Final Privacy Rules are Adopted for Investment Advisers

August 23, 2000

The Gramm-Leach-Bliley Act (the "GLB Act"), enacted November 12, 1999, provides that institutions engaged in certain financial-related activities must (a) establish privacy policies with regard to information they accumulate regarding consumers, (b) notify consumer-customers of those privacy policies, and (c) give consumers the right to "opt-out" of any disclosures of their "nonpublic personal information" to certain third parties (i.e., instruct the financial institution that information about the consumer may not be disclosed to unaffiliated third parties). The GLB Act also restricts such institutions' right to share nonpublic customer information with third parties. The Securities and Exchange Commission (SEC), along with banking regulators and the Federal Trade Commission, recently adopted rules to implement the new privacy requirements. The new rules adopted by the SEC (Regulation S-P) include requirements for investment advisers registered with the SEC as well as for broker-dealers, mutual funds and other registered investment companies (collectively, "Institutions"). The effective date for compliance with Regulation S-P is July 1, 2001.

Protecting Account and Other Customer Information

The new rules require Institutions to adopt policies and procedures designed to:

The SEC did not mandate any specific procedures that an Institution must adopt. Institutions will have to tailor their own policies and procedures to the needs of their respective customers.[1]

Nonpublic Personal Information

Key to an understanding of the new rules is the definition of "nonpublic personal information," which includes both "personally identifiable financial information" (i.e., information that:

and any list, description, or other grouping of consumers and publicly available information about them that is derived using any nonpublic personal information such as an account number or other access code.

In essence, Regulation S-P treats any personally identifiable information as "financial" if an Institution obtains the information in connection with the provision of a financial product or service to a consumer. Thus, the definition includes information that may not commonly be considered intrinsically financial, such as health status, the fact that someone is or has been a consumer or a customer of an Institution or information collected through an automated device incorporated in a web server (commonly known as a "cookie").

Publicly available information (unless provided as part of the list, description, or other grouping described above), as well as any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is obtained without reliance upon nonpublic personal information is outside the scope of the GLB Act. Regulation S-P deems information to be "publicly available" and, therefore, excluded from the definition of "nonpublic personal information" if an Institution reasonably believes that the information is lawfully made available to the general public from:

The standard for determining that a reasonable belief exists is quite high. In fact, the standard approaches actual knowledge for, according to examples provided by the SEC, a reasonable belief that information is lawfully made available to the general public requires a determination that:

An Institution may not assume information about a particular consumer is publicly available simply because that type of information is normally provided to a government record keeper and made available to the public by the record keeper, because the consumer may have the ability to keep that information nonpublic or to screen his or her identity.[2]

Consumers and Customers

Although most individuals with whom an Institution does any business at all will constitute its consumers, Regulation S-P only requires a firm to provide clear and conspicuous initial and annual notices of its privacy policies and practices to its customers (a sub-group of its consumers). Whether a consumer is a customer will, in some instances, require making a judgment about whether a customer relationship is established. Certain types of isolated transactions may not establish such a relationship if the consumer is not likely to expect further communication from the Institution. In most investment advisory situations, in which a consumer typically would receive some measure of continued service, a customer (i.e., client) relationship will be established.

"Clear and Conspicuous" Notice to Customers

Initial and annual notices to customers must be clear and conspicuous. A notice is "clear and conspicuous" if it is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. It should be noted that while Regulation S-P does not require any specific methods of compliance, the accompanying guidance does offer suggestions for how Institutions may conform to the rules. The following methods of meeting the clear and conspicuous standard are suggested:

When the notice is part of a larger document, the suggestions include the use of larger and distinctive fonts and graphic devices such as shading or sidebars to highlight the notice. The initial and annual notices that an Institution provides must include a description of:

The SEC anticipates that in most instances, the necessary disclosures will not be lengthier than a tri-fold brochure.

Notices to Other Consumers

Although Regulation S-P does not apply at all to individuals who are neither customers nor consumers of an Institution's products or services, Institutions need to be cognizant of the application of the new rules to individuals who are their consumers even though they are not (and may never become) their customers. If an Institution does not intend to disclose nonpublic personal information about a consumer who is not a customer to unaffiliated third parties, it is not required to provide any notice at all to the consumer. If, however, an Institution intends to disclose any of a consumer's nonpublic personal information to unaffiliated third parties, the Institution is free to do so, provided it notifies the consumer about the information sharing and affords the consumer a reasonable opportunity to opt-out.

For this purpose:

An Institution may provide a "short-form" initial privacy policy notice along with the opt-out notice to a consumer with whom the Institution does not have a customer relationship. The short-form notice must clearly and conspicuously state that a complete statement of the Institution's privacy policies and practices is available on request, and must provide reasonable means by which the consumer may obtain a copy. Such a short-form notice must, however, inform the consumer about the categories of information the Institution may share and the categories of unaffiliated third parties that may receive the information.

Notice Delivery Requirements

The new rules require that notices be provided in such a manner that each recipient can reasonably be expected to receive actual notice. Under the proposal, acceptable ways of delivering notice include:

For customers, the notice must be provided not later than the time when the relationship is established. For investment advisers this is when an advisory contract (whether oral or written) is entered into (i.e., the time when the adviser's brochure must be delivered).[4] For consumers who do not (or have not yet) become customers, the notice must be provided before disclosing nonpublic personal information about the consumer to unaffiliated third parties. One notice may be sent in connection with a joint account but (except in limited instances) not to consumers who merely share the same address.

If an Institution provides a new product or service to an existing customer, an additional initial notice must be provided unless the notice most recently provided to the customer was accurate with respect to the new product or service.

A clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect must also be provided at least once annually to every customer with whom an Institution has a continuing relationship. An investment adviser may select a calendar year as the 12-month period within which notices will be provided, and deliver the first annual notice at any point in the calendar year following the year in which the customer relationship was established. The rules also require that the 12-consecutive-month period be applied consistently. Many investment advisers will, no doubt, choose to provide annual privacy notices at the same time that they inform their clients that a copy of the adviser's current brochure is available upon request.

Electronic delivery generally should be in the form of e-mail to ensure that the customer actually receives notice. Notice will not be considered effective if a firm posts a sign in its office or sends the notice by e-mail to a consumer who has dealt with the firm in person or through the mail without having expressly agreed to receive the notice electronically.

Regulation S-P clarifies that a customer's request not to receive information about his or her relationship with the Institution may be honored to the extent that annual privacy notices need not be sent to a customer who affirmatively requests no communication (provided the privacy notice is available upon request).

Use of an Internet Web Site

Posting a notice on an Internet web site and requiring a consumer to acknowledge receipt of the privacy notice as part of the process of obtaining a financial product or service is an acceptable way to comply with the rules with respect to initial notices, although merely posting the notice on a web site alone is not sufficient. To satisfy the "clear and conspicuous" requirement, Institutions posting notices on web sites are required to use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hypertext links, or sound) do not distract attention from the notice. The Institution should place a privacy notice or a conspicuous link to the notice on a screen that consumers frequently access, such as a page on which consumers conduct transactions. Any current technology may be used, such as a dialog box that pops up to provide the disclosure before a consumer provides information or a clearly labeled graphic located near the top of the page or in close proximity to the Institution's logo, directing the customer, through a hypertext link or hotlink, to the privacy disclosures on a separate web page.

Posting an annual notice on an Internet web site will only satisfy the rules with respect to those customers who (i) use the Institution's Internet web site to obtain financial products or services and (ii) have agreed to accept notices in that manner, and the Institution continuously posts a current notice of its privacy policies and practices in a clear and conspicuous manner on the web site. Other customers will have to receive paper notices.

Consumer Opt-Out Provision

An Institution cannot share personal information about its consumers (including its customers) with an unaffiliated third party unless it provides clear and conspicuous notice disclosing:

As with initial and annual notices for joint accounts, only one opt-out notification per joint account is required. Such notification (which may be provided in the same document as the initial notice) must state whether an opt-out by one holder will be deemed to be an opt-out by all account holders.

The SEC offers the following ways in which an Institution may provide reasonable means for a consumer to opt-out:

An Institution may specify that it will recognize only one (or more) of these means to opt-out, but it does not provide reasonable means to opt-out if the only way in which the consumer can opt-out is by sending his or her own letter.

An opt-out instruction must be honored as soon as reasonably practicable and will be effective until the consumer revokes it in writing (or, if the consumer agrees, electronically).

Exceptions to Opt-Out Notice Requirements

The GLB Act provides that an opt-out notice is not required when disclosure is made with the consent of or direction by the consumer, provided that the consumer has not revoked the consent or direction. Examples include instances in which the consumer consents to disclosure in order to effect a transaction or to process a financial service requested by the consumer. A consumer may, however, revoke consent and exercise the right to opt-out of future disclosures at any time.

A significant exception to the opt-out requirement permits firms to disclose nonpublic personal consumer information to an unaffiliated third party or joint marketer that provides marketing for an Institution's services or products (the "general marketing exception"). The new rules obligate the Institution to fully disclose to the consumer that it will provide this information to the third party before disclosing any information and to enter into a contract with the third party in which the third party agrees to maintain the confidentiality of the information. Although compliance with Regulation S-P will generally be required by July 1, 2001, contracts entered into on or before July 1, 2000 need not be brought into compliance until July 1, 2002.

Exceptions to Both Privacy Notice and Opt-Out Requirements

Regulation S-P includes several exceptions from the provisions requiring Institutions to provide privacy and opt-out notices to consumers. These exceptions pertain to disclosures to unaffiliated third parties in circumstances such as maintaining or servicing a customer's account, or complying with federal, state, or local laws. One exception applies to disclosures to an unaffiliated third party who is to provide financial products or services requested or authorized by a consumer or who will service the consumer's account on behalf of the Institution.

Among the other exceptions to the privacy and opt-out notice requirements provided for in Regulation S-P are those that cover disclosures made (i) to effect, administer or enforce a transaction, such as disclosures necessary to arbitrate a dispute or to attorneys engaged in collection activities, and (ii) when a consumer consents to the disclosure of nonpublic personal information to unaffiliated third parties, such as when a consumer consents to having an investment adviser confirm the amount of assets in the customer's account to an unaffiliated mortgage lender so that the lender can evaluate the customer's loan application. The SEC declined to elaborate on the requirements for obtaining consent or the safeguards that should be in place when a consumer consents. A consumer may always revoke his or her consent.

Effective Date and Initial Notice Requirements

While Regulation S-P will be effective November 13, 2000, the effective date for compliance with Regulation S-P is July 1, 2001. Institutions should use the time available to implement and test systems because by that date:

Earlier compliance is, of course, permitted and many Institutions will want to combine their privacy and opt-out notices with annual tax information or quarterly statement mailings.

In addition, after July 1, 2001, all broker-dealers, investment companies, and registered investment advisers will have to:

Also, all contracts with third parties for the marketing of an Institution's services or products that were in existence on July 1, 2000 will have to require the third party to maintain the confidentiality of the information by July 1, 2002.

Finally, Institutions will be expected to revise their policies and procedures on safeguarding customer information from time to time as may be appropriate to ensure the protection of nonpublic consumer information and to revise privacy notices to reflect changes in privacy policies.

For those investment advisers who have always kept client information confidential, the GLB Act and Regulation S-P will have little substantive impact. Nevertheless, to some extent compliance will involve operational, programming and other costs for investment advisers and compliance with the new rules will, no doubt, be included in future regulatory field examinations.

The investment advisers who will feel the least impact are those who:

The only responsibilities these advisers will have under Regulation S-P will be to provide initial and annual privacy notices to each of their clients and, if they disclose nonpublic personal information to service providers and joint marketers, to include a description of that information in those notices. In either case, they will not need to provide any opt-out notices or opt-out rights.


[1] Although the GLB Act flatly prohibits a financial institution from disclosing (other than to a consumer reporting agency) account numbers or similar access numbers or access codes for a credit card, deposit, or transaction account of a consumer to any unaffiliated third party for use in telemarketing, direct mail marketing, or marketing through electronic mail to the consumer, the House-Senate conference report encouraged the SEC to allow disclosures of account numbers or access codes in an encrypted, scrambled or similarly coded form. Based upon a belief that encrypted numbers operate as identifiers attached to accounts for internal tracking purposes only (primarily by broker-dealers) and that an encrypted account number without the key is not the same as the number itself (and thus falls outside the prohibition in the GLB Act, which focuses on numbers that provide access to an account), the final rules permit an account number or similar form of access code to be transmitted in an encrypted form so long as the Institution does not provide the recipient with the means to decrypt the number.

[2] By contrast, while the record owner of mutual fund shares has a customer relationship with both the fund and the principal underwriter (which is a broker-dealer) that sells the shares, an investment adviser to a fund does not generally have any ongoing account relationship with each fund shareholder. Instead, it serves the fund shareholders indirectly through the portfolio management services it provides to the mutual fund, and only the mutual fund is its customer.

[3] An individual who is a beneficiary of a trust or an employee benefit plan participant is neither a "consumer" nor a "customer." However, the individual who selects the custodian of an individual retirement account is a "consumer" of that custodian.

[4] Delayed delivery is permitted in only three instances when immediate delivery either would pose a significant impediment to the conduct of a routine business practice or the consumer agrees to receive the notice later in order to obtain a financial product or service immediately: (a) if the customer has not made the election to establish the customer relationship (e.g., when a brokerage account is transferred by a trustee selected by the Securities Investor Protection Corporation); (b) when to do otherwise would substantially delay the consumer's transaction and the consumer agrees to receive the notice at a later time (e.g., when an investor requests over the telephone that a broker-dealer execute a securities trade); or (c) when an unaffiliated broker-dealer or registered adviser purchases mutual fund shares or establishes a brokerage account on behalf of a customer. Even in such circumstances, notice must be delivered as promptly as possible thereafter.

If you would like further information about privacy issues or to discuss other issues relating to hedge funds and their investment managers, contact Howard A. Neuman at (212) 818-9200.

To take action on any of the information contained in this report, you should seek professional advice.
