The financial institution may either treat an opt-out direction by one joint consumer as applying to all associated joint consumers or permit each joint consumer to opt out separately. If the latter, the financial institution must permit one of the joint consumers to opt out on behalf of all of the joint consumers and one or more of the joint consumers to notify the financial institution of their opt- out directions in a single response. A financial institution may not require all joint consumers to opt out before it implements any of the joint consumers’ opt-out directions. A financial institution’s notice must explain how the financial institution handles joint consumers under its opt-out policies. 5. Duration and Extension of Opt-Out A consumer may exercise his or her opt-out right at any time. Sections 247.25 and 247.26 would govern, respectively, the duration and extension of a consumer’s opt-out direction. Generally speaking, these rules provide that an opt-out election by a consumer shall last no less than five years. This period would be required to begin as soon as reasonably practicable after the consumer’s election is received by the financial institution. A financial institution may, however, provide a consumer an opt-out election that is effective indefinitely. During the effectiveness of a consumer’s opt-out election, while a financial institution may share eligibility information with an affiliate, the affiliate may not use such information to make or send a marketing solicitation.10 10 According to the Release, “the opt-out would be tied to the consumer, not to the information. Thus, if a consumer initially elects to opt out but does not extend the opt-out upon expiration of the opt-out period, the receiving affiliate could use all of the eligibility information it has received about the consumer from the affiliate, including eligibility information that it received during the opt-out period. However, if the consumer subsequently opts out again, the receiving affiliates could not use any of the eligibility information it obtained after the rule’s mandatory compliance date.” Release at p. 20. 7 Prior to the expiration of an opt-out election, the financial institution must provide the consumer notice that his or her previous election is about to expire and the opportunity to extend the consumer’s election for an additional period of no less than five years. Section 247.26 would set forth the contents of the extension notice. This rule would also provide that the opt- out period may not be shortened to a period of less than five years by sending an extension notice to the consumer before expiration of the opt-out period. 6. Exceptions As proposed, Regulation S-AM would include various exceptions that would be set out in 247.20(c). These exceptions permit an affiliate that has received eligibility information from a financial institution to use it in the following instances without triggering the Regulation’s requirements: • To make or send a marketing solicitation to a consumer with whom the affiliate has a pre-existing business relationship; • To facilitate communications to an individual for whose benefit the affiliate provides employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship or status of the individual as a participant or beneficiary of an employee benefit plan; • To perform services on behalf of an affiliate except that this would not permit the affiliate to make or send marketing solicitations on its own behalf if the affiliate would not be permitted under the rule to make or send the marketing solicitation to the consumer based upon the consumer’s opt-out election; • In response to a communication initiated by the consumer orally, electronically, or in writing; • In response to an affirmative authorization or request by the consumer to receive a marketing solicitation; or • If the affiliate’s compliance with the Regulation would prevent it from complying with any provision of state insurance laws pertaining to unfair discrimination. In addition to listing these exemptions, this rule provides examples of their application to various situations (see 247.20(d)). III. APPENDIX Appendix A to the proposed Regulation includes three model forms that could be used by financial institutions to comply with the Regulation’s notice and opt-out requirements. These forms are as follows: • Model Form A-1: Form for Initial Opt-Out Notice – which sets forth a proposed form of an initial opt-out notice; 8 • Model Form A-2: Form for Extension Notice – which sets for a proposed form of an extension notice that could be used when the consumer’s prior opt-out has expired or is about to expire; and • Model Form A-3: Form for Voluntary “No Marketing” Notice – which sets forth a proposed form that financial institutions could use to offer consumers a broader right to opt out of marketing than is required by law. The Release makes clear that use of these model forms is voluntary, and that financial institutions can either modify these model forms to suit particular circumstances or use other forms so long as the proposed Regulation’s requirements are met. IV. REQUEST FOR COMMENT In addition to seeking comment on the Commission’s proposal generally, the Release seeks comment specifically on the following issues: (1) FACTA does not specify whether the entity communicating the eligibility information, or the entity receiving such information should be required to provide the required notice and opt out. The federal functional regulators have determined that the financial institution communicating the information should have this burden, but comment is sought on this aspect of the Regulation. (2) As discussed above, the Regulation would include various exceptions from its notice and opt-out requirements. The Commission seeks comment on whether additional exceptions are warranted and whether there are other circumstances that should fall within the proposed definition/exception for pre-existing business relationships. (3) The Commission seeks comment on whether there are additional communications that should be excluded from the definition of “solicitation.” In addition, the Commission seeks comment on whether, and to what extent, various tools used in Internet marketing (e.g., pop-up ads) could constitute marketing solicitations instead of communications directed to the general public. (Commenters are invited to discuss whether the Commission should provide persons subject to the rules with further guidance to address Internet marketing.) (4) The Commission seeks comment on whether the provisions of the Regulation should apply to the “constructive sharing” of eligibility information to conduct marketing. (According to the Release, constructive sharing would occur when, for example, a broker-dealer that is affiliated with a financing company has a relationship with a consumer and the broker-dealer, on behalf of the financing company, sends marketing materials to those clients of the broker-dealer that meet certain eligibility criteria. Alternatively, the broker-dealer could send out the financing company’s marketing materials to all clients of the broker-dealer but code the responses to indicate those responders that meet certain eligibility criteria.) The Commission seeks comment on whether this type of activity would violate the policy objectives of FACTA. 9 (5) The Commission seeks comment on whether there are circumstances in which oral notice and opt-out elections should be permitted and, if so, how the notice might satisfy the Regulation’s “clear and conspicuous” standard. (6) The Commission seeks comment on what the mandatory compliance date should be for the Regulation once it is adopted in order to permit financial institutions to incorporate the affiliate marketing notice into their next annual GLB Act privacy notice. (7) The Commission seeks comment on the provisions in the Regulation that would apply to notices provided to joint consumers, which provisions are patterned after similar provisions in the GLB Act privacy rules. Tamara K. Salmon Senior Associate Counsel