Letters to Regulators
Alternative Forms of Privacy Notices
March 29, 2004
Re: Alternative Forms of Privacy Notices
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA)[1] appreciates the opportunity to comment on possible amendments to the current privacy rules implementing sections 502 and 503 of the Gramm-Leach-Bliley Act. The amendments would be designed to allow or require financial institutions to provide alternative forms of privacy notices, such as a short form privacy notice, that would be easier for consumers to understand and should reduce regulatory burden for financial institutions.
The ICBA supports the development of a short-form privacy notice to facilitate consumer understanding of individual financial institutions' privacy policies and procedures. However, since banks have developed and revised privacy notices over the past three years to meet existing compliance standards, the ICBA strongly urges that the use of any new alternative privacy notice be optional and not mandatory. This is especially critical for smaller institutions that are only likely to share information as permitted by existing exceptions such that they are not required to offer consumers an option to opt out from information sharing and, as a result, are likely to already have shorter notices.
If an optional short form alternative notice is developed, it should be one that can be used in lieu of the existing long form, as it would be burdensome and confusing for financial institutions to be required to have both a short form privacy notice and a long form privacy notice. And it is equally important to develop model language to help consumers understand that not all banks are required to offer the right to opt out since they only share information as permitted by one of the statutory exceptions.
The Gramm-Leach-Bliley Act (GLBA) requires banks and other financial institutions to send customers annual privacy notices that describe the bank's policies and practices for disclosing nonpublic personal information to both affiliated and non-affiliated third parties. In addition, where applicable, the notice must describe how a customer can opt out from information sharing with non-affiliated third parties.
Under current rules, privacy notices generally must include the following information: (1) categories of nonpublic personal information the bank collects; (2) categories of nonpublic personal information that the bank discloses; (3) categories of affiliates and nonaffiliated third parties to which the bank discloses nonpublic personal information; (4) categories of information disclosed about former customers; (5) a separate statement about information disclosed for joint marketing purposes; (6) an explanation of the consumer's right to opt out from disclosure of nonpublic personal information to nonaffiliated third parties (including an explanation about how to exercise that right); (7) an explanation about the bank's information sharing with affiliates; (8) the bank's policies and procedures for protecting the confidentiality and security of nonpublic personal information; and (9) any disclosures that the bank makes "as permitted by law," such as disclosures for government reports or to complete transactions.
When privacy notices were first developed and distributed in 2001, critics complained about their length and complexity. To begin to address these problems, the regulatory agencies held a forum in December 2001 to discuss how to make privacy notices more effective. The agencies are now considering options for a more streamlined notice format that will meet consumers' needs and at the same time reduce burden.
Development of a Short Form Notice
Generally, the ICBA believes that the purpose of a privacy notice should be to explain to customers the bank's policy of collecting non-public personal information about consumers, how the bank might share that information and, where applicable, how the customer can opt out from that information sharing.
The ICBA has long advocated the creation of a short-form privacy notice. Anecdotal evidence suggests that few consumers read privacy notices, and a short form notice would be more likely to be read, making it both more useful and more in keeping with its intended purpose.
However, many banks have already developed and established procedures to comply with existing requirements, and any change in existing procedures will require redesign of forms, retraining of staff, and possibly reprogramming of software that is currently in place to ensure compliance with new requirements. Therefore, the ICBA believes that if the agencies develop a short-form privacy notice, use of the short form should be optional and not mandatory.
Moreover, since any new notices will not be the result of substantive changes to a bank's privacy policies and procedures, it will be important that consumers understand that the change is merely a change in format to facilitate comparison of privacy policies and not a change in privacy rights. Therefore, it will be vitally important for the agencies to take steps to educate the public about any changes to ensure that the general public understands why the notices are being changed and what significance the changes portend for individual consumers.
Utility of Existing Privacy Notices for Consumers. The ICBA believes that the current privacy notices are somewhat useful for bank customers, as they disclose the bank's information sharing practices. However, they are only somewhat useful because the sample language and required disclosures can often be confusing for bank customers. Community bankers report that the majority of their customers are not especially concerned about the disclosures in the privacy notice. Rather, most community banks have established trust and confidence with their customers that serve as the foundation for the relationship and the privacy notice merely reaffirms a pre-existing trust and confidence.
It has been suggested that a simpler form would allow customers to shop and compare privacy practices and policies between different institutions. Since the great majority of bank customers are more likely to shop based on fees and the location of a bank branch rather than a bank's privacy policies, the ICBA questions how extensively consumers would use the privacy notice to compare financial institutions. However, a simplified, consistent document would make it easier for individual consumers to understand privacy policies and would make it easier for those consumers that want to make comparisons to do so.
Annual Notice. The ICBA believes a shorter notice would be preferable, with disclosures made at the time an account is opened. However, we believe that an annual notice of a bank's privacy policies is unnecessary. The current requirement that all consumer customers receive an annual copy of the bank's privacy notice is unduly burdensome, with the costs far outweighing any minimal benefits. We recognize there is an annual notice provision in the statute, but the statute also grants the agencies leeway in drafting regulations. Specifically, section 504(b) permits the agencies to grant exceptions to the provisions of section 502(a) through (d) when it would be consistent with statutory purpose. Section 502(a) requires a notice that substantially complies with the provisions of section 503, the annual notice requirement.
The ICBA submits that it would be possible for the regulators to interpret these provisions to allow an exception from the annual notice requirement for financial institutions that only share information in such a way that they are not required to offer consumers an opt-out option. If the agencies do not feel comfortable with such an interpretation, the ICBA strongly urges the agencies to recommend that Congress consider eliminating the annual mailing requirement to reduce cost and regulatory burden.
Providing the bank's privacy notice at account opening would ensure that the provisions are called to the consumer's attention and should be thoroughly adequate for the great majority of consumers, especially customers of banks that are not required to offer an opt-out option. If and when the bank's information sharing practices change, a revised notice could be provided. There would be an added benefit in providing notice only when there is a change in the bank's information sharing practices and procedures: the notice would call attention to the changes, as opposed to the current requirement of annual mailing by all financial institutions that merely ensures customer indifference to notices, making it increasingly likely that the notices are unheeded and unread.
Right to Opt Out. Many community banks only share information as permitted by one of the exceptions provided in the statute and the rule. As a result, they are not required to offer their customers an opt-out. However, because of media coverage of privacy issues, consumers believe that all banks must offer an opt-out. The ICBA encourages the agencies to make additional efforts to help the public understand how the right to opt out works and that not all banks must offer the option. The ICBA also recommends that the agencies clarify how banks should handle opt-out requests where the bank is not required to offer one. For example, if a customer requests an opt-out from a bank that only shares information as permitted by one of the existing exceptions, the bank should be able to treat that request as invalid and not retain any record of the request.
If a bank is required to offer customers the right to opt out, the ICBA is concerned that highlighting that information, such as through the use of highlighted text, a special font or by placing the disclosure in a separate box, may be a disservice to customers by encouraging the opt-out and preventing the bank from providing good customer service by making it more difficult to offer a broad variety of financial products and services through affiliates or non-affiliated third parties. However, if the agencies deem highlighting of the opt-out option is appropriate, then it should be a recommended, but not required, practice. And, since so many community banks are not required to offer the right to opt out because they only share information following one of the statutory or regulatory exceptions, the ICBA also believes it would be extremely useful for the agencies to develop model language that explains in very brief and simple terms why the bank is not offering a right to opt out. Such model language would be helpful in eliminating some of the confusion engendered by media reports when privacy notices were first used in 2001.
Key Elements for a Short Form Notice. Community banks and their customers generally believe that the same elements of privacy are important. Essentially, a bank's privacy notice should stress that the bank protects the security and confidentiality of each customer's information, that it may disclose that information to provide services and products, and, where applicable, a brief explanation of what the customer must do to opt out from information sharing. Generally, the privacy notice should not be more than four or five items, since the more detailed and complex the notice becomes, the less likely consumers will actually read it and the less useful the privacy notice will be.
If the bank only shares information under the existing exceptions such that it is not required to offer an opt-out, the requirements for a privacy notice should be very short. Primarily, the notice should alert customers to whether the bank shares non-public personal information about its customers for marketing non-financial products and services. Banks are in the business of providing financial products and services for their customers and community banks often rely on third parties to provide financial services and support their customers' financial needs; anecdotal evidence suggests that customers are not offended when a bank makes arrangements to provide financial services. The objections arise when banks use non-public personal information to market non-financial services, such as magazine subscriptions, dental or legal services or travel services.
Where a consumer does not have the right to opt out from information sharing with third parties, such as where the bank enters into joint marketing ventures with other financial service providers to offer its customers financial products and services, the ICBA does not believe that it is necessary to highlight this element in the privacy notice.
Possible Notice Formats or Templates
One option being considered by the regulators would be a short-form privacy notice that gives abbreviated disclosures but does not provide all the disclosures mandated by the Gramm-Leach-Bliley Act. Under this option, a separate long-form would have to be available on request to meet statutory requirements.
The ICBA agrees that if the short form does not contain all the elements required by the Gramm-Leach-Bliley Act, the abbreviated notice should include a simple statement informing customers how to obtain the full, long-form privacy notice. However, we do not agree this avenue is likely to be useful in reducing customer confusion or reducing regulatory burden. While a short form would reduce distribution and mailing costs, it could actually increase regulatory burden, since banks would be required to maintain two privacy notices: a new short form and a long form containing all the information required by the statute. Having two privacy forms would require banks to train staff on the use of two forms and would require banks to maintain supplies of two parallel forms. Moreover, having a bifurcated system of privacy notice forms would be confusing to customers, since every financial institution would have two related but different privacy notices. The ICBA believes that if a shorter privacy notice is created, it should replace the current long form.
While it would be preferable to have a new short form replace the long form, if there must be two forms, the most logical requirement would be to make the long form available at account opening for customers that request it. Banks should have the option of providing either the short form or the long form at account opening. If a bank elects to provide a short form privacy notice to customers at account opening, the bank should then make the long form available if the customer requests it. After an account relationship has been established, if an annual notice is still required, the short form could be used.
It is important that all banks have the option of using only one privacy notice form. This is especially important for community banks that do not share information outside one of the permitted exceptions, that are therefore not required to offer an opt-out, and that already use a "long" form that is actually relatively short. Those banks should be allowed to continue to use their existing form.
The agencies have identified four possible notice formats for consideration, with the caveat that they are solely designed to encourage discussion. The three notice formats provide varying degrees of flexibility in making privacy disclosures. The first would be the least flexible, since it provides a standard template where bankers merely indicate "yes" or "no" on each category. The second offers slightly greater flexibility, permitting banks to supplement the mandated information in each category. The third template allows the greatest flexibility, setting out a format of various categories for disclosures, but allowing individual banks to describe their information sharing practices for that particular category. All three sample forms are designed to facilitate consumer comparison of privacy policies and practices among different financial institutions. While each form has individual merits, the ICBA believes that greater flexibility may be the most decisive factor.
The less flexibility permitted for individual financial institutions to disclose their privacy policies and procedures, the less information is actually conveyed to consumers. The current food nutrition labels have often been cited as an ideal model to emulate. Unfortunately, the information included in a privacy notice is subjective and cannot be distilled to the absolutes that nutrition labels are designed to convey. In fact, software programs that can distill and analyze privacy policies have been difficult to develop for this reason. Therefore, sufficient flexibility is critical in any required disclosures of a bank's information sharing practices.
Optional vs. Mandatory. Again, it is important to stress that any new short-form privacy notice should be optional and not mandatory. As noted above, for the past three years, banks have been issuing privacy notices to their customers, and have reached a point where existing notices meet compliance requirements and are familiar to bank customers. A mandatory change in format, however well intentioned, will be expensive and burdensome. And since a new format will not be the result of substantive changes to a bank's privacy policies or procedures, it may be confusing for consumers. Since costs may outweigh benefits for many banks, a revised format should be optional. This is especially important for community banks that already use shorter privacy notices that meet the requirements of the current regulations. While the ICBA urges that any new privacy notice formats be optional for all financial institutions, at a minimum, community banks that are not currently required to offer customers an opt-out should be allowed to continue using their existing privacy notices.
Language. Privacy notices should provide information to consumers in a meaningful way. Since much of the language in the current regulatory models has been subjected to criticism, it would be useful for the regulatory agencies to test proposed language changes with focus groups. When developing alternative privacy notices, the ICBA suggests incorporating standard phrases in model clauses, since standard terminology ensures consistency and facilitates consumer understanding and comparison.
However, banks also should be allowed some flexibility to develop their own language for disclosures as long as certain mandatory information is included. Individual banks know their own customer base and should be able to communicate information to their own customers in the most appropriate manner. Permitting flexibility allows banks to tailor disclosures based on their unique market and circumstances, although providing a safe harbor for use of model language would encourage its use. But while standard language is useful for model clauses, it should not be mandatory.
Presentation Format. There may be advantages to standardized presentation, but the less flexibility permitted individual financial institutions, the less opportunity the bank has to accurately communicate its information sharing practices to its customers. The key advantage to a standardized format for presentation, perhaps following the model of the Schumer Box used for Truth-in-Lending disclosures, is that it would permit consumers to compare privacy policies for different financial institutions, if they so desire. For a short-form privacy notice, one page would most likely be the optimal length.
State Law Considerations. Because the provisions of the Gramm-Leach-Bliley Act allow individual states to develop requirements that differ from federal requirements, it is important that any changes to the existing federal regulations permit banks sufficient flexibility to include any disclosures required by state law in their federal privacy notices at the bank's option and when state law permits.
Safe Harbor. While the use of any short form privacy notice should be optional, whenever a bank uses the standard form template or model language furnished by the agencies, the bank should have a safe harbor to protect it from examiner criticism or litigation.
The ICBA supports the development of an optional short-form privacy notice that is clear and concise and that helps consumers understand an individual financial institution's information sharing practices. However, inasmuch as banks and their customers have had three years of experience with existing requirements, any new alternative forms of privacy notice should be at the option of the institution, especially community banks that are not required to offer an opt-out.
If an alternative notice format is developed, it should be a template that banks can use, and the regulatory template should provide a safe harbor from examiner criticism and litigation. Any alternative form of privacy notice should include all the disclosures mandated by the Gramm-Leach-Bliley Act so that it can be used instead of the existing long form and not as a companion or supplemental notice form.
The ICBA also strongly encourages the agencies to strive to eliminate the annual notice requirement, especially for those banks that are not required to offer an opt-out. Finally, the ICBA urges the agencies to develop model language and undertake a public education effort to help consumers understand that not all banks are required to offer a right to opt out.
Thank you for the opportunity to comment. If you need additional information or have any questions, please contact me by phone at 202-659-8111 or by e-mail at firstname.lastname@example.org.
Robert G. Rowe, III
[1] ICBA represents the largest constituency of community banks in the nation and is dedicated exclusively to protecting the interests of the community banking industry. We aggregate the power of our members to provide a voice for community banking interests in Washington, resources to enhance community bank education and marketability, and profitability options to help community banks compete in an ever-changing marketplace.