
 

PRIVACY RULES ARE PROPOSED BY SEC PURSUANT TO GRAMM-LEACH-BLILEY ACT



 

April 24, 2000

The Gramm-Leach-Bliley Act (the "GLB Act"), enacted November 12, 1999, provides that institutions engaged in certain financial-related activities must (a) establish privacy policies with regard to information they accumulate regarding consumer customers, (b) notify consumer customers of those privacy policies, and (c) give consumers the right to "opt-out" of any disclosures of such consumers' nonpublic information to certain third parties (i.e., instruct the financial institution that information about the consumer may not be disclosed to unaffiliated third parties). The GLB Act also restricts such institutions' right to share nonpublic customer information with third parties. The Securities and Exchange Commission (SEC), along with banking regulators and the Federal Trade Commission, recently proposed rules to implement the new privacy requirements. The proposed rules include requirements for investment advisors registered with the SEC as well as for brokers, dealers, and investment companies.

"Clear and Conspicuous" Notice

The SEC's proposals require a firm to provide clear and conspicuous initial and annual notices of its privacy policies and practices to customers. A notice is "clear and conspicuous" if it is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. It should be noted that while the proposed rules do not require any specific methods of compliance, they do offer suggestions for how financial institutions may conform to the rules. The proposed rules offer the following methods of meeting the clear and conspicuous standard: 
·     use short explanatory sentences and bullet lists,
·     use everyday words whenever possible,
·     avoid multiple negatives,
·     avoid technical legal and business language,
·     use a plain-language heading to call attention to the notice,
·     use a typeface that is easy to read, and
·     use wide margins and ample line spacing.

When the notice is part of a larger document, the proposed rules suggest using larger type sizes, boldface or italics for key words, or shading or sidebars to highlight the notice. 
Under the GLB Act, the initial and annual notices that a financial institution provides must include:
·     a description of the categories of nonpublic personal information about its consumers that the institution collects (e.g., application information, transaction information and consumer report information),
·     the categories of personal information about customers that the institution discloses,
·     the categories of affiliates and unaffiliated third parties to whom current and former customer information is disclosed, and
·     an explanation of the customer's right to opt-out of the disclosure of nonpublic personal information to unaffiliated third parties, including the means by which the customer may exercise such right.

The proposed rules also require a description of the institution's policies and practices with respect to protecting the confidentiality, security and integrity of personal information.

Notice Delivery Requirements

The proposed rules require that the initial notice be provided so that each recipient can reasonably be expected to receive actual notice. Under the proposal, acceptable ways of delivering notice include hand-delivering a copy of the notice, mailing a copy to the consumer's last known address, or sending it by electronic mail to a consumer who obtains a financial product or service from the institution electronically. For clients, the notice must be provided at the time the relationship is established. For consumers who do not (or have not yet) become clients, the notice must be provided before disclosing nonpublic personal information about the consumer to unaffiliated third parties.
Electronic delivery generally should be in the form of e-mail to ensure that the customer actually receives notice. The proposed rules provide that notice is not considered effective if a firm posts a sign in its office or sends the notice by e-mail to a consumer who has dealt with the firm in person or through the mail and has not agreed to receive the notice electronically.

Consumer Opt-Out Provision

A financial institution cannot share a consumer's personal information with an unaffiliated third party unless it gives a consumer clear and conspicuous notice disclosing:
·     that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to unaffiliated third parties, 
·     that the consumer has the right to opt-out of the disclosure, and
·     reasonable means by which the consumer may exercise the opt-out right.

The proposed rules provide the following ways a financial institution may provide reasonable means for a consumer to opt-out:
·     a check-off box in a prominent position,
·     a reply form with the opt-out notice, or
·     a form sent by electronic mail or a process at the institution's web site through which the consumer may opt-out (provided the consumer agrees to the electronic delivery of information).

A firm does not give reasonable means to opt-out if the only way in which the consumer can opt-out is by sending his or her own letter. 

The GLB Act provides that opt-out is not required when disclosure is made with consent or direction by the consumer, provided that the consumer has not revoked the consent or direction. Examples include instances in which the consumer consents to disclosure in order to effect a transaction or process a financial service requested by the consumer. A consumer may, however, revoke consent and exercise the right to opt-out of future disclosures. 
The proposed rules also provide an exception to the opt-out requirement which permits firms to disclose nonpublic personal consumer information to a third party that provides marketing for the firm's services or products. The proposal obligates the firm to fully disclose that it will provide this information to the third party before disclosure and requires the third party to maintain the confidentiality of the information. 

Protecting Customer and Account Information

The proposed rules require financial institutions and advisers to adopt policies and procedures designed to: ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records, and protect against unauthorized access to customer records or information that could result in substantial harm to any customer. The SEC did not propose specific procedures that a financial institution must adopt in this regard since the agency believes that each institution should be able to tailor its policies and procedures to the needs of its own customers.
The GLB Act flatly prohibits a financial institution from disclosing (other than to a consumer reporting agency) account numbers or similar access numbers or access codes for a credit card, deposit, or transaction account of a consumer to any unaffiliated third party for use in telemarketing, direct mail marketing, or marketing through electronic mail to the consumer.

While the GLB Act provides no exception, the conference report for the GLB Act encouraged the SEC to allow disclosures of account numbers or access codes in an encrypted, scrambled or similarly coded form. The Commission declined to propose an exception to the flat prohibition, however, based upon the risks associated with third parties having direct access to a consumer's account.

Effective Date and Initial Notice Requirements 

The proposed effective date of the rules is November 13, 2000. Financial institutions and advisers should plan accordingly since no later than 30 days after the effective date, financial institutions would be required to provide initial notice of the firm's privacy policies and practices with respect to disclosure, opt-out, and confidentiality to consumers who were the institution's customers on the effective date. The SEC intends to provide at least six months after the adoption of the final rule for financial institutions to bring their policies and procedures into compliance.
In the first year after the rules are adopted, broker-dealers, investment companies, and registered investment advisers will have to comply with the following requirements:

·     provide an initial privacy notice and opt-out form to each existing customer,
·     provide an initial privacy notice to each new customer,
·     provide an annual privacy notice to each existing customer, and
·     adopt policies and procedures that address the protection of customer information and records.

Following the first year, institutions would be required to revise notices only to reflect changes in their privacy policies. However, institutions would have to revise their policies and procedures on safeguarding customer information as appropriate to ensure the protection of the information. 
* * * * *

The Investment Counsel Association of America ("ICAA") has asked the SEC to clarify how the rules will impact investment advisers. The ICAA noted that it is unclear to what extent the rules will affect most advisers, since it is common practice for advisers to keep client information confidential. The ICAA has also voiced concerns about the administrative hardships the proposed rules would impose upon investment advisers. We will keep you informed as developments occur.
For those investment advisors who have always kept client information confidential, the GLB Act and the proposed rules will have little substantive impact. Nevertheless, in the absence of clarification from the SEC, compliance may involve significant operational, programming and other costs for investment advisors that have not historically had to consider the need for formal confidentiality policies and disclosure mechanisms. Also, compliance will, no doubt, be included in future regulatory field examinations. It is, therefore, important that all investment advisers begin thinking about privacy issues in order not to be unprepared as the year draws to a close.

If you would like further information about investment adviser registration requirements or to discuss other issues relating to hedge funds and their investment managers, contact Howard A. Neuman at (212) 818-9200 or visit the Satterlee Stephens Burke & Burke LLP Website at:

To take action on any of the information contained in this report, you should seek professional advice.


For more information, please contact Howard Neuman in the firm's New York office at (212)818-9200.

 
