Letters to Regulators
Privacy Burden: OCC
February 11, 2003
Re: Privacy of Consumer Financial Information
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA)1 appreciates the opportunity to comment on the burdens imposed on banks and thrifts by the Gramm-Leach-Bliley Act (GLBA) privacy rule.
The ICBA believes that the OCC seriously underestimates the amount of time needed to comply with the privacy rule. The annual average amount of time that it takes banks and thrifts to comply with the requirements should be increased by four to five times the 45 hours estimated to more accurately reflect the time banks spend on compliance. Furthermore, the ICBA urges the OCC to work with the other agencies to develop a short-form of privacy notice. A short form notice would be more useful and more effective for the majority of consumers while also reducing burden on the industry.
Community banks have been and will continue to be strong guardians of their customers' privacy and confidentiality. Protecting the security and confidence of customer information is central to maintaining public trust and key to long-term customer retention. Community banks recognize that consumers are concerned about their personal financial privacy, especially as technology revolutionizes financial services operations. Under the GLBA requirements, banks have implemented and upgraded security measures to ensure customer information is properly protected.
The ICBA strongly urges policymakers to maintain an appropriate balance between the critical protection of consumer financial privacy and community banks' legitimate information sharing needs to ensure that community bank customers have access to important financial products and services. The GLBA provisions on consumer financial privacy are the most comprehensive, complex privacy protections enacted into federal law. They require banks and other financial services providers to disclose their privacy policies and practices to customers annually, a process that was a vast and burdensome undertaking, costing the industry billions of dollars. The initial privacy notices followed the mandate of the statute and its implementing regulations, but the ICBA would welcome an abbreviated notice after further discussion between the regulators and the industry.
Estimate of Regulatory Burden
The OCC estimates that it takes a national bank, on average, 45 hours annually to comply with the requirements of the GLBA privacy rules. The ICBA believes that this seriously understates the demands of the rule. While it is true that the major compliance efforts affected national banks during the first year as they implemented policies, practices and procedures to comply with the new requirements, the rule still imposes a significant burden and cost on the industry.
Anecdotal evidence from an informal survey of ICBA leadership bankers demonstrates that small community banks with between 3,000 and 6,000 customers estimate it takes a minimum of 80 hours each year to comply with the demands of the GLBA privacy rules; those estimates are from banks that do not share information in ways that require the bank to provide an opt-out option. For a larger urban bank with just over $1 billion in assets, it can take nearly 2750 hours to comply annually. In addition to preparation and mailing of notices, all banks and thrifts must audit the programs, ensure that employees are properly trained, and monitor compliance on a regular basis.
For banks or thrifts that provide an opt-out option, the time devoted to compliance with the privacy rule dramatically increases. In addition to providing notice and monitoring for compliance with the mandated disclosures, a bank that is required to offer an opt-out option must also ensure that systems and procedures are in place to track the customers that opt out. If the bank or thrift offers levels of opting out (allowing a customer to elect to opt-out from some or all information sharing), the increased layering adds further to the burden.
Because many community-based institutions only share information as permitted under one of the exceptions under the GLBA privacy statute and regulations, they do not experience the added burden of offering an opt-out option. However, even for banks that do not offer an opt-out, to suggest that a bank can comply with the GLBA privacy mandates by spending only 45 hours annually fails to recognize the requirements that the rule imposes. That burden estimate may be accurate for very small banks and thrifts (those with fewer than 2,000 customers), but for the great majority of community banks, it is inadequate. For larger institutions, where an individual may be designated to handle privacy matters full-time, the estimate of 45 hours is woefully inadequate. The ICBA suggests that the hourly burden estimate be increased to more accurately reflect the actual burden placed on banks and thrifts. At a minimum, the estimated average should be four to five times the 45 hours currently estimated.
Short Form Notice
To facilitate compliance with the privacy rules, and to ensure examiners do not question the notice, many banks followed the template and sample language offered in the appendix to the rule. Consumer activists have been highly critical of that language, suggesting that it is overly complex and presented in terms that are beyond the education level of the average member of the public.
As a means to help address these criticisms, the ICBA strongly encourages the regulatory agencies to develop a shorter form of notice. In December 2001, the federal agencies responsible for GLBA privacy compliance convened a workshop to discuss effective privacy notices. At that time, it was suggested that a shorter form of notice would be more effective and useful for customers, and better enable them to compare practices among various institutions. Surveys of consumers suggest, because they have developed a relationship of trust with their bank, many bank customers are not concerned with the detailed information currently mandated for privacy notices. A short form notice would provide useful information for the great majority. For those consumers that want more detailed information about a bank's privacy policies and practices, the short form notice could include a brief explanation about where to find that information, and the financial institution could provide the information on request. Overall, though, a short notice would be less burdensome, less costly and more useful to consumers.
For many banks, the initial privacy notice is the same notice that is sent to customers annually. This is especially so for banks that do not share information except as permitted by the section 14 and 15 exceptions,2 e.g. for processing and servicing a customer's account. If a bank's privacy policies and practices have not changed, and the bank does not share information with affiliates, joint marketers or third parties other than under the Section 14 and 15 exceptions, the ICBA suggests that it is unduly burdensome to require an annual mailing of privacy notice. We recognize that this requirement is mandated by statutory requirements. However, the agencies have some latitude in drafting regulations to carry out the GLBA privacy provisions. Specifically, GLBA section 504(b) allows the agencies to grant exceptions to the provisions specified in sections 502(a) through (d) of the statute where it would be consistent with the purposes of the statute. Section 502(a) requires a notice that substantially complies with the provisions of section 503, which requires the annual notice. The ICBA suggests that an appropriate interpretation of this statutory authority to grant exceptions could include granting an exception from the annual notice in limited instances, i.e., when the bank does not share information except as covered by one of the section 14 or 15 exceptions. If the agencies do not believe that their statutory authority encompasses such an exception, the agencies should recommend to Congress that it consider a less frequent mailing requirement for banks that meet these criteria as a means to reduce regulatory burden.
Providing a customer with the bank's privacy notice at the time an account is opened should be sufficient for most consumers, especially where the bank engages in no information sharing other than as permitted by the section 14 and 15 exceptions. The bank or thrift could then furnish a revised notice furnished if and when their privacy policies or practices change (or on request from a customer). An added benefit to providing notice only when there is a change in practices and procedures would be that it would call attention to the changes. Annual mailing of an unchanged notice is more likely to result in customer indifference, with the result that the notice is unheeded and unread.
Thank you for the opportunity to comment. Should you have any questions or need any additional information, please contact Robert Rowe, ICBA's regulatory counsel, at 202-659-8111 or email@example.com.
A. Pierce Stone
cc: Joseph F. Lackey, Jr.
1ICBA is the nation's leading voice for community banks and the only national trade association dedicated exclusively to protecting the interests of the community banking industry, ICBA has 5,000 members with branches in 17,000 locations nationwide. Our members hold more than $526 billion in insured deposits, $643 billion in assets and more than $405 billion in loans for consumers, small businesses, and farms. They employ more than 231,000 people in the communities they serve.
2 12 CFR 40.14 and 12 CFR 40.15.