Hillcrest Bank
March 29, 2004
Robert E. Feldman, Executive Secretary
ATTN: Comments/Executive Secretary Section
Federal Deposit Insurance Corporation
550 17th St., NW
Washington, DC 20429
RE: Alternative Forms of Privacy Notices
Dear Mr. Feldman,
Thank you for the opportunity to submit comment on the advanced
notice of proposed rulemaking (ANPR) regarding privacy. Hillcrest
Bank is a Kansas chartered commercial bank with close to one billion
dollars in assets. We have branches in the Kansas City and Wichita
metropolitan areas. We have submitted comment on numerous issues
you presented in the ANPR.
Goals of a Privacy Notice
We believe the primary goal of a privacy notice is to tell the customer
what happens to the nonpublic personal information they provide to
us as part of our financial service relationship. We believe the
customer wants to trust us to treat their nonpublic personal information
securely and confidentially, as they themselves would. As such, we
believe the secondary goal of a privacy notice is to inform the customer
whether a financial institution shares this information outside of
the allowable exceptions and how the customer can opt out of such
information sharing.
Hillcrest Bank
does not share nonpublic personal information about consumers with
nonaffiliated
third parties outside of the exceptions
so we are not required to provide an opt out capability to consumers
or customers. We used the sample clauses from the final regulation
in our initial privacy notice in 2001. Even so, we received numerous
requests from our customers to provide the ability to opt out. It
appeared to us that customers were confused as to their rights under
the Act. For example, many customers requested that we not disclose
any nonpublic personal information for any reason. We spent a great
deal of time explaining to these customers that we must provide nonpublic
personal information in some cases in order to provide the financial
services they have requested and that the final regulation rightly
allows this exception to opt out. The most common example we gave
of nonpublic personal information disclosure is that we provide an
unaffiliated third party with the customer’s account number
in order to obtain checks for their checking accounts. Providing
examples of servicing and processing transactions not subject to
opt out has alleviated our customers concerns, but it is apparent
to us that many people simply do not want their nonpublic information
shared. The theme behind most of the customers concerns is that they
are tired of receiving marketing solicitations by phone and mail
and do not want banks to promote this activity with third parties.
In response to customer requests, we now offer customers the choice
whether to opt out of our own marketing or joint marketing campaigns.
Further, we developed our own plain language annual notice for 2002
and used it again in 2003. We have received substantially fewer comments
and opt out requests since improving our privacy notice to make it
more readable and useful to consumers. Thus, while we believe improvement
can be made regarding privacy notices, we appreciate the flexibility
the current regulation provides us in designing a privacy notice
for our specific use and do not support the Agencies’ development
of a short notice. We do not believe it makes sense to develop an
additional notice when an existing notice is already effective.
We know of no differences between federal and Kansas or Missouri
laws that would pose any special issues for developing a short privacy
notice.
We believe the most important way a privacy notice would be useful
to a consumer is to inform the consumer about how their nonpublic
personal information is treated and whether they can opt out of further
disclosure. We believe the least important way a privacy notice would
be useful is to provide a mechanism for the consumer to opt out in
the same medium used to provide the privacy notice.
Elements of a Privacy Notice
We are not in favor of pursuing a short notice, however, if the
Agencies decide to do so, we believe the key element should be how
a financial institution shares nonpublic personal information about
a consumer. We believe this is the key element from the perspective
of the financial institution and the consumer. We believe that elements
deemed important enough to be included in the development of an additional
notice should be given equal prominence to one another.
Language of a Privacy Notice
We believe that if the Agencies decide to pursue a short notice,
financial institutions should be required to use standardized clauses
rather than develop its own language.
Format of a Privacy Notice
We would not
be in favor of developing a standard graphic design. We don’t believe this will assist a consumer in determining
privacy policy and practice differences between financial institutions.
We believe it may be more advantageous to a consumer to have visually
recognizable graphics to recall one financial institution’s
short notice from another.
Our current privacy
notice is a tri-folded, double-sided, 8 ½” x
11” page with at least a 12-point font size. Thus, if a short
notice is developed, we believe it should be limited to a single,
double-sided, 3 ¾” x 8 ½” sheet, or, a
third of the size of our current notice.
We believe elements
of a privacy notice required by state law should be allowed to
be
included in a short notice. This may be accomplished
by listing such elements under a heading such as “State Law
Requirements.”
If a short notice is developed, we prefer the format described in
Appendix A.
Mandatory or Permissible Aspects of a Privacy Notice
We believe a
short notice should not be mandatory for all financial institutions.
It is our
opinion that for financial institutions,
like our own, that do not disclose information to third parties that
would be subject to a consumer’s right to opt out under the
Fair Credit Reporting Act or the Gramm Leach Bliley Act, a short
notice would essentially be unnecessary as the current, standard,
complete privacy notice is likely already short. We believe the agencies
should allow such financial institutions to continue to use the simple,
abbreviated notices they currently use and be exempt from short notices.
If a short notice is made mandatory, we believe all the language
and the format for such should be mandatory in order to provide simple
comparisons. We believe, however, that it is best to continue to
allow financial institutions the flexibility to design their own
complete privacy notice.
As noted earlier, we now offer customers the choice whether to opt
out of our own marketing or joint marketing campaigns. If a short
notice is mandated, we would like to be able to include this information
in our short notice.
Costs and Benefits of a Short Notice
The cost of developing a privacy notice for distribution at account
opening, upon request, and for annual mailing does impose a significant
burden on financial institutions. The costs of developing a short
notice would most certainly be affected by whether the notice is
mandatory. If it is not made mandatory, we believe that many financial
institutions will not develop a short notice, and if their complete
privacy notice is sufficient, they would be justified in not developing
a new notice. If it is made mandatory in addition to a complete privacy
notice, our costs to produce the disclosure will be significant.
We do not believe that whether the format or language is standardized
would affect the cost of development any differently than if we were
allowed to design our own short notice.
Additional Information
We are pleased that you expect consumer testing will be a key component
in developing proposed interpretations or amendments. Consumers,
in many cases, receive numerous privacy notices throughout the year
and we believe it will be advantageous to ask them about the effectiveness
of the privacy notices they receive.
We respectfully
request that you consider asking consumers if they would find it
most useful
to receive privacy notices annually or
only upon changes to privacy policies or practices. We are concerned
that the number of notices received annually by a typical household
diminishes the importance of their content. Essentially, we don’t
believe customers will read each notice annually, compare previous
notices to the current one to note changes (if the consumer has even
kept previous notices), and act accordingly in response to any change
in policy or practice. We believe the more notices received without
changes, the less likely a customer will be to read the notice if/when
a privacy policy change has been made. It is our belief that most
privacy notices will be tossed in the trash and thus are of no benefit
to the customer. As noted above, the cost of annual mailings does
impose a significant burden on financial institutions and our concern
is that the cost of an annual mailing outweighs the customer benefit.
We would, of course, be open to always making a copy of our policy
and practices available upon request in addition to being provided
at account opening.
Sincerely,
Brad Bischoff
Compliance and Privacy Officer
Hillcrest Bank
Overland Park, KS
|