[Federal Register Volume 67, Number 32 (Friday, February 15, 2002)]
[Notices]
[Pages 7213-7215]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-3781]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Public Comment for Study on Information Sharing Practices Among
Financial Institutions and Their Affiliates
AGENCY: Department of the Treasury, Departmental Offices.
ACTION: Notice and request for comments.
-----------------------------------------------------------------------
SUMMARY: The Secretary of the Treasury (Secretary), in conjunction with
the federal functional regulatory agencies and the Federal Trade
Commission, is conducting a study of information sharing practices
among financial institutions and their affiliates, as required by the
Gramm-Leach-Bliley Act of 1999. The Secretary is requesting public
comment on a number of issues to assist in preparation of the Study.
DATES: Please submit comments and responses to the questions in this
notice on or before April 1, 2002.
ADDRESSES: All submissions must be in writing or in electronic form.
Please send e-mail comments to [email protected], or
facsimile transmissions to FAX Number (202) 906-6518 re: GLBA
Information Sharing Study. Comments sent by mail should be sent to:
Regulations and Legislation Division, Chief Counsel's Office, Office of
Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, ATTN:
Study on GLBA Information Sharing. (Senders should be aware that there
have been some unpredictable and lengthy delays in postal deliveries to
the Washington, DC area in recent weeks and may prefer to make
electronic submissions.) Anyone submitting comments is asked to include
his or her name, address, telephone number, and if available, FAX
number and e-mail address. Please do not submit confidential commercial
or financial information. All submissions should be captioned
``Comments on the GLBA Information Sharing Study.'' Comments will be
available to the public in their entirety via the Treasury Department
website, www.USTreas.gov, where a link will be established. The link
will be clearly identified on the Treasury homepage as relating to the
GLBA Study on Information Sharing Practices Among Financial
Institutions and Their Affiliates. Copies of comments also may be
inspected at the Treasury Department Library, Room 1428, Main Treasury
Building, 1500 Pennsylvania Avenue, NW., Washington, DC 20220. Before
visiting the library, visitors must call (202) 622-0990 to arrange an
appointment.
FOR FURTHER INFORMATION CONTACT: Susan Hart, Financial Economist,
Office of Consumer Affairs and Community Policy, Department of the
Treasury, (202) 622-0129; or Brian Tishuk, Director, Office of Consumer
Affairs and Community Policy, Department of the Treasury, (202) 622-1964.
SUPPLEMENTARY INFORMATION:
I. Statutory Background
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (GLBA).\1\ The GLBA made several fundamental changes
to the laws governing the financial system, including easing the limits
on the types of financial institutions that may be affiliated with one
another. A company is an affiliate of a financial institution if it
controls, is controlled by, or is under common control with the
financial institution.
---------------------------------------------------------------------------
\1\ Pub. L. 106-102.
---------------------------------------------------------------------------
The GLBA also established limits on the extent to which financial
institutions\2\ may disclose personal information about consumers\3\
with whom they do business. The GLBA generally requires that a
financial institution provide a clear and conspicuous notice of its
privacy policies and practices and allow consumers to prevent (i.e., to
opt out of) the disclosure of their nonpublic personal information\4\
to a nonaffiliated company, unless certain prescribed exceptions apply.
The financial institution also must explain how consumers can exercise
their opt out rights. These limitations on disclosing nonpublic
personal information do not apply when a financial institution
discloses a consumer's information to its affiliates.\5\
---------------------------------------------------------------------------
\2\ Under subtitle A of title V of the GLBA, a financial
institution generally is any banking institution, credit union,
securities entity (such as a broker-dealer, mutual fund, or
investment adviser), or insurance company, as well as any other
business that engages in activities that are financial in nature
under section 4(k) of the Bank Holding Company Act of 1956. See 15
U.S.C. 6809(3); 12 U.S.C. 1843(k). Futures entities (futures
commission merchants, commodity trading advisors, commodity pool
operators, and introducing brokers) are also financial institutions
for purposes of subtitle A of title V of the GLBA, 7 U.S.C. 7b-2(a).
\3\ Under the GLBA, a consumer is an individual who obtains from
a financial institution financial products or services to be used
primarily for personal, family, or household purposes, or that
person's legal representative. See, e.g., 12 CFR 40.3(e)(1).
\4\ As further discussed below, nonpublic personal information
generally is any personally identifiable financial information about
the consumer, other than publicly available information. See, e.g.,
12 CFR 40.3(n).
\5\ Under the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681
et seq.), financial institutions generally must give consumers clear
and conspicuous notice and the opportunity to opt out of transfers
of certain types of information to affiliates to avoid becoming
consumer reporting agencies, subject to certain exceptions.
Consequently, some disclosures of information to affiliates, whether
or not limited by the GLBA, may be subject to the notice and opt-out
provisions of the FCRA.
---------------------------------------------------------------------------
Section 508 of the GLBA \6\ requires the Secretary, in conjunction
with the federal functional regulators \7\ and the Federal Trade
Commission, to conduct a study of information sharing practices among
financial institutions and their affiliates. The Study must address:
(1) The purposes for the sharing of confidential customer information
with affiliates or with nonaffiliated third parties; (2) the extent and
adequacy of security protections for such information; (3) the
potential risks for customer privacy of such sharing of information;
(4) the potential benefits for financial institutions and affiliates of
such sharing of information; (5) the potential benefits for customers
of such sharing of information; (6) the adequacy of existing laws to
protect customer privacy; (7) the adequacy of financial institution
privacy policy and privacy rights disclosure under existing law; (8)
the feasibility of different approaches, including opt out and opt in,
to permit customers to direct that confidential information not be
shared with affiliates and nonaffiliated third parties; and (9) the
feasibility of restricting the sharing of information for specific uses
or of permitting customers to direct the uses for which information may
be shared.
---------------------------------------------------------------------------
\6\ 15 U.S.C. 6808.
\7\ The federal functional regulators are: the Office of the
Comptroller of the Currency, the Office of Thrift Supervision, the
Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the National Credit Union
Administration, the Securities and Exchange Commission, and the
Commodity Futures Trading Commission.
---------------------------------------------------------------------------
In formulating and conducting the Study, the Secretary is required
to consult with representatives of State insurance authorities
designated by the National Association of Insurance Commissioners, and
also with the financial services industry, consumer organizations and
privacy groups, and other representatives of the general public. The
Secretary also will incorporate the views of the federal functional
regulators, including their examiners, and the Federal Trade Commission
in completing this Study. Upon completion of the Study, the Secretary
will submit a report to the Congress of the Study's findings and
conclusions, as well as any recommendations for legislative or
administrative actions as may be appropriate.
II. Request for Comments
Please comment on the specific questions set forth below and on any
other issues relevant to this Study. Please label comments with the
number and letter corresponding to the question to which the comment
relates. For purposes of the questions below, the terms ``information''
and ``confidential customer information'' mean ``nonpublic personal
information,'' as defined in the regulations implementing the financial
privacy provisions of Title V of the GLBA.\8\ In addition, for the
purposes of this request, the term ``customer'' means any individual
and includes any individual who applies for or obtains a financial
service or product.\9\
---------------------------------------------------------------------------
\8\ See, e.g., 12 CFR 40.3(n), ``Nonpublic personal
information'' means: (i) ``Personally identifiable financial
information''; and (ii) any list, description, or other grouping of
consumers (and publicly available information pertaining to them)
that is derived using any personally identifiable financial
information that is not publicly available. ``Personally
identifiable financial information'' means any information: (i) A
consumer provides to a financial institution to obtain a financial
product or service from the institution; (ii) about a consumer
resulting from any transaction involving a financial product or
service between a financial institution and a consumer; or (iii) the
financial institution otherwise obtains about a consumer in
connection with providing a financial product or service to that
consumer. See, e.g., 12 CFR 40.3(o).
\9\ See, e.g., 12 CFR 40.3(e)(1) and 40.3(h). Under GLBA
regulations, a ``customer'' has an established, on-going
relationship with a financial institution, whereas a ``consumer''
need not. No distinction is made for the purposes of questions
raised in this notice: The terms are interpreted as equivalents, and
thus a customer need not have a continuing or on-going relationship
with a financial institution.
---------------------------------------------------------------------------
1. Purposes for the sharing of confidential customer information
with affiliates or with nonaffiliated third parties:
a. What types of information do financial institutions share with
affiliates?
b. What types of information do financial institutions share with
nonaffiliated third parties?
c. Do financial institutions share different types of information
with affiliates than with nonaffiliated third parties? If so, please
explain the differences in the types of information shared with
affiliates and with nonaffiliated third parties.
d. For what purposes do financial institutions share information
with affiliates?
e. For what purposes do financial institutions share information
with nonaffiliated third parties?
f. What, if any, limits do financial institutions voluntarily place
on the sharing of information with their affiliates and nonaffiliated
third parties? Please explain.
g. What, if any, operational limitations prevent or inhibit
financial institutions from sharing information with affiliates and
nonaffiliated third parties? Please explain.
h. For what other purposes would financial institutions like to
share information but currently do not? What benefits would financial
institutions derive from sharing information for those purposes? What
currently prevents or inhibits such sharing of information?
2. The extent and adequacy of security protections for such
information:
a. Describe the kinds of safeguards that financial institutions
have in place to protect the security of information. Please consider
administrative, technical, and physical protections, as well as the
protections that financial institutions impose on their third-party
service providers.
b. To what extent are the safeguards described above required under
existing law, such as the GLBA (see, e.g., 12 CFR 30, Appendix B)?
c. Do existing statutory and regulatory requirements protect
information adequately? Please explain why or why not.
d. What, if any, new or revised statutory or regulatory protections
would be useful? Please explain.
3. The potential risks for customer privacy of such sharing of
information:
a. What, if any, potential privacy risks does a customer face when
a financial institution shares the customer's information with an
affiliate?
b. What, if any, potential privacy risks does a customer face when
a financial institution shares the customer's information with a
nonaffiliated third party?
c. What, if any, potential risk to privacy does a customer face
when an affiliate shares information obtained from another affiliate
with a nonaffiliated third party?
4. The potential benefits for financial institutions and affiliates
of such sharing of information (specific examples, means of assessment,
or evidence of benefits would be useful):
a. In what ways do financial institutions benefit from sharing
information with affiliates?
b. In what ways do financial institutions benefit from sharing
information with nonaffiliated third parties?
c. In what ways do affiliates benefit when financial institutions
share information with them?
d. In what ways do affiliates benefit from sharing information that
they obtain from other affiliates with nonaffiliated third parties?
e. What effects would further limitations on such sharing of
information have on financial institutions and affiliates?
5. The potential benefits for customers of such sharing of
information (specific examples, means of assessment, or evidence of
benefits would be useful):
a. In what ways does a customer benefit from the sharing of such
information by a financial institution with its affiliates?
b. In what ways does a customer benefit from the sharing of such
information by a financial institution with nonaffiliated third
parties?
c. In what ways does a customer benefit when affiliates share
information they obtained from other affiliates with nonaffiliated
third parties?
d. What, if any, alternatives are there to achieve the same or
similar benefits for customers without such sharing of such
information?
e. What effects, positive or negative, would further limitations on
the sharing of such information have on customers?
6. The adequacy of existing laws to protect customer privacy:
a. Do existing privacy laws, such as GLBA privacy regulations and
the Fair Credit Reporting Act (FCRA), adequately protect the privacy of
a customer's information? Please explain why or why not.
b. What, if any, new or revised statutory or regulatory protections
would be useful to protect customer privacy? Please explain.
7. The adequacy of financial institution privacy policy and privacy
rights disclosure under existing law:
a. Have financial institution privacy notices been adequate in
light of existing requirements? Please explain why or why not.
b. What, if any, new or revised requirements would improve how
financial institutions describe their privacy policies and practices
and inform customers about their privacy rights? Please explain how any
of these new or revised requirements would improve financial
institutions' notices.
8. The feasibility of different approaches, including opt-out and
opt-in, to permit customers to direct that such information not be
shared with affiliates and nonaffiliated third parties:
a. Is it feasible to require financial institutions to obtain
customers' consent (opt in) before sharing information with affiliates
in some or all circumstances? With nonaffiliated third parties? Please
explain what effects, both positive and negative, such a requirement
would have on financial institutions and on consumers.
b. Under what circumstances would it be appropriate to permit, but
not require, financial institutions to obtain customers' consent (opt
in) before sharing information with affiliates as an alternative to a
required opt out in some or all circumstances? With nonaffiliated third
parties? What effects, both positive and negative, would such a
voluntary opt in have on customers and on financial institutions?
(Please describe any experience of this approach that you may have had,
including consumer acceptance.)
c. Is it feasible to require financial institutions to permit
customers to opt out generally of having their information shared with
affiliates? \10\ Please explain what effects, both positive and
negative, such a requirement would have on consumers and on financial
institutions.
---------------------------------------------------------------------------
\10\ This question seeks views on a general opt out for sharing
of information with affiliates and represents a broadening of
opt-out provisions for affiliate sharing under the FCRA.
---------------------------------------------------------------------------
d. What, if any, other methods would permit customers to direct
that information not be shared with affiliates or nonaffiliated third
parties? Please explain the benefits and drawbacks for customers and
for financial institutions of each method identified.
9. The feasibility of restricting sharing of such information for
specific uses or of permitting customers to direct the uses for which
such information may be shared:
a. Describe the circumstances under which or the extent to which
customers may be able to restrict the sharing of information by
financial institutions for specific uses or to direct the uses for
which such information may be shared.
b. What effects, both positive and negative, would such a policy
have on financial institutions and on consumers?
c. Please describe any experience you may have had of this
approach.
Dated: February 4, 2002.
Sheila C. Bair,
Assistant Secretary of the Treasury.
[FR Doc. 02-3781 Filed 2-14-02; 8:45 am]
BILLING CODE 4810-25-P