[Federal Register Volume 67, Number 32 (Friday, February 15, 2002)]
[Notices]
[Pages 7213-7215]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 02-3781]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY


Public Comment for Study on Information Sharing Practices Among 
Financial Institutions and Their Affiliates

AGENCY: Department of the Treasury, Departmental Offices.

ACTION: Notice and request for comments.

-----------------------------------------------------------------------

SUMMARY: The Secretary of the Treasury (Secretary), in conjunction with 
the federal functional regulatory agencies and the Federal Trade 
Commission, is conducting a study of information sharing practices 
among financial institutions and their affiliates, as required by the 
Gramm-Leach-Bliley Act of 1999. The Secretary is requesting public 
comment on a number of issues to assist in preparation of the Study.

DATES: Please submit comments and responses to the questions in this 
notice on or before April 1, 2002.

ADDRESSES: All submissions must be in writing or in electronic form. 
Please send e-mail comments to study.comments@ots.treas.gov, or 
facsimile transmissions to FAX Number (202) 906-6518 re: GLBA 
Information Sharing Study. Comments sent by mail should be sent to: 
Regulations and Legislation Division, Chief Counsel's Office, Office of 
Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, ATTN: 
Study on GLBA Information Sharing. (Senders should be aware that there 
have been some unpredictable and lengthy delays in postal deliveries to 
the Washington, DC area in recent weeks and may prefer to make 
electronic submissions.) Anyone submitting comments is asked to include 
his or her name, address, telephone number, and if available, FAX 
number and e-mail address. Please do not submit confidential commercial 
or financial information. All submissions should be captioned 
``Comments on the GLBA Information Sharing Study.'' Comments will be 
available to the public in their entirety via the Treasury Department 
website, www.USTreas.gov, where a link will be established. The link 
will be clearly identified on the Treasury homepage as relating to the 
GLBA Study on Information Sharing Practices Among Financial 
Institutions and Their Affiliates. Copies of comments also may be 
inspected at the Treasury Department Library, Room 1428, Main Treasury 
Building, 1500 Pennsylvania Avenue, NW., Washington, DC 20220. Before 
visiting the library, visitors must call (202) 622-0990 to arrange an 
appointment.

FOR FURTHER INFORMATION CONTACT: Susan Hart, Financial Economist, 
Office of Consumer Affairs and Community Policy, Department of the 
Treasury, (202) 622-0129; or Brian Tishuk, Director, Office of Consumer 
Affairs and Community Policy, Department of the Treasury, (202) 622-
1964.

SUPPLEMENTARY INFORMATION:

I. Statutory Background

    On November 12, 1999, President Clinton signed into law the Gramm-
Leach-Bliley Act (GLBA).\1\ The GLBA made several fundamental changes 
to the laws governing the financial system, including easing the limits 
on the types of financial institutions that may be affiliated with one 
another. A Company is an affiliate of a financial institution if it 
controls, is controlled by, or is under

[[Page 7214]]

common control with the financial institution.
---------------------------------------------------------------------------

    \1\ Pub. L. 106-102.
---------------------------------------------------------------------------

    The GLBA also established limits on the extent to which financial 
institutions\2\ may disclose personal information about consumers\3\ 
with whom they do business. The GLBA generally requires that a 
financial institution provide a clear and conspicuous notice of its 
privacy policies and practices and allow consumers to prevent (i.e., to 
opt out of) the disclosure of their nonpublic personal information\4\ 
to a nonaffiliated company, unless certain prescribed exceptions apply. 
The financial institution also must explain how consumers can exercise 
their opt out rights. These limitations on disclosing nonpublic 
personal information do not apply when a financial institution 
discloses a consumer's information to its affiliates.\5\
---------------------------------------------------------------------------

    \2\ Under subtitle A of title V of the GLBA, a financial 
institution generally is any banking institution, credit union, 
securities entity (such as a broker-dealer, mutual fund, or 
investment adviser), or insurance company, as well as any other 
business that engages in activities that are financial in nature 
under section 4(k) of the Bank Holding Company Act of 1956. See 15 
U.S.C. 6809(3); 12 U.S.C. 1843(k). Futures entities (futures 
commission merchants, commodity trading advisors, commodity pool 
operators, and introducing brokers) are also financial institutions 
for purposes of subtitle A of title V of the GLBA, 7 U.S.C. 7b-2(a).
    \3\ Under the GLBA, a consumer in an individual who obtains from 
a financial institution financial product or services to be used 
primarily for personal, family, or household purposes, or that 
person's legal representative. See, e.g., 12 CFR 40.3(e)(1).
    \4\ As further discussed below, nonpublic personal information 
generally is any personally identifiable financial information about 
the consumer, other than publicly available information. See, e.g., 
12 CFR. 40.3(n).
    \5\ Under the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681 
et seq.), financial institutions generally must give consumers clear 
and conspicuous notice and the opportunity to opt out of transfers 
of certain types of information to affiliates to avoid becoming 
consumer reporting agencies, subject to certain exceptions. 
Consequently, some disclosures of information to affiliates whether 
or not limited by the GLBA, may be subject to the notice and opt-out 
provisions of the FCRA.
---------------------------------------------------------------------------

    Section 508 of the GLBA \6\ requires the Secretary, in conjunction 
with the federal functional regulators \7\ and the Federal Trade 
Commission, to conduct a study of information sharing practices among 
financial institutions and their affiliates. The Study must address: 
(1) The purposes for the sharing of confidential customer information 
with affiliates or with nonaffiliated third parties; (2) the extent and 
adequacy of security protections for such information; (3) the 
potential risks for customer privacy of such sharing of information; 
(4) the potential benefits for financial institutions and affiliates of 
such sharing of information; (5) the potential benefits for customers 
of such sharing of information; (6) the adequacy of existing laws to 
protect customer privacy; (7) the adequacy of financial institution 
privacy policy and privacy rights disclosure under existing law; (8) 
the feasibility of different approaches, including opt out and opt in, 
to permit customers to direct that confidential information not be 
shared with affiliates and nonaffiliated third parties; and (9) the 
feasibility of restricting the sharing of information for specific uses 
or of permitting customers to direct the uses for which information may 
be shared.
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 6808.
    \7\ The federal functional regulators are: the Office of the 
Comptroller of the Currency, the Office of Thrift Supervision, the 
Board of Governors of the Federal Reserve System, the Federal 
Deposit Insurance Corporation, the National Credit Union 
Administration, the Securities and Exchange Commission, and the 
Commodity Futures Trading Commission.
---------------------------------------------------------------------------

    In formulating and conducting the Study, the Secretary is required 
to consult with representatives of State insurance authorities 
designated by the National Association of Insurance Commissioners, and 
also with the financial services industry, consumer organizations and 
privacy groups, and other representatives of the general public. The 
Secretary also will incorporate the views of the federal functional 
regulators, including their examiners, and the Federal Trade Commission 
in completing this Study. Upon completion of the Study, the Secretary 
will submit a report to the Congress of the Study's findings and 
conclusions, as well as any recommendations for legislative or 
administrative actions as may be appropriate.

II. Request for Comments

    Please comment on the specific questions set forth below and on any 
other issues relevant to this Study. Please label comments with the 
number and letter corresponding to the question to which the comment 
relates. For purposes of the questions below, the terms ``information'' 
and ``confidential customer information'' mean ``nonpublic personal 
information,'' as defined in the regulations implementing the financial 
privacy provisions of Title V of the GLBA.\8\ In addition, for the 
purposes of this request, the term ``customer'' means any individual 
and includes any individual who applies for or obtains a financial 
service or product.\9\
---------------------------------------------------------------------------

    \8\ See, e.g., 12 CFR 40.3(n), ``Nonpublic personal 
information'' means: (i) ``Personally identifiable financial 
information''; and (ii) any list, description, or other grouping of 
consumers (and publicly available information pertaining to them) 
that is derived using any personally identifiable financial 
information that is not publicly available. ``Personally 
identifiable financial information'' means any information: (i) A 
consumer provides to a financial institution to obtain a financial 
product or service from the institution; (ii) about a consumer 
resulting from any transaction involving a financial product or 
service between a financial institution and a consumer; or (iii) the 
financial institution otherwise obtains about a consumer in 
connection with providing a financial product or service to that 
consumer. See, e.g., 12 CFR 40.3(o).
    \9\ See, e.g., 12 CFR 40.3(e)(1) and 40.3(h). Under GLBA 
regulations, a ``customer'' has an established, on-going 
relationship with a financial institution, whereas a ``consumer'' 
need not. No distinction is made for the purposes of questions 
raised in this notice: The terms are interpreted as equivalents, and 
thus a customer need not have a continuing or on-going relationship 
with a financial institution.
---------------------------------------------------------------------------

    1. Purposes for the sharing of confidential customer information 
with affiliates or with nonaffiliated third parties:
    a. What types of information do financial institutions share with 
affiliates?
    b. What types of information do financial institutions share with 
nonaffiliated third parties?
    c. Do financial institutions share different types of information 
with affiliates than with nonaffiliated third parties? If so, please 
explain the differences in the types of information shared with 
affiliates and with nonaffiliated third parties.
    d. For what purposes do financial institutions share information 
with affiliates?
    e. For what purposes do financial institutions share information 
with nonaffiliated third parties?
    f. What, if any, limits do financial institutions voluntarily place 
on the sharing of information with their affiliates and nonaffiliated 
third parties? Please explain.
    g. What, if any, operational limitations prevent or inhibit 
financial institutions from sharing information with affiliates and 
nonaffiliated third parties? Please explain.
    h. For what other purposes would financial institutions like to 
share information but currently do not? What benefits would financial 
institutions derive from sharing information for those purposes? What 
currently prevents or inhibits such sharing of information?
    2. The extent and adequacy of security protections for such 
information:
    a. Describe the kinds of safeguards that financial institutions 
have in place to protect the security of information. Please consider 
administrative, technical, and physical protections, as well as the 
protections that financial institutions impose on their third-party 
service providers.

[[Page 7215]]

    b. To what extent are the safeguards described above required under 
existing law, such as the GLBA (see, e.g., 12 CFR 30, Appendix B)?
    c. Do existing statutory and regulatory requirements protect 
information adequately? Please explain why or why not.
    d. What, if any, new or revised statutory or regulatory protections 
would be useful? Please explain.
    3. The potential risks for customer privacy of such sharing of 
information:
    a. What, if any, potential privacy risks does a customer face when 
a financial institution shares the customer's information with an 
affiliate?
    b. What, if any, potential privacy risks does a customer face when 
a financial institution shares the customer's information with a 
nonaffiliated third party?
    c. What, if any, potential risk to privacy does a customer face 
when an affiliate shares information obtained from another affiliate 
with a nonaffiliated third party?
    4. The potential benefits for financial institutions and affiliates 
of such sharing of information (specific examples, means of assessment, 
or evidence of benefits would be useful):
    a. In what ways do financial institutions benefit from sharing 
information with affiliates?
    b. In what ways do financial institutions benefit from sharing 
information with nonaffiliated third parties?
    c. In what ways do affiliates benefit when financial institutions 
share information with them?
    d. In what ways do affiliates benefit from sharing information that 
they obtain from other affiliates with nonaffiliated third parties?
    e. What effects would further limitations on such sharing of 
information have on financial institutions and affiliates?
    5. The potential benefits for customers of such sharing of 
information (specific examples, means of assessment, or evidence of 
benefits would be useful):
    a. In what ways does a customer benefit from the sharing of such 
information by a financial institution with its affiliates?
    b. In what ways does a customer benefit from the sharing of such 
information by a financial institution with nonaffiliated third 
parties?
    c. In what ways does a customer benefit when affiliates share 
information they obtained from other affiliates with nonaffiliated 
third parties?
    d. What, if any, alternatives are there to achieve the same or 
similar benefits for customers without such sharing of such 
information?
    e. What effects, positive or negative, would further limitations on 
the sharing of such information have on customers?
    6. The adequacy of existing laws to protect customer privacy:
    a. Do existing privacy laws, such as GLBA privacy regulations and 
the Fair Credit Reporting Act (FCRA), adequately protect the privacy of 
a customer's information? Please explain why or why not.
    b. What, if any, new or revised statutory or regulatory protections 
would be useful to protect customer privacy? Please explain.
    7. The adequacy of financial institution privacy policy and privacy 
rights disclosure under existing law:
    a. Have financial institution privacy notices been adequate in 
light of existing requirements? Please explain why or why not.
    b. What, if any, new or revised requirements would improve how 
financial institutions describe their privacy policies and practices 
and inform customers about their privacy rights? Please explain how any 
of these new or revised requirements would improve financial 
institutions' notices.
    8. The feasibility of different approaches, including opt-out and 
opt-in, to permit customers to direct that such information not be 
shared with affiliates and nonaffiliated third parties:
    a. Is it feasible to require financial institutions to obtain 
customers' consent (opt in) before sharing information with affiliates 
in some or all circumstances? With nonaffiliated third parties? Please 
explain what effects, both positive and negative, such a requirement 
would have on financial institutions and on consumers.
    b. Under what circumstances would it be appropriate to permit, but 
not require, financial institutions to obtain customers' consent (opt 
in) before sharing information with affiliates as an alternative to a 
required opt out in some or all circumstances? With nonaffiliated third 
parties? What effects, both positive and negative, would such a 
voluntary opt in have on customers and on financial institutions? 
(Please describe any experience of this approach that you may have had, 
including consumer acceptance.)
    c. Is it feasible to require financial institutions to permit 
customers to opt out generally of having their information shared with 
affiliates? \10\ Please explain what effects, both positive and 
negative, such a requirement would have on consumers and on financial 
institutions.
---------------------------------------------------------------------------

    \10\ This question seeks views on a general opt out for sharing 
of information with affiliates and represents a broadening of opt-
out provisions for affiliate sharing under the FCRA.
---------------------------------------------------------------------------

    d. What, if any, other methods would permit customers to direct 
that information not be shared with affiliates or nonaffiliated third 
parties? Please explain their benefits and drawbacks for customers and 
for financial institutions of each method identified.
    9. The feasibility of restricting sharing of such information for 
specific uses or of permitting customers to direct the uses for which 
such information may be shared:
    a. Describe the circumstances under which or the extent to which 
customers may be able to restrict the sharing of information by 
financial institutions for specific uses or to direct the uses for 
which such information may be shared?
    b. What effects, both positive and negative, would such a policy 
have on financial institutions and on consumers?
    c. Please describe any experience you may have had of this 
approach.

    Dated: February 4, 2002.
Sheila C. Bair,
Assistant Secretary of the Treasury.
[FR Doc. 02-3781 Filed 2-14-02; 8:45 am]
BILLING CODE 4810-25-P