SEC Adopts Financial Privacy Rules
Washington, DC, June 29, 2000 - The Securities and Exchange Commission adopted on June 22 Regulation S-P, relating to the privacy of consumer financial information. As required by the Gramm-Leach-Bliley Act enacted last November, Regulation S-P limits the ability of every investment company, broker-dealer, and registered investment adviser to disclose its consumers’ and customers’ nonpublic personal information to nonaffiliated third parties. Regulation S-P also requires those financial institutions to provide initial, annual and opt-out privacy notices in various instances and to adopt policies and procedures to protect the nonpublic personal information of their consumers and customers.
Effective and Compliance Dates
Regulation S-P becomes effective on November 13, 2000, although compliance is not mandatory until July 1, 2001. Joint marketing and service agreements that are in effect as of July 1, 2000 will have to be brought into compliance with section 248.13 of Regulation S-P by July 1, 2002.
The Release notes that to be in full compliance with the rules’ restrictions on disclosures on July 1, 2001, broker-dealers, funds, and registered advisers must have provided their existing customers with an initial privacy notice, an opt-out notice, and a reasonable amount of time to opt out before that date. Financial institutions that both provide the required notices and allow a reasonable period of time to opt out before July 1, 2001 may continue to share nonpublic personal information with nonaffiliated third parties after that date for customers who do not opt out.
The Commission received 115 comment letters on proposed Regulation S-P, including one from the Institute. The rule was adopted substantially as proposed, although the Commission made a number of clarifying and technical changes in response to the comments it received. Significant changes from the proposal are briefly summarized below.
General Clarifying Changes
In an effort to clarify the rules, the Commission added a number of examples to Regulation S-P. The Commission reiterated that the examples merely illustrate the application of the general rules. The Commission also provided additional guidance for firms that do not disclose, or reserve the right to disclose, information in ways that would trigger the opt-out requirements. The Release also includes sample privacy notice clauses. These provisions are not intended to be model clauses, but rather are intended to illustrate the appropriate level of detail in the required privacy notices.
Specific Issues Addressed in the Release
Form and Location of Privacy Notices. The Release makes clear that privacy notices may be combined with other disclosures. The Commission notes, however, that privacy notices contained in other disclosure documents may be subject to multiple disclosure standards. For example, a fund that includes a privacy notice in its prospectus would have to make the privacy notice clear and conspicuous according to Regulation S-P and would have to prepare the prospectus according to disclosure standards under the Securities Act of 1933. The Commission also notes that funds may reduce the burden of complying with the annual notice provisions by including annual privacy notices in shareholder reports.
Timing of the Initial Notices. The Commission has deleted the proposed requirement that a financial institution provide an initial notice prior to the time that it establishes a customer relationship with a customer. Commenters pointed out that it would be difficult, if not impossible, for funds sold through nonaffiliated broker-dealers to comply with this requirement, and recommended that investment companies instead be permitted to provide initial privacy notices at the time of the confirmation of a purchase of fund shares.
In place of the "prior to" requirement, the final rule requires financial institutions to provide a customer with an initial notice not later than when the financial institution establishes the customer relationship. There are three exceptions to this rule, one of which permits a fund to delay delivery of the initial notice when a nonaffiliated broker-dealer or registered adviser purchases fund shares on behalf of a customer without the fund's knowledge. In such a case, the initial notice must be provided a reasonable time after establishing the customer relationship.
Timing Issues Related to the Opt Out. The final rules add several examples clarifying what would be considered a reasonable opportunity for a consumer or customer to opt out of the sharing of his or her information. The Commission refrained from adopting a prescriptive rule in this regard, however, instead adopting the flexible rule as proposed.
The Commission also adopted as proposed the rule requiring financial institutions to honor an opt-out request as soon as reasonably practicable. The Commission had sought comment on whether the rule should specify a time within which an institution must stop sharing information.
Householding of Privacy Notices. The Commission agreed with commenters that householding is appropriate in certain circumstances, and added an example that allows a broker-dealer or fund to include an annual privacy notice with or in a prospectus or shareholder report delivered in accordance with the Commission’s householding rules for prospectuses and shareholder reports.
Joint Notices. The Commission clarified that a financial institution is not obligated to provide more than one notice to joint accountholders. A broker-dealer, fund or adviser may, in its discretion, provide notices to each party to the account. However, under the final rule, each of the accountholders must have the right to opt out.
Transfer Agents. The Commission clarified that an individual does not have either a consumer or a customer relationship with an entity acting as an agent for a financial institution. The Commission specifically noted that mutual fund consumers would not become consumers of the transfer agent that services the fund’s accounts.
Investment Advisers. The Commission clarified that although registered investment advisers are covered by Regulation S-P, an investment company’s adviser does not have customer relationships with the fund’s shareholders in the absence of individual advisory contracts with those shareholders.
Retirement Plans. The Commission clarified that Regulation S-P does not apply to employee benefit plans. However, the final rules add an example that an individual will be deemed to establish a customer relationship when a broker-dealer, fund, or registered adviser acts as a custodian for securities or assets in an IRA.
Publicly Available Information. In its proposing release, the Commission sought comment on whether the definition of "publicly available information" should include information that could be obtained from a public source or only information that actually was obtained from a public source. The Commission did not adopt either standard in the final rules. Instead, the definition of "publicly available information" turns on whether the financial institution reasonably believes that the information is lawfully made available to the general public from one of three categories of information listed in the rule.
Limits on Reuse of Information. The Commission revised the limits on redisclosure and reuse of information to clarify their scope. Under the final rule, these limits will depend on whether the information was provided pursuant to one of the exceptions enumerated in section 502(e) of the GLB Act. If a broker-dealer, fund, or registered adviser receives nonpublic personal information provided under section 502(e), it may disclose the information to its affiliates or to the affiliates of the financial institution from which it received the information. If a broker-dealer, fund, or registered adviser receives nonpublic personal information outside one of the section 502(e) exceptions, it may disclose the information to (i) its affiliates, (ii) the affiliates of the financial institution that made the initial disclosure, or (iii) any other person if the disclosure would be lawful if made directly by the financial institution from which the information was received. As the Institute recommended, the Commission clarified that financial institutions do not have to monitor compliance by nonaffiliated third parties with the redisclosure and reuse provisions of the rule.
Policies and Procedures to Protect Information. The Commission adopted as proposed the rule requiring financial institutions to adopt policies and procedures to safeguard their customers’ records and information. Also, the Commission clarified that a fund complex could, but is not required to, adopt a single set of policies and procedures for the entire fund complex. The Commission noted that the policies and procedures would have to be determined to be appropriate for each institution to which they apply.