Independent Community Bankers of America
Public Information Room
Office of the Comptroller of the Currency
250 E Street, SW
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 03-27
Becky Baker, Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Regulation Comments
Chief Counsel’s Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: No. 2003-62
Federal Trade Commission
Office of the Secretary
Room 159-H
600 Pennsylvania Avenue, NW
Washington, DC 20580
Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Re: Docket No. R-1173
Jean A. Webb, Secretary
Commodity Futures Trading Commission
Three Lafayette Centre
1155 21st Street, NW
Washington, DC 20581
Robert E. Feldman, Executive Secretary
Attention: Comments/Executive Secretary Section
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
Attention: File No. S7-30-03
Re: Alternative Forms of Privacy Notices
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA)1 appreciates the opportunity
to comment on possible amendments to the current
privacy rules implementing sections 502 and 503 of the Gramm-Leach-Bliley
Act. The amendments would be designed to allow or require financial
institutions to provide alternative forms of privacy notices, such
as a short form privacy notice, that would be easier for consumers
to understand and should reduce regulatory burden for financial institutions.
Overview
The ICBA supports the development of a short-form privacy notice to facilitate
consumer understanding of individual financial institutions’ privacy
policies and procedures. However, since banks have developed and revised
privacy notices over the past three years to meet existing compliance standards,
the ICBA strongly urges that the use of any new alternative privacy notice
be optional and not mandatory. This is especially critical for smaller institutions
that are only likely to share information as permitted by existing exceptions
such that they are not required to offer consumers an option to opt out from
information sharing and, as a result, are likely to already have shorter
notices.
If an optional short form alternative notice is developed, it should
be one that can be used in lieu of the existing long form, as it
would be burdensome and confusing for financial institutions to be
required to have both a short form privacy notice and a long form
privacy notice. And it is equally important to develop model language
to help consumers understand that not all banks are required to offer
the right to opt out since they only share information as permitted
by one of the statutory exceptions.
Background
The Gramm-Leach-Bliley Act (GLBA) requires banks and other financial institutions
to send customers annual privacy notices that describe the bank’s policies
and practices for disclosing nonpublic personal information to both affiliated
and non-affiliated third parties. In addition, where applicable, the notice
must describe how a customer can opt out from information sharing with non-affiliated
third parties.
Under current rules, privacy notices generally must include the following information:
(1) categories of nonpublic personal information
the bank collects; (2) categories of nonpublic personal information
that the bank discloses; (3) categories of affiliates and nonaffiliated
third parties to which the bank discloses nonpublic personal information;
(4) categories of information disclosed about former customers; (5)
a separate statement about information disclosed for joint marketing
purposes; (6) an explanation of the consumer’s right to opt
out from disclosure of nonpublic personal information to nonaffiliated
third parties (including an explanation about how to exercise that
right); (7) an explanation about the bank’s information sharing
with affiliates; (8) the bank’s policies and procedures for
protecting the confidentiality and security of nonpublic personal
information; and (9) any disclosures that the bank makes “as
permitted by law,” such as disclosures for government reports
or to complete transactions.
When privacy notices were first developed and distributed in 2001, critics
complained about their length and complexity. To begin to
address these problems, the regulatory agencies held a forum in December
2001 to discuss how to make privacy notices more effective. The agencies
are now considering options for a more streamlined notice format
that will meet consumers’ needs and at the same time reduce
burden.
Development of a Short Form Notice
Generally, the ICBA believes that the purpose of a privacy notice should be
to explain to customers the bank’s policy of collecting non-public
personal information about consumers, how the bank might share that information
and, where applicable, how the customer can opt out from that information
sharing.
The ICBA has long advocated the creation of a short-form privacy
notice. Anecdotal evidence suggests that few consumers read privacy
notices, and a short form notice would be more likely to be read,
making it both more useful and more in keeping with its intended
purpose.
However, many banks have already developed and established procedures
to comply with existing requirements, and any change in existing
procedures will require redesign of forms, retraining of staff, and
possibly reprogramming of software that is currently in place to
ensure compliance with new requirements. Therefore, the ICBA believes
that if the agencies develop a short-form privacy notice, use of
the short form should be optional and not mandatory.
Moreover, since any new notices will not be the result of substantive changes to
a bank’s privacy policies and procedures, it will be important that consumers
understand that the change is merely
a change in format to facilitate comparison of privacy policies and
not a change in privacy rights. Therefore, it will be vitally important
for the agencies to take steps to educate the public about any changes
to ensure that the general public understands why the notices are
being changed and what significance the changes portend for individual
consumers.
Utility of Existing Privacy Notices for Consumers. The ICBA believes that the
current privacy notices are somewhat useful for bank customers,
as they disclose the bank’s information sharing practices.
However, they are only somewhat useful because the sample language
and required disclosures can often be confusing for bank customers.
Community bankers report that the majority of their customers are
not especially concerned about the disclosures in the privacy notice.
Rather, most community banks have established trust and confidence
with their customers that serve as the foundation for the relationship
and the privacy notice merely reaffirms a pre-existing trust and
confidence.
It has been suggested that a simpler form would allow customers to shop and
compare privacy practices and policies between different
institutions. Since the great majority of bank customers are more
likely to shop based on fees and the location of a bank branch rather
than a bank’s privacy policies, the ICBA questions how extensively
consumers would use the privacy notice to compare financial institutions.
However, a simplified, consistent document would make it easier for
individual consumers to understand privacy policies and would make
it easier for those consumers that want to make comparisons to do
so.
Annual Notice. The ICBA believes a shorter notice would be preferable, with
disclosures made at the time an account is opened. However, we believe that
an annual notice of a bank’s privacy policies is unnecessary. The current
requirement that all consumer customers receive an annual copy of the bank’s
privacy notice is unduly burdensome, with the costs far outweighing any minimal
benefits. We recognize there is an annual notice provision in the statute,
but the statute also grants the agencies leeway in drafting regulations. Specifically,
section 504(b) permits the agencies to grant exceptions to the provisions of
section 502(a) through (d) when it would be consistent with statutory purpose.
Section 502(a) requires a notice that substantially complies with the provisions
of section 503, the annual notice requirement.
The ICBA submits that it would be possible for the regulators to interpret
these provisions to allow an exception from the annual notice requirement for
financial institutions that only share information in such a way that they
are not required to offer consumers an opt-out option. If the agencies do not
feel comfortable with such an interpretation, the ICBA strongly urges the agencies
to recommend that Congress consider eliminating the annual mailing requirement
to reduce cost and regulatory burden.
Providing the bank’s privacy notice at account opening would ensure that
the provisions are called to the consumer’s attention and should be thoroughly
adequate for the great majority of consumers, especially customers of banks
that are not required to offer an opt-out option. If and when the bank’s
information sharing practices change, a revised notice could be provided. There
would be an added benefit in providing notice only when there is a change in
the bank’s information sharing practices and procedures: the notice would
call attention to the changes, as opposed to the current requirement of annual
mailing by all financial institutions that merely ensures customer indifference
to notices, making it increasingly likely that the notices are unheeded and
unread.
Right to Opt Out. Many community banks only
share information as permitted by one of the exceptions provided in the statute
and the rule. As a result,
they are not required to offer their customers an opt-out. However, because
of media coverage of privacy issues, consumers believe that all banks must
offer an opt-out. The ICBA encourages the agencies to make additional efforts
to help the public understand how the right to opt out works and that not all
banks must offer the option. The ICBA also recommends that the agencies clarify
how banks should handle opt-out requests where the bank is not required to
offer one. For example, if a customer requests an opt-out from a bank that
only shares information as permitted by one of the existing exceptions, the
bank should be able to treat that request as invalid and not retain any record
of the request.
If a bank is required to offer customers the right to opt out, the ICBA is
concerned that highlighting that information, such as through the use of highlighted
text, a special font or by placing the disclosure in a separate box, may be
a disservice to customers by encouraging the opt-out and preventing the bank
from providing good customer service by making it more difficult to offer a
broad variety of financial products and services through affiliates or non-affiliated
third parties. However, if the agencies deem highlighting of the opt-out option
is appropriate, then it should be a recommended, but not required, practice.
And, since so many community banks are not required to offer the right to opt
out because they only share information following one of the statutory or regulatory
exceptions, the ICBA also believes it would be extremely useful for the agencies
to develop model language that explains in very brief and simple terms why
the bank is not offering a right to opt out. Such model language would be helpful
in eliminating some of the confusion engendered by media reports when privacy
notices were first used in 2001.
Key Elements for a Short Form Notice. Community
banks and their customers generally believe that the same elements of privacy
are important. Essentially, a bank’s
privacy notice should stress that the bank protects the security and confidentiality
of each customer’s information, that it may disclose that information
to provide services and products, and, where applicable, a brief explanation
of what the customer must do to opt out from information sharing. Generally,
the privacy notice should not be more than four or five items, since the more
detailed and complex the notice becomes, the less likely consumers will actually
read it and the less useful the privacy notice will be.
If the bank only shares information under the existing exceptions such that
it is not required to offer an opt-out, the requirements
for a privacy notice should be very short. Primarily, the notice
should alert customers to whether the bank shares non-public personal
information about its customers for marketing non-financial products
and services. Banks are in the business of providing financial products
and services for their customers and community banks often rely on
third parties to provide financial services and support their customers’ financial
needs; anecdotal evidence suggests that customers are not offended
when a bank makes arrangements to provide financial services. The
objections arise when banks use non-public personal information to
market non-financial services, such as magazine subscriptions, dental
or legal services or travel services.
Where a consumer does not have the right to opt out from information
sharing with third parties, such as where the bank enters into joint
marketing ventures with other financial service providers to offer
its customers financial products and services, the ICBA does not
believe that it is necessary to highlight this element in the privacy
notice.
Possible Notice Formats or Templates
One option being considered by the regulators would be a short-form privacy
notice that gives abbreviated disclosures but does not provide all the disclosures
mandated by the Gramm-Leach-Bliley Act. Under this option, a separate long-form
would have to be available on request to meet statutory requirements.
The ICBA agrees that if the short form does not contain all
the elements required by the Gramm-Leach-Bliley Act, the abbreviated
notice should include a simple statement informing customers how
to obtain the full, long-form privacy notice. However, we do not
agree this avenue is likely to be useful in reducing customer confusion
or reducing regulatory burden. While a short form would reduce distribution
and mailing costs, it could actually increase regulatory burden,
since banks would be required to maintain two privacy notices: a
new short form and a long form containing all the information required
by the statute. Having two privacy forms would require banks to train
staff on the use of two forms and would require banks to maintain
supplies of two parallel forms. Moreover, having a bifurcated system
of privacy notice forms would be confusing to customers, since every
financial institution would have two related but different privacy
notices. The ICBA believes that if a shorter privacy notice is created,
it should replace the current long form.
While it would be preferable to have a new short form replace the
long form, if there must be two forms, the most logical requirement
would be to make the long form available at account opening for customers
that request it. Banks should have the option of providing either
the short form or the long form at account opening. If a bank elects
to provide a short form privacy notice to customers at account opening,
the bank should then make the long form available if the customer
requests it. After an account relationship has been established,
if an annual notice is still required, the short form could be used.
It is important that all banks have the option of using only one privacy notice
form. This is especially important for community banks
that do not share information outside one of the permitted exceptions,
that are therefore not required to offer an opt-out, and that already
use a “long” form that is actually relatively short.
Those banks should be allowed to continue to use their existing form.
The agencies have identified four possible notice formats for consideration,
with the caveat that they are solely designed to encourage discussion.
The three notice formats provide varying degrees of flexibility in
making privacy disclosures. The first would be the least flexible,
since it provides a standard template where bankers merely indicate “yes” or “no” on
each category. The second offers slightly greater flexibility, permitting
banks to supplement the mandated information in each category. The
third template allows the greatest flexibility, setting out a format
of various categories for disclosures, but allowing individual banks
to describe their information sharing practices for that particular
category. All three sample forms are designed to facilitate consumer
comparison of privacy policies and practices among different financial
institutions. While each form has individual merits, the ICBA believes
that greater flexibility may be the most decisive factor.
The less flexibility permitted for individual financial institutions
to disclose their privacy policies and procedures, the less information
is actually conveyed to consumers. The current food nutrition labels
have often been cited as an ideal model to emulate. Unfortunately,
the information included in a privacy notice is subjective and
cannot be distilled to the absolutes that nutrition labels are
designed to convey. In fact, software programs that can distill
and analyze privacy policies have been difficult to develop for
this reason. Therefore, sufficient flexibility is critical in any
required disclosures of a bank’s information sharing practices.
Optional vs. Mandatory. Again, it is important to stress that any new
short-form privacy notice should be optional and not mandatory.
As noted above, for the past three years, banks have been issuing
privacy notices to their customers, and have reached a point where
existing notices meet compliance requirements and are familiar to
bank customers. A mandatory change in format, however well intentioned,
will be expensive and burdensome. And since a new format will not
be the result of substantive changes to a bank’s privacy policies
or procedures, it may be confusing for consumers. Since costs may
outweigh benefits for many banks, a revised format should be optional.
This is especially important for community banks that already use
shorter privacy notices that meet the requirements of the current
regulations. While the ICBA urges that any new privacy notice formats
be optional for all financial institutions, at a minimum, community
banks that are not currently required to offer customers an
opt-out should be allowed to continue using their existing privacy
notices.
Language. Privacy notices should provide information to consumers in a meaningful
way. Since much of the language in the current regulatory
models has been subjected to criticism, it would be useful for the
regulatory agencies to test proposed language changes with focus
groups. When developing alternative privacy notices, the ICBA suggests
incorporating standard phrases in model clauses, since standard terminology
ensures consistency and facilitates consumer understanding and comparison.
However, banks also should be allowed some flexibility to develop
their own language for disclosures as long as certain mandatory information
is included. Individual banks know their own customer base and should
be able to communicate information to their own customers in the
most appropriate manner. Permitting flexibility allows banks to tailor
disclosures based on their unique market and circumstances, although
providing a safe harbor for use of model language would encourage
its use. But while standard language is useful for model clauses,
it should not be mandatory.
Presentation Format. There may be advantages to standardized
presentation, but the less flexibility permitted individual financial institutions,
the less opportunity the bank has to accurately communicate its information
sharing practices to its customers. The key advantage to a standardized
format for presentation, perhaps following the model of the Schumer
Box used for Truth-in-Lending disclosures, is that it would permit
consumers to compare privacy policies for different financial institutions,
if they so desire. For a short-form privacy notice, one page would
most likely be the optimal length.
State Law Considerations. Because the provisions of the Gramm-Leach-Bliley Act
allow individual states to develop requirements that differ from
federal requirements, it is important that any changes to the existing
federal regulations permit banks sufficient flexibility to include
any disclosures required by state law in their federal privacy notices
at the bank’s option and when state law permits.
Safe Harbor. While the use of any short form privacy notice should be optional,
whenever a bank uses the standard form template or model
language furnished by the agencies, the bank should have a safe harbor
to protect it from examiner criticism or litigation.
Conclusion
The ICBA supports the development of an optional short-form privacy notice
that is clear and concise and that helps consumers understand an individual
financial institution’s information sharing practices. However, inasmuch
as banks and their customers have had three years of experience with existing
requirements, any new alternative forms of privacy notice should be at the
option of the institution, especially community banks that are not required
to offer an opt-out.
If an alternative notice format is developed, it should be a template
that banks can use, and the regulatory template should provide a
safe harbor from examiner criticism and litigation. Any alternative
form of privacy notice should include all the disclosures mandated
by the Gramm-Leach-Bliley Act so that it can be used instead of the
existing long form and not as a companion or supplemental notice
form.
The ICBA also strongly encourages the agencies to strive to eliminate
the annual notice requirement, especially for those banks that are
not required to offer an opt-out. Finally, the ICBA urges the agencies
to develop model language and undertake a public education effort
to help consumers understand that not all banks are required to offer
a right to opt out.
Thank you for the opportunity to comment. If you need additional
information or have any questions, please contact me by phone at
202-659-8111 or by e-mail at robert.rowe@icba.org.
_______________________________
1 ICBA represents the largest constituency of community banks in
the nation and is dedicated exclusively to protecting the interests
of the community banking industry. We aggregate the power of our
members to provide a voice for community banking interests in Washington,
resources to enhance community bank education and marketability,
and profitability options to help community banks compete in an ever-changing
marketplace.
Sincerely,
Robert G. Rowe, III
Regulatory Counsel