On March 2, 2000, the Securities and Exchange Commission ("Commission") proposed for public comment Regulation S-P, which is designed to implement the financial privacy provisions of last year’s financial modernization legislation, the Gramm-Leach-Bliley Act ("GLBA") (please see endnote 1). The GLBA directed the Commission and other regulators to issue rules to protect the privacy of customers of financial institutions. The federal banking agencies issued their proposed regulations on privacy a few weeks prior to the Commission, and the Commission’s regulation is substantially similar to those proposed rules.

What institutions would be subject to the Commission’s proposed rule?

  1. Broker-Dealers, including municipal securities broker-dealers and government securities broker-dealers, whether or not registered under the Securities Exchange Act;
  2. Investment Companies, whether or not registered with the Commission, which would include business development companies; and
  3. Registered Investment Advisers. Unlike broker-dealers and investment companies, advisers that are not registered with the Commission (such as private investment advisers or investment advisers registered with the states) would not be covered.

What would the Commission’s regulation require covered institutions to do?

The Commission’s new regulation would require investment advisers, investment companies, and broker-dealers to do four things:

  1. Notice. Provide consumers with a "clear and conspicuous" notice regarding their privacy policies and practices.
  2. Disclosure Conditions. Describe the conditions under which they may disclose "nonpublic personal information" about consumers to nonaffiliated third parties.
  3. Opt Out. Provide a method for consumers to "opt out" of the disclosure of nonpublic personal information to third parties.
  4. Policies and Procedures. Adopt policies and procedures reasonably designed to (a) insure the confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security of customer records and information; and (c) protect against unauthorized access or use of customer records or information that could result in "substantial harm or inconvenience" to any consumer.

Would all of the clients of these institutions be covered?

No. The GLBA and the Commission’s proposed regulation only apply to information about "consumers" and "customers."

  1. Consumer. A consumer is defined as any individual (or his or her legal representatives) who obtains, or has obtained, a financial product or service that is to be used primarily for personal, family, or household purposes.
  2. Customer. A customer is defined as a consumer who has a continuing relationship with the institution under which he or she receives financial products or services to be used primarily for personal, family or household purposes. In general, the Commission requires that there be more than an isolated transaction to establish a sufficient continuing "customer relationship" such that a consumer becomes a customer. A one-time transaction may, however, be sufficient to establish a customer relationship, if there is an expectation of continued service or further transactions. For example, an individual’s purchase of securities through a broker with whom the customer opens an account would be sufficient to establish a customer relationship because of the continuing nature of the service.

The distinction between consumer and customer, as noted below, determines the notices that need to be provided and when such notices need to be given. The examples in the proposed regulation make clear that an investor who purchases shares from an investment company would be a customer of that investment company. An investor would not, however, be a customer of that investment company if she purchased fund shares on an undisclosed basis through an investment adviser or broker-dealer.

Note: The proposed regulation’s privacy mandates do not apply to the business or institutional customers of a financial institution.

What information would be covered?

The disclosure requirements and restrictions on sharing information with nonaffiliated third parties under the GLBA and the Commission’s proposed Regulation S-P depend on certain key definitions, on all of which the Commission has requested comments. To begin with, the privacy rules would apply to information that is "nonpublic personal information."

  1. Nonpublic personal information is defined as "personally identifiable financial information" and any list, description, or grouping that is derived from personally identifiable financial information. Importantly, nonpublic personal information includes publicly available information that is "disclosed in a manner that otherwise indicates the individual is a financial institution’s consumer," such as a list of customers.
  2. Personally identifiable financial information is, in turn, defined to include three categories of information:
     (a) Supplied by Consumer. Any information that is provided by a consumer to a financial institution in order to obtain a financial product or service from the institution. That would include, for example, material that a consumer supplies to an investment adviser when entering into an investment advisory contract.
     (b) Resulting from Transactions. Any information that results from a transaction with the consumer or any service performed for the consumer. This category would include information about account balances, securities positions, or financial products purchased or sold.
     (c) Obtained in Providing Products or Services. Any information otherwise obtained by the financial institution in connection with providing a product or service to the consumer. This would include information from a consumer report or other outside source used to verify information that a consumer provides on an application.
  3. Publicly available information, however, is excluded from the definition of nonpublic personal information. Publicly available information is defined to mean information that the financial institution "reasonably believes" is lawfully available to members of the public from three sources:
     (a) Official Public Records. Official public records, such as real estate recordations or securities interest filings;
     (b) Media. Widely distributed media, which would include information obtained over the Internet if it is obtainable from a site that is open to the general public and accessible without a password or similar restriction; and
     (c) Required Disclosures. Information from disclosures -- such as securities documents -- that are required to be made to the general public by federal, state, or local law.

The rule would treat information as public if it could be obtained from one of the three public sources listed in the rules. Thus, if an institution reasonably believes that the information is lawfully made available to the public from the above-noted sources, then that information would be excluded from the scope of nonpublic personal information, whether or not the institution in fact obtains the information from a public source. Accordingly, under the proposed rule, the fact that a consumer has provided information to an institution, for example, in an advisory contract would not automatically mean that the information provided would be protected by the Commission’s privacy rule.

The Commission has sought specific comment on whether it should treat information that is publicly available as nonpublic if a financial institution does not obtain it from a listed public source. The federal banking agencies also have sought comment on whether to use this alternative definition of nonpublic information.

When would an institution be required to disclose its privacy policy?

The proposed rule would require a financial institution to provide clear and conspicuous notices that accurately reflect its privacy policies and practices. As noted above, the timing of a notice depends on whether a consumer becomes a customer.

  1. Notice to a Consumer. For a consumer who never becomes a customer, a financial institution is not required to provide any notice unless the financial institution determines to disclose nonpublic personal information about that consumer to a nonaffiliated third party.
  2. Notices to a Customer.
     (a) Initial Notice. For a customer, an initial privacy notice should be provided prior to the time of establishing the customer relationship. Thus, the notice may be provided at any time before establishing the relationship, and it may be combined with other information that the institution provides. For example, an investment adviser may provide the privacy notice when it provides the initial Form ADV to its customer.
     (b) Annual Notice. For a customer, a financial institution also must provide annual privacy notices during the continuation of the customer relationship. The annual notice must, once again, "clearly and conspicuously" disclose the current privacy policies and practices of the financial institution.
     (c) Notice to an Existing Customer. For customer relationships established prior to the proposed rule’s effective date, the financial institution would need to provide an initial notice within 30 days of the effective date. That effective date, as noted below, is currently expected to be November 13, 2000.

How would an institution provide its initial and annual notices?

Under the proposed rule, the notices would need to be provided in writing or, if the consumer agrees, in electronic form. Oral notices are insufficient.

For customers, the notices should be provided in a manner that allows them to retain the notices or obtain them at a later date. The Commission also requested comment on who should receive notices when there is more than one party to an account.

The proposed regulation would allow two or more institutions to provide joint notices, as long as they are delivered in accordance with the rule and are accurate for all recipients. Institutions that could give joint notices include: (i) an introducing broker and its clearing broker (that clears on a fully disclosed basis), and (ii) an investment company and a broker-dealer that distributes its shares. This provision also may be helpful for affiliated firms that are part of the same holding company.

What would need to be included in initial and annual privacy notices?

The proposed rules would require a financial institution to provide the following information in both its initial and its annual privacy notices:

  • Collected Information. The categories of nonpublic personal information about consumers that the institution collects.
  • Disclosed Information. The categories of nonpublic personal information about consumers that the institution may disclose.
  • With Whom is the Information Shared. The categories of affiliates and (please see endnote 2) nonaffiliated third parties to whom the institution discloses nonpublic personal information.
  • Information About Former Customers. The categories of nonpublic personal information about former customers that the institution discloses and the categories of affiliates and nonaffiliated third parties to whom the institution discloses this information.
  • Information Disclosed to Non-Affiliated Service Providers. The categories of nonpublic personal information that are disclosed and the categories of third parties providing the services.
  • Right to Opt Out. An explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, and the methods by which a consumer may exercise that right.
  • Fair Credit Disclosures. Disclosures, if any, regarding sharing of "consumer reports" with affiliates that are required by the Fair Credit Reporting Act.
  • Policies and Practices. The institution’s policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.

What is the "opt-out" notice?

The proposed regulations require a financial institution to provide a consumer with a reasonable opportunity to prevent the institution from disclosing the consumer’s nonpublic personal information to nonaffiliated third parties – i.e., to "opt out."

  1. Form and Method. The opt-out notice must, like the other required notices, be clear and conspicuous. The notice should:
     (a) state that the financial institution reserves the right to disclose nonpublic personal information to nonaffiliated third parties;
     (b) state that the consumer has the right to opt out of that disclosure, i.e., to direct that the information not be shared; and
     (c) afford a reasonable means by which the consumer may exercise that right (e.g., check-off boxes in a prominent position on relevant forms with the opt-out notice). Requiring the consumer to write a letter to the financial institution in order to opt out is insufficient.
  2. 30 Days to Opt Out. The proposed rule would generally require that a consumer be given 30 days in which to opt out of information sharing. In the case of isolated transactions, the consumer should be able to decide whether to opt out "before completing the transaction." The Commission has invited comment on whether 30 days is a reasonable opt-out period.
  3. Ability to Opt Out Later. The proposed rule notes that a consumer who does not exercise his right to opt out does not lose that right. He may exercise the right later. If he does so, the institution must stop information sharing as soon as possible thereafter.
  4. Partial Opt Out. A financial institution may -- but is not required to -- provide a consumer with the option of a partial opt out in addition to the opt out required by this rule. The partial opt out may, for example, allow the consumer to limit the types of recipients of nonpublic personal information about that consumer.
  5. Change of Policy. If an institution changes its policy, it must provide a revised notice and a new opportunity to opt out before disclosing nonpublic personal information to a nonaffiliated third party.

The Commission has requested specific comment on certain aspects of the opt-out requirement. For example, the Commission has asked whether, for joint accounts, each accountholder should have the right to opt out. In addition, the Commission has sought comment on how the right to opt out should apply to an investment adviser that manages an account on behalf of multiple beneficiaries.

Would there be any exceptions to the "opt-out" requirements?

Yes. The proposed regulations would incorporate statutory exceptions enabling a financial institution to share information with certain nonaffiliated third parties without having to provide a right to opt out.

  1. Service Providers and Joint Marketing. An important exception would allow a financial institution to disclose nonpublic personal information to a nonaffiliated third party for use by that third party to perform services for, or functions on behalf of, the financial institution, including the marketing of the financial institution’s products or services. As a general matter, a consumer does not have the right to opt out in this situation if the financial institution (a) fully discloses to the consumer that it will provide this information to the nonaffiliated third party before it is shared, and (b) enters into a contract with the third party to maintain the confidentiality of the information.
  2. Processing Transactions at the Customer’s Request. The opt out requirements also would not apply if a financial institution discloses nonpublic personal information "as necessary to effect, administer, or process a transaction" that is authorized by the consumer.
  3. At the Direction of the Consumer or for Other Limited Reasons. Other exceptions include disclosures made at the direction of, or with the consent of, the consumer, disclosures made to protect against fraud, and disclosures made in response to judicial process.

Would the regulation place requirements on third parties that receive information from financial institutions?

Yes. The proposed regulation would prohibit a nonaffiliated third party that receives nonpublic personal information from a financial institution from disclosing that information, directly or through an affiliate, to any person not affiliated with the financial institution (or with the third party, if the third party is a financial institution) unless the disclosure would be lawful if made directly by the financial institution. For example, a nonaffiliated fund service provider that receives nonpublic personal information from a mutual fund may not directly or indirectly disclose that information to a party unaffiliated with both the fund and the service provider unless the fund itself could lawfully share the information with that party.

Could an account number be disclosed to third parties?

In general, no. The proposed Regulation S-P would incorporate the GLBA statutory provision that prohibits a financial institution from disclosing -- other than to a consumer reporting agency -- a customer’s account number to a nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail.

The Commission has invited comment on whether an exception to this prohibition is appropriate, the circumstances under which such an exception would be appropriate, and how such an exception should be formulated to provide consumers with adequate protection. The proposal also seeks comment on whether a flat prohibition might unintentionally disrupt certain routine practices, such as the disclosure of account numbers to a service provider who handles the preparation and distribution of monthly account statements for a financial institution coupled with a request by the institution that the service provider include marketing literature with the statement about a product. In addition, the Commission has invited comments on whether a consumer ought to be able to consent to the disclosure of his or her account number, notwithstanding the general prohibition and, if so, what standards should apply.

Would policies and procedures be required?

Yes. A financial institution would be required to establish appropriate standards to safeguard customer records and information. The Commission’s proposed rule does not prescribe specific procedures; rather, the Commission has indicated that it believes that each institution should tailor its policies and procedures to its own systems and the needs of its customers. The Commission has requested comment on whether it should provide more specific guidance on what procedures are necessary.

When are comments due and when would these privacy requirements be effective?

Comments are due on the proposed rule by March 31, 2000. In accordance with the GLBA, the Commission has stated that it plans to issue a final regulation by May 13, 2000, and then have the rule become effective six months thereafter -- November 13, 2000. The Commission has sought comments on whether having Regulation S-P become effective six months after its promulgation would provide financial institutions sufficient time to comply.

If you would like a copy of the release proposing Regulation S-P or more information on the proposed regulation, please contact Jeremy Rubenstein at (202) 663-6086, Satish Kini at (202) 663-6482, or Franca Harris at (212) 230-8808.

This letter is for general informational purposes only and does not represent our legal advice as to any particular set of facts, nor does this letter represent any undertaking to keep recipients advised as to all relevant legal developments.

ENDNOTES:

  1. Privacy of Consumer Financial Information (Regulation S-P), Release Nos. 34-42484, IC-24326, IA-1856 (Mar. 2, 2000) (available at www.sec.gov/rules/proposed/34-42484.htm).
  2. An "affiliate" of a broker-dealer, investment company, or registered investment adviser is defined as any company that controls, is controlled by, or is under common control with that institution. The proposed regulation also provides that a broker-dealer, investment company, or registered investment adviser will be considered an affiliate of another company for purposes of the privacy rules if: (i) the other company is subject to privacy regulations issued by one of the other financial regulators, and (ii) those privacy rules treat the broker-dealer, investment company, or registered investment adviser as an affiliate of that other company. The Commission explained that this part of the proposed definition was designed to prevent the disparate treatment of affiliates within a holding company structure. The Commission noted that, without this provision, a broker-dealer in a bank holding company structure might not be considered affiliated with another entity in that organization under the Commission’s proposed rules, even though the two entities would be considered affiliated under the federal banking agencies’ privacy proposal.