My name is L. Richard Fischer. I
am a partner of Morrison & Foerster and I practice in the firm’s
Washington, D.C. office. I have
nearly three decades of experience in advising banks and other financial
services companies on retail banking matters, including privacy, and I am the
author of the leading treatise on this subject, The Law of Financial Privacy. I am
pleased to have the opportunity to appear before you today to address the issue
of information privacy and the requirements of the recently enacted Gramm-Leach-Bliley
Act.
As you are aware, the Gramm-Leach-Bliley Act (the “GLBA”) established
the most comprehensive financial privacy provisions of any federal legislation
ever enacted by Congress. The GLBA
requires each financial institution to provide every customer with a clear and
conspicuous statement of the institution’s policies and practices for
protecting the privacy of customer information. In addition, each financial institution must provide its
customers with notice, and an opportunity to prohibit, or opt out of, the
disclosure of information to nonaffiliated third parties.
Under regulations promulgated to implement the GLBA, these requirements
become fully effective on July first of this year. Currently
the financial services industry is in the midst of readying itself for this July
1, 2001 effective date. Not only
are financial institutions putting in place programs to comply with the notice
and opt out requirements of the GLBA, but they also are reviewing and revising
their corporate information policies and practices.
In fact, it simply is not possible for a financial institution to craft a
privacy notice without first conducting an inventory of its current information
practices and shaping those practices prospectively in a manner consistent with
that privacy notice. As a result,
financial institutions have been reviewing, and where appropriate restructuring,
their relationships with third party servicers and other companies to further
limit the disclosure of information about consumers, and to increase their
control over information when it is disclosed.
The full effects of the implementation of the GLBA will not be apparent
for some time. Nevertheless, from
first hand experience in working with a wide variety of financial institution
clients, I can attest that the changes in market practices that already have
resulted from the GLBA have increased the high level of confidentiality with
which financial institutions have historically treated their customer
information. Further, the privacy
notices required by the GLBA, which consumers have already begun to receive, can
be expected to raise consumer awareness of privacy-related issues.
This will enable market forces to further shape information practices to
reflect even more closely consumer expectations.
The Gramm-Leach-Bliley Act
The GLBA applies to a broad range of financial institutions.
It sweeps within its coverage not only traditional banks, securities
firms, and insurance companies, but also all other providers of financial
products and services as defined under section 4(k) of the Bank Holding Company
Act. As a result, retailers issuing
credit cards, money transmitters, check cashers, mortgage brokers, real-estate
settlement services, appraisers, tax preparation services and even online
companies that offer aggregation, funds transfer or payment services are all
financial institutions under the GLBA.
Because of the GLBA, no company that provides financial products or
services to individuals for personal, family or household purposes may provide
non-public information about those individuals to a nonaffiliated third party
for any purpose outside of a specific list of exceptions without first giving
the individuals an opportunity to opt out of that disclosure of information.
In addition, at the time of establishing a retail customer relationship
with an individual, and at least annually thereafter throughout the entire life
of that relationship, a financial institution must provide the customer with a
clear and conspicuous disclosure of the institution’s policies and practices
with respect to the disclosure of personal information to both affiliates and
nonaffiliated third parties. This
detailed notice must describe, among other things, the categories of information
collected by the institution, the categories of information to be disclosed, the
categories of persons to whom information may be disclosed and the
institution’s policies for protecting the confidentiality and security of the
information. And this disclosure
obligation applies even if the financial institution discloses no
information to third parties. Where
information is disclosed to third parties, it is subject to reuse and
redisclosure limitations to ensure that the use to which information is put is
consistent with the purpose for which the information was disclosed.
These statutory requirements are
implemented by regulations adopted by seven federal agencies, including the bank
supervisory agencies, the Securities and Exchange Commission and the Federal
Trade Commission, as well as by rules adopted by the States for insurance
companies.
Many financial institutions adopted privacy policies and communicated
them to their customers well before the adoption of the GLBA, and they have a
long history of treating customer information as confidential.
However, the specific requirements of the GLBA and the implementing
agency regulations have required all financial institutions to reassess their
policies and practices concerning the collection and use of customer
information, and to implement compliance programs to satisfy the new GLBA
requirements for notices and opt-outs.
The Implementation Experience
I have been deeply involved in advising a wide variety of financial
institutions on their efforts to comply with the GLBA.
For larger institutions, compliance has been a multiphased effort
involving individuals from throughout the organization, including its policy,
operations, information management, legal, and compliance functions.
Both the scope and intensity of these efforts have been Herculean; so
will the resulting communication onslaught -- tens of thousands of financial
institutions sending billions of privacy notices to consumers throughout the
country. In my experience no other
piece of consumer legislation has engendered or required a response of this
magnitude.
Financial institutions have conducted
comprehensive surveys of every aspect of their practices concerning consumer
information and evaluated those practices in terms of the expectations and
preferences of their customers. They
have made difficult business judgments weighing the possible privacy concerns of
their customers against the efficiencies and consumer benefits of using
customer-related information to identify and respond to the needs of those
customers,
and established policies and practices to reflect those judgments.
Financial institutions have developed notices explaining these policies
and practices to their customers, and have put in place programs to ensure that
the notices are delivered to customers and that their employees adhere to these
policies and practices, not only in spirit, but in a rigorous way.
This also has proved to be a highly
competitive process. Although I have reviewed scores of privacy notices, few look
alike. Financial institutions have
designed their privacy notices to address the preferences and concerns of their
customers as they perceive them. Some
financial institutions are even establishing tailored policies and providing
special notices for different types of financial products or programs in order
to ensure that the privacy expectations of those customers are met.
Many financial institutions have tested their policies on focus groups in
order to determine whether they have assessed their customer preferences
correctly, and some of these institutions have had to return to the drawing
boards when they concluded that they did not assess those preferences correctly.
Even where information about consumers will be shared with servicers and
other third parties, many financial institutions are going well beyond the
regulatory requirements for disclosure to explain their practices to consumers
and to explain how consumers benefit from those practices. In many cases institutions have curtailed the flow of
information and restructured business relationships to limit the disclosure of
information about their customers, particularly to nonaffiliated third parties.
In virtually all cases, the process has led to increased controls over
the use and disclosure of information about consumers, even where that
information is necessary to service and maintain customer relationships.
But the efforts to date are only the
beginning. Because of the
importance that the GLBA places on limiting the subsequent use and redisclosure
of information about consumers, financial institutions and the outside companies
that assist them in servicing their customers, must review and revise their
outsourcing agreements and implement procedures to ensure that customer
information is used only in accordance with applicable privacy policies.
They also must ensure that they comply with the reuse and redisclosure
limitations in the GLBA and the implementing agency regulations.
In many cases, this requires the segregation of information according to
the purpose for which it was received, or separately tagging information to
indicate its origin and permissible uses.
Going Forward
At this time, it is far too early to assess the full effect that the GLBA
will have on financial privacy. Consumers
are just beginning to receive their initial privacy notices for their existing
customer relationships. Most
consumers will receive several notices - perhaps 20 or more privacy notices
each. These privacy notices will
evidence a variety of choices with respect to the sharing of information about
them with third parties. How
consumers exercise those choices will tell us much about consumer privacy
preferences and their appreciation of the many benefits of information sharing.
In addition, financial institutions will be watching the actions of their
competitors, as well as the responses of their customers, and then carefully
revising or adjusting their policies accordingly.
In other words, market transparency --- and accordingly the role of
market forces in shaping privacy practices --- will increase dramatically over
the next few months.