Skip to Content

Notice

Public Comment for Study on Information Sharing Practices Among Financial Institutions and Their Affiliates

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Department of the Treasury, Departmental Offices.

ACTION:

Notice and request for comments.

SUMMARY:

The Secretary of the Treasury (Secretary), in conjunction with the federal functional regulatory agencies and the Federal Trade Commission, is conducting a study of information sharing practices among financial institutions and their affiliates, as required by the Gramm-Leach-Bliley Act of 1999. The Secretary is requesting public comment on a number of issues to assist in preparation of the Study.

DATES:

Please submit comments and responses to the questions in this notice on or before April 1, 2002.

ADDRESSES:

All submissions must be in writing or in electronic form. Please send e-mail comments to study.comments@ots.treas.gov, or facsimile transmissions to FAX Number (202) 906-6518 re: GLBA Information Sharing Study. Comments sent by mail should be sent to: Regulations and Legislation Division, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, ATTN: Study on GLBA Information Sharing. (Senders should be aware that there have been some unpredictable and lengthy delays in postal deliveries to the Washington, DC area in recent weeks and may prefer to make electronic submissions.) Anyone submitting comments is asked to include his or her name, address, telephone number, and if available, FAX number and e-mail address. Please do not submit confidential commercial or financial information. All submissions should be captioned “Comments on the GLBA Information Sharing Study.” Comments will be available to the public in their entirety via the Treasury Department website, www.USTreas.gov, where a link will be established. The link will be clearly identified on the Treasury homepage as relating to the GLBA Study on Information Sharing Practices Among Financial Institutions and Their Affiliates. Copies of comments also may be inspected at the Treasury Department Library, Room 1428, Main Treasury Building, 1500 Pennsylvania Avenue, NW., Washington, DC 20220. Before visiting the library, visitors must call (202) 622-0990 to arrange an appointment.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Susan Hart, Financial Economist, Office of Consumer Affairs and Community Policy, Department of the Treasury, (202) 622-0129; or Brian Tishuk, Director, Office of Consumer Affairs and Community Policy, Department of the Treasury, (202) 622-1964.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Statutory Background

On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (GLBA).[1] The GLBA made several fundamental changes to the laws governing the financial system, including easing the limits on the types of financial institutions that may be affiliated with one another. A Company is an affiliate of a financial institution if it controls, is controlled by, or is under Start Printed Page 7214common control with the financial institution.

The GLBA also established limits on the extent to which financial institutions[2] may disclose personal information about consumers[3] with whom they do business. The GLBA generally requires that a financial institution provide a clear and conspicuous notice of its privacy policies and practices and allow consumers to prevent (i.e., to opt out of) the disclosure of their nonpublic personal information[4] to a nonaffiliated company, unless certain prescribed exceptions apply. The financial institution also must explain how consumers can exercise their opt out rights. These limitations on disclosing nonpublic personal information do not apply when a financial institution discloses a consumer's information to its affiliates.[5]

Section 508 of the GLBA [6] requires the Secretary, in conjunction with the federal functional regulators [7] and the Federal Trade Commission, to conduct a study of information sharing practices among financial institutions and their affiliates. The Study must address: (1) The purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties; (2) the extent and adequacy of security protections for such information; (3) the potential risks for customer privacy of such sharing of information; (4) the potential benefits for financial institutions and affiliates of such sharing of information; (5) the potential benefits for customers of such sharing of information; (6) the adequacy of existing laws to protect customer privacy; (7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law; (8) the feasibility of different approaches, including opt out and opt in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and (9) the feasibility of restricting the sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.

In formulating and conducting the Study, the Secretary is required to consult with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, and also with the financial services industry, consumer organizations and privacy groups, and other representatives of the general public. The Secretary also will incorporate the views of the federal functional regulators, including their examiners, and the Federal Trade Commission in completing this Study. Upon completion of the Study, the Secretary will submit a report to the Congress of the Study's findings and conclusions, as well as any recommendations for legislative or administrative actions as may be appropriate.

II. Request for Comments

Please comment on the specific questions set forth below and on any other issues relevant to this Study. Please label comments with the number and letter corresponding to the question to which the comment relates. For purposes of the questions below, the terms “information” and “confidential customer information” mean “nonpublic personal information,” as defined in the regulations implementing the financial privacy provisions of Title V of the GLBA.[8] In addition, for the purposes of this request, the term “customer” means any individual and includes any individual who applies for or obtains a financial service or product.[9]

1. Purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties:

a. What types of information do financial institutions share with affiliates?

b. What types of information do financial institutions share with nonaffiliated third parties?

c. Do financial institutions share different types of information with affiliates than with nonaffiliated third parties? If so, please explain the differences in the types of information shared with affiliates and with nonaffiliated third parties.

d. For what purposes do financial institutions share information with affiliates?

e. For what purposes do financial institutions share information with nonaffiliated third parties?

f. What, if any, limits do financial institutions voluntarily place on the sharing of information with their affiliates and nonaffiliated third parties? Please explain.

g. What, if any, operational limitations prevent or inhibit financial institutions from sharing information with affiliates and nonaffiliated third parties? Please explain.

h. For what other purposes would financial institutions like to share information but currently do not? What benefits would financial institutions derive from sharing information for those purposes? What currently prevents or inhibits such sharing of information?

2. The extent and adequacy of security protections for such information:

a. Describe the kinds of safeguards that financial institutions have in place to protect the security of information. Please consider administrative, technical, and physical protections, as well as the protections that financial institutions impose on their third-party service providers. Start Printed Page 7215

b. To what extent are the safeguards described above required under existing law, such as the GLBA (see, e.g., 12 CFR 30, Appendix B)?

c. Do existing statutory and regulatory requirements protect information adequately? Please explain why or why not.

d. What, if any, new or revised statutory or regulatory protections would be useful? Please explain.

3. The potential risks for customer privacy of such sharing of information:

a. What, if any, potential privacy risks does a customer face when a financial institution shares the customer's information with an affiliate?

b. What, if any, potential privacy risks does a customer face when a financial institution shares the customer's information with a nonaffiliated third party?

c. What, if any, potential risk to privacy does a customer face when an affiliate shares information obtained from another affiliate with a nonaffiliated third party?

4. The potential benefits for financial institutions and affiliates of such sharing of information (specific examples, means of assessment, or evidence of benefits would be useful):

a. In what ways do financial institutions benefit from sharing information with affiliates?

b. In what ways do financial institutions benefit from sharing information with nonaffiliated third parties?

c. In what ways do affiliates benefit when financial institutions share information with them?

d. In what ways do affiliates benefit from sharing information that they obtain from other affiliates with nonaffiliated third parties?

e. What effects would further limitations on such sharing of information have on financial institutions and affiliates?

5. The potential benefits for customers of such sharing of information (specific examples, means of assessment, or evidence of benefits would be useful):

a. In what ways does a customer benefit from the sharing of such information by a financial institution with its affiliates?

b. In what ways does a customer benefit from the sharing of such information by a financial institution with nonaffiliated third parties?

c. In what ways does a customer benefit when affiliates share information they obtained from other affiliates with nonaffiliated third parties?

d. What, if any, alternatives are there to achieve the same or similar benefits for customers without such sharing of such information?

e. What effects, positive or negative, would further limitations on the sharing of such information have on customers?

6. The adequacy of existing laws to protect customer privacy:

a. Do existing privacy laws, such as GLBA privacy regulations and the Fair Credit Reporting Act (FCRA), adequately protect the privacy of a customer's information? Please explain why or why not.

b. What, if any, new or revised statutory or regulatory protections would be useful to protect customer privacy? Please explain.

7. The adequacy of financial institution privacy policy and privacy rights disclosure under existing law:

a. Have financial institution privacy notices been adequate in light of existing requirements? Please explain why or why not.

b. What, if any, new or revised requirements would improve how financial institutions describe their privacy policies and practices and inform customers about their privacy rights? Please explain how any of these new or revised requirements would improve financial institutions' notices.

8. The feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that such information not be shared with affiliates and nonaffiliated third parties:

a. Is it feasible to require financial institutions to obtain customers' consent (opt in) before sharing information with affiliates in some or all circumstances? With nonaffiliated third parties? Please explain what effects, both positive and negative, such a requirement would have on financial institutions and on consumers.

b. Under what circumstances would it be appropriate to permit, but not require, financial institutions to obtain customers' consent (opt in) before sharing information with affiliates as an alternative to a required opt out in some or all circumstances? With nonaffiliated third parties? What effects, both positive and negative, would such a voluntary opt in have on customers and on financial institutions? (Please describe any experience of this approach that you may have had, including consumer acceptance.)

c. Is it feasible to require financial institutions to permit customers to opt out generally of having their information shared with affiliates? [10] Please explain what effects, both positive and negative, such a requirement would have on consumers and on financial institutions.

d. What, if any, other methods would permit customers to direct that information not be shared with affiliates or nonaffiliated third parties? Please explain their benefits and drawbacks for customers and for financial institutions of each method identified.

9. The feasibility of restricting sharing of such information for specific uses or of permitting customers to direct the uses for which such information may be shared:

a. Describe the circumstances under which or the extent to which customers may be able to restrict the sharing of information by financial institutions for specific uses or to direct the uses for which such information may be shared?

b. What effects, both positive and negative, would such a policy have on financial institutions and on consumers?

c. Please describe any experience you may have had of this approach.

Start Signature

Dated: February 4, 2002.

Sheila C. Bair,

Assistant Secretary of the Treasury.

End Signature End Supplemental Information

Footnotes

2.  Under subtitle A of title V of the GLBA, a financial institution generally is any banking institution, credit union, securities entity (such as a broker-dealer, mutual fund, or investment adviser), or insurance company, as well as any other business that engages in activities that are financial in nature under section 4(k) of the Bank Holding Company Act of 1956. See 15 U.S.C. 6809(3); 12 U.S.C. 1843(k). Futures entities (futures commission merchants, commodity trading advisors, commodity pool operators, and introducing brokers) are also financial institutions for purposes of subtitle A of title V of the GLBA, 7 U.S.C. 7b-2(a).

Back to Citation

3.  Under the GLBA, a consumer in an individual who obtains from a financial institution financial product or services to be used primarily for personal, family, or household purposes, or that person's legal representative. See, e.g., 12 CFR 40.3(e)(1).

Back to Citation

4.  As further discussed below, nonpublic personal information generally is any personally identifiable financial information about the consumer, other than publicly available information. See, e.g., 12 CFR. 40.3(n).

Back to Citation

5.  Under the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681 et seq.), financial institutions generally must give consumers clear and conspicuous notice and the opportunity to opt out of transfers of certain types of information to affiliates to avoid becoming consumer reporting agencies, subject to certain exceptions. Consequently, some disclosures of information to affiliates whether or not limited by the GLBA, may be subject to the notice and opt-out provisions of the FCRA.

Back to Citation

7.  The federal functional regulators are: the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Securities and Exchange Commission, and the Commodity Futures Trading Commission.

Back to Citation

8.  See, e.g., 12 CFR 40.3(n), “Nonpublic personal information” means: (i) “Personally identifiable financial information”; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. “Personally identifiable financial information” means any information: (i) A consumer provides to a financial institution to obtain a financial product or service from the institution; (ii) about a consumer resulting from any transaction involving a financial product or service between a financial institution and a consumer; or (iii) the financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer. See, e.g., 12 CFR 40.3(o).

Back to Citation

9.  See, e.g., 12 CFR 40.3(e)(1) and 40.3(h). Under GLBA regulations, a “customer” has an established, on-going relationship with a financial institution, whereas a “consumer” need not. No distinction is made for the purposes of questions raised in this notice: The terms are interpreted as equivalents, and thus a customer need not have a continuing or on-going relationship with a financial institution.

Back to Citation

10.  This question seeks views on a general opt out for sharing of information with affiliates and represents a broadening of opt-out provisions for affiliate sharing under the FCRA.

Back to Citation

[FR Doc. 02-3781 Filed 2-14-02; 8:45 am]

BILLING CODE 4810-25-P