SEC Seeks Comment on Model Privacy Form That Would Provide A Safe Harbor Under Regulation S-P; Call Scheduled for April 4th
[20989]
March 23, 2007
TO: COMPLIANCE ADVISORY COMMITTEE No. 7-07SMALL FUNDS COMMITTEE No. 13-07
SEC RULES COMMITTEE No. 31-07
CHIEF COMPLIANCE OFFICER COMMITTEE No. 8-07
CLOSED-END INVESTMENT COMPANY COMMITTEE No. 12-07
INVESTMENT ADVISERS COMMITTEE No. 7-07
UNIT INVESTMENT TRUST COMMITTEE No. 3-07
TRANSFER AGENT ADVISORY COMMITTEE No. 17-07
PRIVACY ISSUES WORKING GROUP No. 3-07 RE: SEC SEEKS COMMENT ON MODEL PRIVACY FORM THAT WOULD PROVIDE A SAFE HARBOR UNDER REGULATION S-P; CALL SCHEDULED FOR APRIL 4TH
The Securities and Exchange Commission, together with other federal regulators of financial institutions, has published for comment a safe harbor model privacy form that financial institutions may use to provide the privacy notices required by the Gramm-Leach-Bliley (“GLB”) Act. [1] Once the SEC adopts its version of the model form, Form S-P, SEC registrants will no longer be able to use the Sample Clauses in the Appendix to Regulation S-P to satisfy the requirements of the GLB Act. (They will, however, be able to continue to use their existing privacy notices that are not based on the Sample Clauses.) The SEC’s proposal is discussed below.
Comments on the proposal will be due to the SEC 60 days after publication of the Release in the Federal Register. The Institute will hold a conference call on Wednesday, April 4th at 4:00 (EST) to discuss the proposal. If you plan to participate on the call, please let Tramece Jeffries know by email (Tlegal@ici.org) as soon as possible, but no later than Monday, April 2nd. If you are unable to participate in the call but have comments on the proposal, please provide them to Tami Salmon prior to the call by phone (202-326-5825) or email (tamara@ici.org).
I. Background
The Gramm-Leach-Bliley Act of 1999 required financial institutions to provide initial and annual privacy notices to their customers. The Act required federal regulators of financial institutions to jointly prescribe regulations to implement these provisions. The SEC adopted Regulation S-P for this purpose. Appendix A to Regulation S-P provides seven Sample Clauses that financial institutions may use as guidelines when drafting their Regulation S-P notices. Because Regulation S-P does not prescribe any specific format or standardized wording for the required privacy notices, the notices issued by financial institutions vary from institution to institution.
In December 2003, Congress amended the Fair Credit Report Act (“FCRA”) to expand the rights provided to consumers under the GLB Act. The FCRA amendments require financial institutions to provide customers the right to prevent a financial institution’s affiliate from using the customer’s information to market to the customer. FCRA required the federal regulators to adopt regulations implementing this provision. In July 2004, the SEC, published proposed Regulation S-AM, which would require SEC registrants to provide customers a notice and opt out before allowing an affiliate to use certain information obtained from the financial institution to market to the customer. [2] Regulation S-AM was never adopted by the SEC; nor were its counterparts adopted by the other federal regulators.
In 2004, the SEC and other federal regulators of financial institutions launched a project to fund consumer research (the “Notice Project”) to identify barriers to consumer understanding of current privacy notices and develop an alternative privacy notice that was easier for consumers to use and understand. As part of the Notice Project, a contractor was retained to design and test a paper-based notice that could be used as an alternative to existing privacy notices. [3]
In 2006, the Financial Services Regulatory Relief Act directed the federal financial institution regulators to develop jointly a safe harbor model privacy form that financial institutions may use, at their option, to provide the privacy disclosures under the GLB Act. The model form, in part, must enable consumers easily to identify information-sharing practices of, and compare privacy practices among, financial institutions. Pursuant to this mandate, the regulators have published for comment the model form developed in the Notice Project. The SEC’s version of this form is Form S-P, which is attached and described below.
II. Form S-P
The Commission has proposed the adoption of Form S-P as well as detailed instructions that specify all elements of the form. Use of the proposed model form would provide a safe harbor under Regulation S-P. Financial institutions can continue to use other types of notices that vary from the model form so long as such other notices comply with the requirements of Regulation S-P. As noted above, however, upon integration of the model form into Regulation S-P, financial institutions will no longer be able to utilize the Sample Clauses in Appendix A to Regulation S-P.
A. The Form’s Appearance
Pursuant to the proposed instructions, the model form must:
- Be two pages if an opt out is not required or three pages if it is;
- Be printed on only one side of 8.5 by 11 inch paper;
- Use at least 10-point type size;
- Use “leading”[4] that allows for sufficient spacing between lines (e.g., 10- or 11-point type should have between 1 and 3 points of leading; 12-point type should have between 2 and 4 points of leading); and
- Be printed in an easily readable type font. According to the Release, for typefaces with a smaller “x-height,”[5] an 11- or 12- point font should be used. For typefaces with a larger x-height, a 10-point font would be sufficient. Fonts that satisfy the type style and x-height guidelines include san serif fonts such as Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial, and Gill Sans and serif fonts such as the Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century.
The instructions to the form note that the form “may” be printed on white or light color paper (e.g., cream) with black or suitable contrasting color ink. “Spot color” may be used to achieve visual interest so long as the color contrast is distinctive and the color does not detract from the form’s readability. The instructions also permit a financial institution to include its logo on the model form so long as the logo design does not interfere with the readability of the form or the space constraints of each page.
B. Content Requirements — Page One
Financial institutions that use the form may not include any information other than that specified in the form or permitted in the instructions to the form. As noted by the attached copy of the form, page one consists of four parts: (1) the title, which includes the financial institution’s name; (2) a “Why?,” “What?,” and “How?” section, which is intended to provide consumers context for the information being provided to them and which cannot be altered by the financial institution using the form (aside from adding the institution’s name to the “How?” section); (3) a table that describes the financial institution’s information sharing practices and the consumer’s ability to limit such sharing; and (4) the financial institution’s contact information.
With respect to (3), a fund that does not share with affiliates for marketing purposes may delete the sixth row of the table (i.e., “For our affiliates to market to you”). [6] This is the only portion of page one that may be omitted. Financial institutions must complete the middle and right columns with either “Yes,” “No,” or “We Don’t Share” as applicable. Any “Yes” in the third column will necessitate including page three of the model form, which details how a consumer may opt-out of the sharing of the information. [7] A financial institution may offer its customers opt-out rights beyond those required under federal law so long as the additional information falls within the space constraints of the model form. A financial institution using the model form cannot revise the headings in the three columns of this table or the information in the left hand column of the table.
C. Content Requirements – Page Two
Page two of the form contains supplemental information concerning the institution’s information sharing practices. While the “Sharing Practices” portion of this page may not be revised, a financial institution using the form must customize the “Definitions” portion of the page by adding information to the definitions for affiliates, nonaffiliates, and joint marketing. The information added by the institution must appear in italicized lettering to distinguish the customized portion of the form from the standardized portion. In particular, under:
Affiliate – the financial institution must identify the categories of its affiliates or state that it has no affiliates.
Nonaffiliates – a financial institution must disclose whether it shares information with nonaffiliated third parties outside exceptions provided in Regulation S-P.
Joint Marketing – A financial institution must state whether it engages in joint marketing.
The instructions to the form detail the acceptable language for the definitions added by the institution.
D. Content Requirements - Page Three
As noted above, financial institutions will only use page three of the form in the event consumers can opt out of the sharing of information. A financial institution that is required to provide page three to its consumers must customize the ways in which the consumer may exercise his or her opt-out election. The financial institution may customize the “Contact us” portion of this page to provide for the particular opt-out methods it provides (e.g., if a customer must opt-out by phone, the form need not include mailing or web information). Also, the 30-day period in the disclosure at the bottom of the “Contact us” section can only be revised if the financial institution delays its sharing of information for more than 30 days.
While a financial institution must include the “Check your choices” section of the form, if a consumer cannot opt out by mail, the institution must delete the boxes for name, address, account number, and mailing directions. The opt-out choices in this section of the form must correspond to the “Yes” answers in response to the question “Can you limit this sharing?” on page one of the model form.
III. Compliance Date
To ease the compliance burden for those financial institutions that currently use the Sample Clauses of Regulation S-P in their privacy notices, the SEC has proposed a transition period of one year, after which a financial institution could no longer rely on the guidance of the Sample Clauses. [8] The annual privacy notices required by Regulation S-P may continue to use the Sample Clauses until the next annual privacy notice is due one year later, with the Sample Clauses rescinded one year after the transition period ends.
IV. Request for Comment
In addition to seeking comment on the content and format of Form S-P and its instructions, the SEC seeks comment on:
- Whether the standardized provision and vocabulary in Form S-P are sufficient to allow SEC registrants accurately to disclose their information sharing practices – in particular: (1) the description on page one of the types of personal information that may be collected and (2) the examples of the sources of information collected on page two;
- Whether SEC registrants should be able to omit certain terms from the form that may not apply to their information collection practices or their sources of information; and
- Whether the agencies should develop a Web-based design for financial institutions to use on their Internet sites and, if so, any comments on particular design and/or technical considerations.[9]
Tamara K. Salmon
Senior Associate Counsel
endnotes
[1] See Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act, SEC Release No. 34-55497 (Mar. 20, 2007)(the “Release”), which is available on the SEC’s website at: http://www.sec.gov/rules/proposed/2007/34-55497.pdf.
This memorandum focuses on the SEC’s model form, which differs slightly from the model form of the other federal regulators.
[2] See Limitations on Affiliate Marketing (Regulation S-AM) SEC Release No. 34-49985 (July 8, 2004). The Institute filed a comment letter supporting the SEC’s proposal but recommending various clarifying amendments. See Institute Memorandum to Closed-End Investment Company Members No. 55-04, Investment Adviser Members No. 15-04, SEC Rules Members No. 86-04, Unit Investment Trust Members No. 34-04 [No. 17896], dated Aug. 13, 2004.
[3] In electing to design a paper-based notice, the regulators reasoned that a successful paper notice could be readily adapted to another medium, such as the Internet.
[4] “Leading” refers to the spacing between lines of type, measured in points. The rule does not mandate a specific amount of leading so long as the amount use allows for sufficient spacing between lines.
[5] The “x-height” is the height of the lower-case “x” in relation to full height letters. X-height is apparently critical to type legibility.
[6] This item is included in Form S-P to accommodate the opt-out requirement of the FCRA, discussed above. A financial institution that elects not to use Form S-P will not be required to provide their customers the required FCRA opt out in the absence of the adoption of Regulation S-AM.
[7] Pursuant to the GLB Act and FCRA, consumers must be provided the opportunity to opt out of the sharing of certain information with non-affiliated third parties, the sharing of creditworthiness and credit report information among affiliates, and sharing with affiliates for marketing purposes. A financial institution whose affiliates receive such information but do not use it for marketing is not required to include this provision in its form.
[8] For example, if an institution provides a notice using the Sample Clauses on day 361 after the effective date of Form
S-P, it could continue to rely on the guidance of the Sample Clauses for one year until its next annual notice is due. If an institution provides a notice relying on the Sample Clauses on day 369 after the effective date of Form S-P, it would not be able to rely on the guidance provided in the Sample Clauses. See Release at nn. 46-47.
[9] The agencies contemplate that institutions that post a pdf version of the model form on their websites may obtain a safe harbor.