Privacy Regs Proposed

The agencies that will administer and interpret the privacy provisions of the Financial Modernization Act (we like calling it "FinMod") have published proposed regulations to implement the privacy provisions.

Comments are due on the FRB's proposal by March 31, 2000. Comments on the proposals of other agencies should be due about the same time.

Which Agencies are Involved
When it comes to the privacy regulations, there are more than the usual list of agencies involved. The list of regulators includes the Securities and Exchange Commission, the Secretary of the Treasury, state insurance authorities, and the Federal Trade Commission in addition to the five federal financial regulatory agencies that are members of the FFIEC (FRB, OCC, FDIC, OTS, and NCUA). Each of these agencies may issue regulations on the protection of consumer and customer information. When dealing with entities or affiliates that are subject to another agency's regulations, you will need to follow that agency's regulations as well as those for your bank to be sure you have taken all the correct steps.

Schedule
The proposals are now out. Study them and comment on them by the end of March. The agencies are committed to publishing final regulations in May, well before the November 13, 2000 effective date, so that industry members will have ample time to develop compliance programs.

Format
This proposal from the FRB takes a new approach to regulation writing. First, the regulation is written to "you", the entity that must comply. It is a bit more like talking with "Mother Fed" than reading a set of rules written in the passive tense or third person. Second, the regulation itself incorporates the commentary approach. The regulation includes examples and guidance that the FRB ordinarily places in Official Staff Commentary. One of the positive results of this approach is that everything you need is in one document and pertinent parts are grouped together. There is no need to flip between regulation and commentary.

Scope
The regulations will be limited to consumer purpose transactions or relationships. Business customers will not enjoy the same protections. A consumer-purpose or covered transaction must involve products or services for personal, family or household purposes. Unlike Regulation Z, which describes the exemption through describing business purpose transactions, this regulation would describe what is covered. This approach is similar to that in the Federal Trade Commissions rules. Other definitions, such as financial product or service, are broad and inclusive. If a financial institution offers it or does it, it's covered.

Customer or Consumer?
The regulations will contain definitions of "consumer" and "customer." Different types of information protection will apply to the two categories. The short way of looking at it is that a customer is an individual about whom the bank knows enough to do harm.

A consumer is an individual who obtains or has obtained a financial product or service from the bank. This definition is quite broad and includes situations such as filing applications, providing information to determine qualifications for a product, and using bank facilities or services.

In contrast, a customer is a consumer who has an ongoing relationship with the bank. This goes beyond the "one-shot" relationship and focuses more on an ongoing relationship. For example, maintaining an account, purchasing a product such as insurance, holding a loan that you service, or obtaining financial advisory services for a fee would be sufficient to make the consumer a customer.

Personal or public
This is one of the areas of debate and therefore one to which you should give careful attention. Definitely comment on it. The proposal right now is fairly bank-friendly and applies a test that is manageable.

The information that is subject to the protection is personally identifiable financial information. This includes information that you obtain from the consumer through applications, requests for services and the use of products and services. Clearly included in the private category is information about accounts, including account numbers, account balances, and patterns of transactions.

Private information would not include information that is easily available through public sources, such as a phone book, courts, or government title recordings. However, under the regulation, the primary test of public v. private information would be the institution's source. Essentially, information obtained from the consumer or information that is the result of consumer transactions would be protected.

The Notice
The timing requirements would be simple. Just remember two key words: "before" and "annually." They should become the privacy mantra. Banks must give the notice to consumers before establishing a relationship. Then, the bank should send a notice to each customer no less frequently than annually. More often would be fine.

The notice should contain an explanation of the consumer's rights, the categories of nonpublic personal information that you collect, the categories of that information that you disclose, and the categories of affiliates and nonaffiliated third parties to whom you disclose. How specifically your notice describes these categories will have an effect on future disclosure requirements if you change your information sharing plans. It is in your interest to be specific.

The notice must also explain the consumer's rights to opt out and explain how to opt out. The proposal does not currently contain a requirement for providing the consumer with a method for opting out. However, it does recommend including a form that the consumer can use.

There are also stylistic guidelines for the notice. Type size, clear format and organization, and more conspicuous than other information would be tests for measuring the effectiveness of the notice.

Delivering the Notice
The proposed rule allows a variety of delivery methods, ranging from paper to electronic. There are several fundamental principles that would apply. First, notices may not ever be oral. The spoken word won't cut it.

Second, the notice should be delivered in a way that the customer can reasonably be expected to receive it. Electronic notices should be delivered and also be available on the bank's website.

Opting In and Opting Out
First, there is the "clear and conspicuous" requirement. The term is defined as "reasonably understandable and designed to call attention to the nature and significance of the information." The proposal provides some guidance on what would satisfy these concepts. Examples include >
Another principle in the practice of opting out is that the consumer may opt out at any time. The institution must accept and act on an opt out whenever it comes in. For example, if the bank sends its annual notice in January, and the customer exercises the opt-out in July, that should be immediately implemented. There is no concept of a limited time frame within which the consumer must exercise the right. The right is ongoing.

Categories
Your notice must disclose the categories of information you maintain and may share. It must also disclose the categories of entities with which you may share the information. Determining and describing the category is clearly an art form that has the potential for growth and change. In fact, there are some CRA-like dimensions to this.

The most important measurement for the accuracy of a disclosure will be what a reasonable consumer would understand. In short, this is not something to get clever with. Clarity of meaning will be fundamental to the question of whether the institution disclosed in good faith or attempted to deceive the customer.

First, there is the question of the categories of "nonpublic personal information" or "NPI" that you collect. Scour every place that customer information may enter the bank, including new accounts, credit applications, and the sale of innovative products.

Second, there is the question of the categories of NPI that you disclose. There is a simple solution to this problem for small banks: don't disclose any customer information. A practice of non-disclosure will pretty much keep the bank in compliance or at least in a very defensible position. But if you do disclose or sell information, review the type of information carefully and consider how to describe it.

Third, you must accurately categorize and describe the categories of affiliates and nonaffiliated third parties to whom you disclose NPI. This will start with setting precise parameters within the bank.

One of the concerns raised by consumer advocates is that consumers have no way of knowing who the third parties are and what their relationship with the bank may be. In order for the consent or opt-out to be effective, the consumer must understand from the disclosure what information you may share and with whom.

Finally, you must give the same attention to the categories of information concerning former customers.

Change in Terms
A change in terms really means that the institution has changed its information practices. The proposed regulation would require any such institution to re-notify its customers before making any new use of the information. The timing requirements would not be specific, but would use a reasonableness standard. Notice should be given to all affected customers with time for them to receive the notice and opt out before the practice is put into effect.

Preparing Comments
You will want to collect input throughout your bank before you prepare comments.

ACTION STEPS

Compile a list of all third parties and vendors with whom your bank has any relationship. Determine and document the full scope of the relationship.
Collect copies of the contracts you have with all vendors. Review them for any provisions that protect customer information.
Compile a list of all products and services that you offer - and that you may offer in the future. Use this list to identify needs for your compliance program.
Discuss this proposal with all staff that support or use the bank's web site. Get their ideas on how the rule would work and what steps they would take to ensure compliance.
Find out who has access to customer information. Learn about the circumstances surrounding their use of it and consider whether internal procedures are needed.
Draw up a list of all affiliates and non-affiliates with whom you share information. Also determine what information you share, have shared, or plan to possibly share some time in the future. This should give you a measurement of your privacy compliance issues.