Memo #23968

SEC Adopts Model Regulation S-P Privacy Notice


 

November 20, 2009

TO: SEC RULES MEMBERS No. 124-09
SMALL FUNDS MEMBERS No. 69-09
COMPLIANCE MEMBERS No. 50-09
CLOSED-END INVESTMENT COMPANY MEMBERS No. 54-09
INVESTMENT ADVISER MEMBERS No. 23-09
UNIT INVESTMENT TRUST MEMBERS No. 9-09
TRANSFER AGENT ADVISORY COMMITTEE No. 84-09
OPERATIONS MEMBERS No. 25-09
PRIVACY ISSUES WORKING GROUP No. 16-09

RE: SEC ADOPTS MODEL REGULATION S-P PRIVACY NOTICE

 

Earlier this week, the SEC adopted Model Form S-P, which was originally published for comment in March 2007. [1]  Registrants will be able to use the new form [2] to satisfy their privacy notice requirements under Regulation S-P as soon as the Release is published in the Federal Register, which should be in the next week or two.  While use of the new model form is voluntary, registrants that elect to use it will be provided a safe harbor and deemed compliant with the disclosure requirements of Regulation S-P.  Along with adopting the new form, the SEC is repealing the sample clauses that currently appear in the appendices to Regulation S-P and that provide guidance on the contents of their privacy notices.  Their repeal is effective December 31, 2010.  The new forms are briefly described below. 

 

Model Form S-P

 

As a preliminary matter, the Release expressly clarifies that, “while the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule.” [3]  Also, as regards the repeal of the Sample Clauses in the appendices to Regulation S-P, the Release notes that “institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule.” [4]  Registrants electing to use the model form may modify it only as permitted in the instructions to the form, which provide very limited opportunity for modifications.  The key features of the new form are as follows:

 

Structure of the Forms

Privacy notices based on the new form:

 

  • Must be two pages in length, which may be printed on both sides of a single sheet of paper or on two separate pages;
  • Must have a portrait orientation;
  • Must be printed on white or light colored paper with print in black or a contrasting color.  Spot color may be used to achieve visual interest so long as it does not detract from the form’s readability;
  • Need not use a mandated paper size, but the paper must be of a size sufficient to accommodate the minimum font size (i.e., 10-point font unless otherwise specified); and
  • Must use a font type that is easily readable, with sufficient spacing between the lines of type.

 

The proposed rule imposed very specific requirements on what constituted “easily readable type” (e.g., type size, type style, leading, x-height, serif versus sans serif, etc.).  The adopted rule eliminates each of these except the font size (i.e., 10 point).  For “ease of reference,” the Release provides some optional guidance on enhancing readability, but stresses that none of it is mandatory. [5]  Registrants may produce their own forms, rather than use forms entirely identical to the model notice form, but any forms created by a registrant must conform to the structure, ordering, and content of the model forms included in the Release.

Contents of the Form

Page One – Registrants have limited ability to modify the contents of page one of the form.  They must utilize the mandatory language, headings, format, and ordering of the form.  Also, in the upper right-hand corner of the form, registrants must indicate the date (by month and year) of the most recent version of the notice.  The body of the form indicates, through bracketed language, where it may be personalized by the registrant.  Permitted modifications/additions are as follows:

 

  • In the heading next to “FACTS,” a registrant may add the name (and logo) of the institution(s) providing the notice on the form where indicated.
  • In the “What?” box on the form, a registrant must, in addition to listing the consumer’s Social Security Number, use five of the following terms to complete the bulleted list: [6] income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; or wire transfer instructions.
  • In the “Reasons we can share your personal information” portion of the form, registrants may insert their name over the middle column and must check either the middle or last column for each reason for sharing information listed in the first column. [7]  Registrants may omit from the first column, “For our affiliates to market to you,” if they do not permit their affiliates to use shared information for this purpose.  For those registrants that do permit affiliates to market the affiliate’s product or services and that, as a result, have obligations under Regulation S-AM, this item on the form and the related opt-out can be used to satisfy Regulation S-AM’s requirements. [8]
  • The next portion of the form, “To limit our sharing,” is not required if the registrant is not required to (and does not) provide an opt-out, as the contents of this section discuss ways for consumers to exercise their opt-out rights.  For those institutions that must provide an opt-out, the Instructions to the form provide that the institution “must select one or more of the applicable opt-out methods described” (i.e., by phone, [9] website, [10] or use of a mail-in opt-out form).  In this section, the registrant may also specify the number of days after which they will begin sharing the consumer’s information after sending the form to the consumer.  According to the instructions, “institutions may insert a number that is 30 or greater” in this space. [11] 
  • Questions Box – the registrant’s customer service contact information must be inserted as indicated.  Institutions have the option of providing a phone number (which may, but is not required to, be a toll-free number), a web address, or both.
  • Mail-in Form – this portion of the form is only required to be included if the immediately prior section of the form (i.e., “To limit our sharing”) provides that consumers may exercise their opt-out via mail.  The “account number” section of the form may be omitted if registrants do not require this information or it may be modified if another number or information is required. [12]  Firms may require customers with multiple accounts to identify each account to which the opt-out should apply.  The “Mail to” portion of this section must include the registrant’s opt-out mailing address, though this information can appear either at the far right of the form or below the form.  Registrants are prohibited from including any content of the model form on the reverse side of the mail-in opt-out form.  The left margin of this form can be used by those institutions that permit joint accountholders to individually assert their opt-out rights. [13] 

 

Page Two – The right-hand column on page two of the form provides registrants greater ability to tailor its contents, though the information in the left-hand column can only be customized by adding the registrant’s name.  Also, the top portion of the form, “Who we are,” may be omitted in its entirety where only one financial institution is providing the notice and that institution is clearly identified on page one. [14]  With respect to the right-hand column:

 

  • Under the heading “What we do:”

    In the first row, “How does [institution name] protect my information,” registrants may provide additional information pertaining to their safeguarding practices (e.g., use of cookies) so long as the additional information does not exceed 30 additional words.

    In the second row, “How does [institution name] collect my personal information,” registrants must use five terms selected from a list of several terms [15] to complete the bulleted list for this question.  The items in this list that seem related to our industry include:

    (1) Open an account;
    (2) Seek financial or tax advice;
    (3) Seek advice about your investments;
    (4) Buy securities from us;
    (5) Sell securities to us;
    (6) Direct us to buy securities;
    (7) Direct us to sell securities;
    (8) Enter into an investment advisory contract;
    (9) Tell us about your investment or retirement portfolio;
    (10) Tell us about your investment or retirement earnings;
    (11) Provide account information;
    (12) Give us your contact information;
    (13) Pay us by check;
    (14) Make a wire transfer; and
    (15) Show your driver’s license.

     

    Registrants that either collect personal information from their affiliates and/or credit bureaus or that do not collect information from such sources but do collect it from other companies must also include a specified legend alerting consumers to such practice.  Only registrants that engage in neither practice are permitted to omit such legend.

    In the third row, “Why can’t I limit all sharing,” registrants may either: (1) delete the bracketed language (i.e., “See below for more on your rights under state law”) or (2) include this language and describe state privacy law provisions in the “Other important information” portion of the form.

    The fourth and final row of this section, “What happens when I limit sharing for an account I hold jointly with someone else,” need only be completed by those registrants that provide opt-out options.  All other registrants may omit this row.  Those registrants that must include it have two response options: (1) “Your choices will apply to everyone on your account,” or (2) “Your choices will apply to everyone on your account – unless you tell us otherwise.”

  • Definitions

    The definition section of the form consists of three definitions: Affiliates, Nonaffiliates, and Joint marketing.  The Instructions provide guidance regarding how members are to complete this section of the form to disclose: whether they have affiliates and, if so, whether they share information with such affiliates; whether they share information with nonaffiliates and, if so, who they are; and whether they engage in joint marketing and, if so, with whom.  While members may tailor this information to accurately disclose affiliates, nonaffiliates, and joint marketing partners, their disclosure of the information must be as specified in the instructions. [16]

  • Other Information

    The final portion of the form, Other Important Information, is optional.  If registrants elect to include it, it may only be used to provide (1) state and/or international privacy law information; and/or (2) an acknowledgement of receipt form. [17]

Online Form Builder

 

To facilitate institutions creating their own customized notices using the new forms, the agencies participating in this rulemaking, including the SEC, plan to provide on each of their Websites a link to an “Online Form Builder.” This form builder will be accessible by any institution so the institution “can readily create a unique, customized privacy notice using the model form template.”  This template “will be available in late 2009” with “a more robust version” available in late 2010. [18]

 

Tamara K. Salmon
Senior Associate Counsel

 

endnotes

 [1]  See Final Model Privacy Form under the Gramm-Leach-Bliley Act, SEC Release No. 34-61003, IA-2950, and IC-28997 (November 17, 2009) (the “Release”), which is available on the SEC’s website at: http://www.sec.gov/rules/final/2009/34-61003.pdf.  Model Form S-P was adopted as a joint rulemaking initiative of the SEC, the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.  Pages 232-253 of the joint release published by these agencies set forth the SEC’s new form and the rules of construction applicable to its use. 

 [2]  There are really three versions of the form available for use:  (1) a model form with no opt-out; (2) a model form with telephone and Web opt-out only; and (3) a model form that includes a mail-in opt-out form.  (The opt-out requirement of Regulation S-AM can be accommodated through the version of Model Form S-P containing the opt-out.) As discussed below, registrants that must provide an opt-out can determine what method(s) of opt-out they will provide to consumers.  There is a link to each of these forms at: http://www.sec.gov/news/press/2009/2009-248.htm.  The forms, along with their instructions, will appear in the Appendix to Regulation S-P.  

 [3]  Release at p. 6.

 [4]  Release at p. 7.

 [5]  Release at p. 34.

 [6]  Because the forms will be used by all registrants subject to the authority of the regulators involved in this joint rulemaking initiative, this list includes many items that may be wholly irrelevant to our members’ business.  Those items that may be pertinent to our members’ business are boldfaced in this list.  The list approach is new to the form.  It addresses concerns the Institute had raised with having to include information wholly inapplicable to our industry (e.g., information gathered by insurance companies) on privacy notices utilized by mutual funds.

 [7]  While each of these reasons is largely self-explanatory, the instructions to the form, which begin on p. 241, explain each of them in more detail.  See Instruction C.2.(d) on pp. 244-246 of the Release.

 [8]  See the Release at pp. 44-45 and Instruction C.2.(d)(6) on pp. 245-246 of the Release for more information about use of the form for Regulation S-AM purposes.

 [9]  The phone number need not be toll free though, if it is, the form may so state.

 [10]  If a website is used, the registrant “must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page.”  See Instruction C.2.(e) on p. 246 of the Release.

 [11]  Ibid.

 [12]  See Instruction C.2.(g) on p. 247 of the Release.

 [13]  See Instruction C.2.(g)(1) on p. 247 of the Release for more information about this and other provisions governing customization of the mail-in opt-out form, including use as an opt-out for Regulation S-AM.

 [14]  If two or more financial institutions are jointly providing the notice, they must identify themselves as required by Section 249.9(f) of Regulation S-P.    The Instructions have a provision governing what to do if the list of institutions providing the notice jointly exceeds four lines.  See Instruction C.3.(a)(1) on p. 249 of the Release.

 [15]  The full list appears in Instruction C.3.(a)(3) on p. 250 of the Release.

 [16]  See Instruction C.3.(b) on pp. 251-252 of the Release.

 [17]  The acknowledgement of receipt “was provided in response to a request by the National Automobile Dealers Association, whose members routinely ask customers to sign an acknowledgment of receipt on a copy of the dealer’s privacy notice and retain this record verifying delivery of the notice.”  Release at fn. 14.

 [18]  Release at pp. 58-59.  The Release also notes that the Federal Reserve Board and the Federal Trade Commission have agreed to jointly undertake the development through consumer research of a Web-based version of the model form, which will be made publicly available for use by all institutions as soon as late 2009.  Release at p. 59.