March 31, 2000

Via e-mail: GLBRule@ftc.gov

Donald S. Clark, Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Re: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 -- Comment

Dear Mr. Clark:

Countrywide Home Loans, Inc. ("Countrywide") is pleased to submit our comments in connection with the Commission's proposed Gramm-Leach-Bliley Act Privacy Rule ("Privacy Rule"), 16 CFR Part 313. 65 Fed. Reg. 11174-11195. As the Commission noted, the Privacy Rule would implement the privacy provisions of the Gramm-Leach-Bliley Act, Subtitle A of Title V of Pub. L. 106-102 ("GLBA"), for all institutions subject to the jurisdiction of the Commission. We appreciate the opportunity to comment on these Privacy Rules.

At Countrywide, we monitor our customers' privacy concerns closely and strive to provide our customers with choice, control and convenience. We are also continually looking for opportunities to meet our customers' needs and optimize their homeownership experience by providing the right products and services at the right time and at the right price. We conduct extensive market research and carefully develop such product and service offers to meet our standards and assure that they reach customers most likely to take advantage of the opportunity. However, we appreciate the need to set standards with respect to the information sharing practices that make these consumer benefits possible when necessary to respond to consumer demands for privacy.

In Countrywide's experience, though, the standards must be flexible enough to reflect the fact that attitudes toward what level of information sharing is acceptable and what level of sharing is invasive vary enormously. We think that, in responding to these widely varying customer demands, the good data handlers in the industry will actually further enhance information systems and cross-selling efforts to meet the specific wants and needs of the individual customer. But doing so entails financial institutions like ours devoting more resources to those efforts. It also depends on carefully tailored Privacy Rules that do not unwittingly hinder reasonable business practices that the vast majority of our customers would not find invasive. In that light, our comments reflect not only our strong commitment to protecting consumer privacy, but also our desire to avoid Privacy Rules that increase costs and disrupt routine business practices that benefit both consumers and businesses.

Definition of "Non-Public Personal Information"

The Commission seeks comment on two alternative definitions of "nonpublic personal information." The definitions differ significantly in their approach to what constitutes the opposite of "nonpublic personal information" - "publicly available information." Countrywide strongly supports the Commission's Alternative B, under which information that is publicly available would not be transformed into nonpublic information simply because a financial institution happened to generate the information from its own records, so long as the information could have been obtained from public records.

Under Alternative A's restrictive definition of "publicly available information," an item of information would not be considered to be publicly available, even if it was a matter of public record, if the financial institution obtained the item from its own records of its relationship with the customer. Proposed § 313.3(n)(1)(i), (o)(1)(iii). Publicly available information includes only information that is, in fact, obtained from government records, widely distributed media, or government-required disclosures. Proposed § 313.3(p)(1).

Under this unduly restrictive definition, Countrywide could not share basic information about the mortgage such as property address or loan amount or even the fact that an individual recently became a customer, despite the appearance of those facts in the real property records (since that information appears in the original recorded mortgage instrument or a recorded assignment of mortgage). This information epitomizes "public" records that should flow freely in our economy. Every competitor of Countrywide could use the publicly available information about our customers, combine it with "nonpublic personal information" by obtaining a credit report under the prescreening provisions of the Fair Credit Reporting Act or its own compilation of data, and solicit our new customers for a myriad of home-related products. Meanwhile, the Privacy Rule would forbid Countrywide--the company that the customer chose to handle the customer's personal information in the first place--from using the fact of the relationship to efficiently cross-market other products and services from unaffiliated third parties. Countrywide and other mortgage lenders would be forced to pay additional costs to data compilers and list brokers just to obtain public data already in our possession in an effort to retain our own customers, resulting in higher prices for consumers. This result not only goes beyond consumers' reasonable expectations of privacy, but is also patently unfair and anti-competitive for business and counterproductive for consumers.

In addition to being anti-competitive, the Commission's Alternative A would create confusion in the marketplace. Regardless of the financial institution's policies with respect to use of customer data, the existence of the customer relationship is public information. In addition to the public recording of the mortgage instrument or assignment, home sales are routinely reported in general-circulation newspapers as well as in more specialized publications, whose reports often identify the mortgagee as well as the purchaser or seller. A consumer who opted out of having Countrywide disclose the existence of the relationship could still receive solicitations from unaffiliated third parties who obtained the customer's name from such other sources rather than from Countrywide. Customers periodically forward to us marketing material they have received from nonaffiliated third parties that is written, despite the deceptive nature of the practice, to suggest to the consumer some sort of relationship between Countrywide and the other party. Such a consumer might, and in Countrywide's experience sometimes does, mistakenly believe that Countrywide failed to honor the consumer's opt-out request, damaging the relationship between Countrywide and our customer.

Alternative B is preferable because it gives the financial institution the ability to reduce the likelihood of brand confusion in the marketplace. For customers who have opted out, Countrywide and other financial institutions have the option to continue offering products and services through joint or co-branded marketing arrangements with nonaffiliated third parties, so long as the information shared with the nonaffiliated third party is publicly available. These customers will be more likely to appreciate the difference between the joint or co-branded marketing arrangements and the deceptive marketing materials that falsely suggest to the consumer some sort of relationship between Countrywide and the other party.

Alternative A would also potentially limit beneficial and non-controversial information flow before the closing of a home purchase mortgage. For example, it is common for real estate agents and mortgage companies to each independently share the fact of a customer relationship with different affiliated or unaffiliated third party home warranty providers. This often results in the consumer getting competing quotes for a home warranty. The mortgage company would have to provide a disclosure of its privacy policy with respect to that information to all borrowers and an opt-out right before it shared the information with any unaffiliated third parties. Ironically, though, since real estate agents are not clearly within the meaning of "financial institution" under GLBA, real estate agents would be free to share the fact of the relationship without any limits. This would strengthen the real estate agent's position to influence the customer's choice of providers, and consequently limit the intensity of competition between third party service providers for the ancillary services that a consumer needs during a home purchase.

Furthermore, the unduly broad definition in Alternative A would require financial institutions to enhance current systems or build new systems at great cost to prove compliance with the Privacy Rule by being prepared to show that shared information was obtained from a qualifying public source. This requires that a financial institution keep track of not only the information it obtains but also the source of each piece of information and the date the information was obtained. While it may be possible for financial institutions to invest in sophisticated data systems to track this, it is a substantial burden without any commensurate privacy-enhancing benefits to the consumer given that the customer's information is already publicly available. The end result is that consumers pay more for financial products and services with no measurable improvement in consumer privacy.

In its recent Trans Union decision, the Commission recognized that a report of public record mortgage information does not raise the same privacy concerns as a report containing nonpublic details of the relationship between the borrower and the mortgage company. In that opinion, the Commission assumed that information brokers that report only public record mortgage information are not "consumer reporting agencies" as defined in the Fair Credit Reporting Act ("FCRA"). Trans Union, Opinion of the Commission, slip op. at 45. See 15 U.S.C. § 1681a(f). The Commission reached this result even though the definition of a "consumer report," which is an element of the definition of a "consumer reporting agency," arguably applies to a report of public record mortgage information. See 15 U.S.C. § 1681a(d).

We note that neither the Board of Governors of the Federal Reserve System ("Board") nor the Securities and Exchange Commission ("SEC") proposed Alternative A. As a result, it is possible that the Board and SEC would adopt Alternative B while the Commission and the other regulatory agencies adopted Alternative A. This outcome would be inconsistent with the statutory mandate to issue "to the extent possible…regulations [that] are consistent and comparable." See GLBA § 504(a)(2). Such a result would present particular problems for mortgage companies that are subsidiaries of bank holding companies but have affiliates that are supervised by agencies other than the Board, because the affiliates would be subject to two conflicting requirements. In addition, a problem of public perception would be created. Consumers - who are unlikely to have any idea whether or not their mortgage is held by a bank holding company affiliate - would be treated differently depending on the nature of their mortgage lender's charter. A legitimate basis has not been articulated for the various agencies to adopt inconsistent definitions of "nonpublic personal information" nor is it conceivable how different definitions for different chartered institutions would satisfy the statutory mandate.

Finally, the Commission also seeks comment on whether it should require a financial institution to establish "reasonable procedures to establish that information is, in fact, available from public sources before [treating it] as 'publicly available information.'" We do not believe that such an additional requirement is warranted. Financial institutions of all types have a strong incentive to establish appropriate compliance procedures. An agency's assertion that a financial institution's procedures are inadequate, with no evidence of any information sharing violations, should not be an independent basis for an enforcement action.

Responsibilities of Secondary Market Participants with No Direct Relationship with the Customer

In enacting the GLBA, Congress recognized that the activities of secondary market participants generally do not raise personal privacy concerns. The GLBA exempts from the disclosure and opt-out provisions any "disclosure of nonpublic personal information…in connection with…a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer." GLBA § 502(e)(1)(C). This exemption would be unduly narrowed or rendered meaningless if a secondary market participant were considered to have established a customer relationship as soon as it acquired ownership of a loan. In addition to the specific exemption for secondary market activities, the more general exception for disclosures "as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer" would also apply to most, if not all, disclosures of information to a secondary market investor. See GLBA § 502(e)(1)(C). The Commission should clarify that secondary market participants, who do not service the loans, generally do not establish a customer relationship with the consumer.

The Commission should more explicitly recognize the distinction between a secondary market participant and a financial institution that has a direct relationship with the borrower, by generally treating the borrower as a "consumer," not a "customer" of a passive secondary market participant under the regulation. If the secondary market participant either (1) markets financial products or services directly to the consumer, or (2) shares nonpublic information with an unaffiliated third party (where an exception does not apply), then the borrower becomes a "customer" who is entitled to disclosures and the opt-out right. As noted, under the definition of "consumer," a financial institution need not provide initial disclosures or an opt-out right unless it shares nonpublic information with an unaffiliated third party, and an exception does not apply. Under Countrywide's proposal, consumers would be fully protected because the secondary market participant would have to treat them as customers - providing disclosures and an opt-out right - before or at the time it marketed to them or shared any of their information with nonaffiliated third parties.

Issues Involving Loan Servicers

Sub-servicing Arrangements

The Commission should recognize that there are sub-servicing arrangements in which the loan is actually serviced by one or more entities other than the owner of the servicing rights. In addressing the responsibilities of servicers, the Privacy Rule consistently refers to the transfer or retention of "servicing rights." The regulation states that:

"An individual who makes payment to you [the financial institution] on a loan where you own the servicing rights is a consumer. An individual is not your consumer, however, solely because you service the individual's loan on behalf of a financial institution that made the loan to the individual."

Proposed 15 C.F.R. § 313.3(e)(2)(v), 65 Fed. Reg. at 11191. For example, assume that a loan is owned by a securitization trust. Acme Mortgage owns the servicing rights but Countrywide performs the actual servicing functions as sub-servicer. The borrower makes payments to the order of Countrywide and calls Countrywide's "800" number with questions about the loan. All of the borrower's contact is with Countrywide. Unless Acme enters into another customer relationship with the borrower, there is no reason for Acme to provide its privacy policy and an opt-out right. Only Countrywide should do so.

From the consumer's point of view, a sub-servicing arrangement is often indistinguishable from the situation in which the servicing rights are transferred. In situations where the loan is serviced by the owner of the servicing rights, the consumer often has no direct contact with the owner of the loan and has no interest in being notified of a change of ownership. Similarly, in sub-servicing arrangements, the consumer typically has no direct contact with the owner of the servicing rights. Servicing rights are, in essence, a financial instrument that represents an interest-only strip-off of the mortgage loan.

At the same time, many servicers outsource some or all of their responsibilities but retain the value of their brand name by using a "private label" servicer. In the example above, assume that the borrower makes payments to the order of Acme Mortgage and calls Acme's "800" number, but Acme has outsourced the performance of these functions to Countrywide. As far as the borrower is concerned, all contact is with Acme. Unless Countrywide enters into a customer relationship with the borrower that is separate from its outsourcing arrangements or discloses nonpublic personal information to an unaffiliated third party, there is no reason for Countrywide to provide its privacy policy.

We believe that, instead of focusing on ownership of servicing rights (or, for that matter, on ownership of the loan), the entity or entities that deal directly with the consumer should be considered "servicers." In other words, the entity to which the consumer sends payments should be treated as the loan servicer.

The definitions in HUD's Regulation X should serve as a starting point:

"Servicer means the person responsible for the servicing of a mortgage loan (including the person who makes or holds a mortgage loan if such person also services the mortgage loan)….

"Servicing means receiving any scheduled periodic payments from a borrower pursuant to the terms of any mortgage loan, including amounts for escrow accounts under section 10 of RESPA (12 U.S.C. § 2609), and making the payments to the owner of the loan or other third parties of principal and interest and such other payments with respect to the amounts received from the borrower as may be required pursuant to the terms of the mortgage servicing loan documents or servicing contract. In the case of a home equity conversion mortgage or reverse mortgage as referenced in this section, servicing includes making payments to the borrower."

24 C.F.R. § 3500.2.

The Commission should simply make clear that the person in whose name the service is performed is the person responsible for the servicing.

Notice by Servicer

The timing rules in the Privacy Rule would create serious difficulties for mortgage loan servicers. A financial institution must provide initial disclosures and the right to opt-out before a customer relationship is established. See Privacy Rule § 313.4(a)(1). A consumer becomes the customer of a loan servicer when the consumer "[m]akes his or her first payment to you [the financial institution] on a loan account for which you have obtained the servicing rights." Privacy Rule § 313.4(c)(2)(v).

As discussed above, a loan may be serviced by a different entity from the owner of the loan servicing rights, and we recommend that the Commission apply the regulation to the functional loan servicer rather than to the owner of the servicing rights. However, even if the Commission were to make such a change, basing the timing on when the loan servicer receives its first payment would create severe difficulties. With respect to mortgages subject to the Real Estate Settlement Procedures Act ("RESPA"), both the transferor servicer and the transferee servicer(1) are obligated to notify the borrower of the change of servicer. See 24 C.F.R. § 3500.21(d). The transferor servicer's notice must generally be sent at least fifteen days before the effective date of the transfer (as defined in Section 6 of RESPA), while the transferee servicer's notice must be sent no later than fifteen days after the effective date.

HUD's Regulation X also requires the notices to state the date that the transferor servicer will cease to accept payments and the date that the transferee servicer will begin to accept them. However, despite that disclosure, it is entirely possible if not likely that the transferee will receive some payments prematurely. Since the privacy disclosures must be made before receipt of the first payment, the Privacy Rule would effectively require the transferee servicer to send a privacy disclosure at some time before the effective date of the transfer, probably at the same time as the transferor's disclosure. This change in requirements would disrupt longstanding practices in the mortgage industry.

As long as the transferee servicer does not plan to share information about the consumer with nonaffiliated third parties, there is no reason to require a disclosure before the effective date of the transfer, as defined by RESPA. In any case, if the transferee servicer wants to share information in a manner not covered by an exception, it must provide the opt-out notice and a reasonable time to opt-out before doing so.

The Commission has recognized the limited value of a disclosure by a transferee in the context of a transfer of ownership of a loan, by allowing that the disclosure may be provided -

"within a reasonable time after you [the financial institution] establish a customer relationship if: (i) You purchase a loan from another financial institution and the customer of that loan does not have a choice about your purchase…."

Privacy Rule § 313.4(d)(2). Although, as noted, we do not believe that purchase of a loan by itself should trigger a disclosure requirement, we support the timing principle behind the Privacy Rule, and urge the Commission to apply it to transfers of servicing. Specifically, the transferee servicer should be given a reasonable time after the transfer to provide disclosures, and the time limits in Regulation X for the transferee servicer's disclosures should be a safe harbor (whether or not the transaction is subject to RESPA).

Transferability of Opt-Out

A related question is whether a consumer's opt-out with respect to one lender or servicer should be effective against a subsequent lender or servicer. The Proposal implies that the opt-out applies only to the current financial institution, since otherwise it would make no sense for the successor financial institution to provide new disclosures and a new opportunity to opt-out. Countrywide supports this interpretation and urges the Commission to make it explicit in the final rule.

Issues Involving Mortgage Brokers

Because over 50% of residential mortgage loans are now originated by or through mortgage brokers, the Commission should also clarify when in the mortgage loan origination process a mortgage broker's customer becomes a customer of the ultimate lender. It should recognize that the lender may either close the loan in its own name or provide funds for the broker to close the loan in the broker's name. In brokered-loan situations, the broker typically sends customer data to one or more wholesale lenders to see if the applicant fits the lender's guidelines. In this situation, several lenders will have the applicant's data, but none is assured of having a customer relationship with the applicant.

On the other hand, the mortgage broker does have a customer relationship with the applicant. The Privacy Rule states that a mortgage broker establishes a continuing relationship with the consumer, and the consumer, therefore, becomes the broker's customer, when consumer "[e]nters into an agreement or understanding with you [the broker] whereby you undertake to arrange or broker a home mortgage loan . . . for the consumer." Privacy Rule 16 C.F.R. § 313.3(h)(2)(i)(D), 65 Fed. Reg. at 11189-90. Since the broker has a customer relationship with the applicant, it is logical to conclude, as the Privacy Rule does, that the applicant does not become a customer of any of the lenders until the loan closes (that is, unless one or more of the wholesale lenders takes additional actions that would make the applicant its customer). As the Commission recognizes, while the loan is being shopped, none of the lenders has established a continuing relationship with the applicant.

The rule should also make clear that a broker may make privacy disclosures, and provide an opt-out right, on behalf of a number of prospective wholesale lenders, and that those lenders may then rely on those disclosures in sharing information. For example, this issue could arise if the broker wishes to offer the applicant the option of buying a home warranty through whichever lender ultimately funds the loan. The broker will ask each prospective lender to have a home-warranty company mail a solicitation to the applicant. In order to do so, each prospective lender must share nonpublic personal information (the fact that the applicant has applied for credit) with the home-warranty company. The prospective lenders should be able to rely on the broker's representation that the applicant received the broker's privacy disclosures and an opportunity to opt out, and did not opt out.

Joint Accounts for Multiple Customers and Multiple Accounts for the Same Customer

The Commission seeks comment on whether there are instances where all parties to the account need not receive the notice and on how the right to opt-out should apply to joint accounts. Requiring that every joint account holder receive a notice and opt-out would be unworkable for businesses and unfriendly to consumers. Financial institutions would have to keep track of whether all, or only some, of the joint account holders had opted out. And, if joint account holders disagreed about opting out or one was more prompt than the others in returning the opt-out form, financial institutions would be legally forced to sort information from the joint account, restricting the distribution of information personal to one, but not all, account holders. Instead, we think that any specification of requirements for joint accounts must take into account the reality that "joint" applications often involve one person filling out all or a disproportionate share of the application. This is particularly true in the Internet context, where a joint application is submitted from a single computer with a single keyboard. We urge the Commission to provide flexibility to financial institutions to decide how to manage these notices and opt-outs, allowing the lender to assume that the joint applicants will communicate about what is desired.

Disclosures to Multiple Customers

Countrywide believes that the Commission should adopt a rule that requires a clear and conspicuous notice only to one of the joint account holders. Trying to give multiple disclosures would be particularly difficult with electronic applications, as it would require designating specific computers as being under the control of specific persons for purposes of sending notices and would appear to necessitate acknowledgments of receipt. Notice to either holder of a joint account is almost universally the rule under other consumer protection laws. For example, the Official Staff Commentary to Regulation Z provides as follows:

"MULTIPLE CONSUMERS. When two consumers are joint obligors with primary liability on an obligation, the disclosures may be given to either one of them. If one consumer is merely a surety or guarantor, the disclosures must be given to the principal debtor."

Official Staff Commentary to Regulation Z, ¶ 17(d)-2. See also, e.g., Regulation B, 12 C.F.R. § 202.9(f); Regulation E, 12 C.F.R. § 205.4(d)(2); HUD's Regulation X, 24 C.F.R. § 3500.6(a). The major exception to this rule is the right of rescission. In that case, in light of the swift expiration of the consumer's rights and the perceived significance of the transaction (the placing at risk of the consumer's home), the Board apparently believed that it was important for all joint borrowers to receive the notice. By contrast, the opt-out right continues through the life of the loan (and for twelve months thereafter, under the proposal), and a joint account-holder can always opt out when he or she receives the next annual notice or is concerned by some practice of the financial institution.

Opt-Outs on Joint Accounts

The financial institution should be able to provide a privacy policy and opt-out to any joint account holder, for example by including the notice as part of the application package, leaving it to that person to consult with the other joint account holders about whether to opt out. Any one of the joint account holders should then be able to exercise the opt-out, restricting distribution of the information associated with the account. In such case, the Commission would recognize by rule the legitimacy of a presumption that a communication from any joint account holder was a communication on behalf of all.

Some financial institutions may want to treat an opt-out on an account-by-account basis to avoid issues relating to joint versus individual credit reports and the possibility of having to prove that information sharing related to only the customer choosing not to opt-out. As discussed above, requiring both parties to a joint account to opt-out is problematic in view of the language of the statute and could create operational problems on accounts, such as HELOCs, for which institutions routinely honor requests from either party. Most financial institutions today maintain their records on an account-by-account, rather than customer-by-customer, basis and would find it difficult to comply with an opt-out request with respect to only one account-holder.

On the other hand, as diversified financial organizations integrate their relationships with the customer across multiple products, some are moving toward identifying the customer by a single identifying number. As financial institutions convert their records to a customer-by-customer rather than account-by-account basis, it may become more feasible to share information on an account with respect to a non-opt-out joint account holder while honoring an opt-out request from another party to the account. The reasonable approach would be not to require opt-outs on a customer-by-customer basis, but to allow financial institutions that choose to apply the opt-out on a customer-by-customer basis to disclose that fact, and the means for each customer to opt out, in their clear and conspicuous privacy policy.

Multiple Accounts for the Same Customer

Diversified financial organizations should have the option of making a single disclosure, and providing a single opt-out right, applicable to all account relationships with the customer of any financial institutions within the organization. Allowing such a procedure would reduce the paperwork burden on both the consumer and the financial institution.

Requiring separate notices to each joint account holder would be extremely burdensome for mortgage lenders, particularly with regard to the annual statement of the financial institution's privacy policies and procedures. Although joint borrowers most often both live in the home when a mortgage loan is closed, that is not always the case, and they may separate or divorce later without informing the lender. Lenders and other financial institutions should be able to send disclosures, including the opt-out right, to the address that the borrowers provide for receipt of billing statements and other information about the account.

Disclosures of Account Numbers

The Commission seeks comment on whether there should be an exception in Section 313.13 to the general prohibition in GLBA § 502(d) against disclosing account numbers for marketing purposes. At a minimum, the Commission should clarify that the exceptions to the opt-out in GLBA § 502(e) apply equally to the sharing of account numbers. Countrywide strongly supports such an exception, although we believe that there are situations in which it is also appropriate to disclose the unencrypted account number.

As the Commission notes, "[t]he Statement of Managers contained in the Conference Report to S. 900 encourages the Commission and Agencies to adopt an exception to section 502(d) to permit disclosures of account numbers in limited instances." Specifically, the Managers advocated permitting the disclosure of encrypted account numbers "where the disclosure is expressly authorized by the customer and is necessary to service or process a transaction expressly requested or authorized by the customer." As the Commission wonders, a blanket prohibition on disclosing account numbers would indeed "unintentionally disrupt certain routine practices," including routine joint marketing programs between a "financial institution" and an unaffiliated third party not covered by the narrow joint marketing exception in GLBA § 502(b).

For example, Countrywide makes special offers such as airline miles from United Airlines and American Airlines and trade credits from E*Trade as an additional incentive to attract new mortgage customers. Countrywide collects the United, American, or E*Trade account number from the customer to properly credit the customer's account at this other company. Obviously, the consumer's privacy is not compromised in any way by Countrywide giving United, American, or E*Trade a list of their own account numbers, since United, American, or E*Trade already knows the account numbers of its own customers. It is inconceivable that the prohibition on sharing account numbers was intended to reach this situation, and the Commission should clarify that this type of sharing is permissible.

Other common account number practices should also be permitted. For example, Countrywide Home Loans ("CHL") lawfully provides a mailing list of current borrowers to its affiliate Countrywide Insurance Services ("CIS") on a regular basis. When customers respond to CIS' mailings, CIS places the insurance policy with its affiliate, Balboa Life & Casualty, or one of the unaffiliated insurers with whom CIS works. In an effort to make billing and payment of these services easy, the customer may choose to pay for the insurance by paying it along with the customer's monthly mortgage payment to CHL. In order for CHL to efficiently assure proper application of a payment collected on behalf of CIS, CIS may ask the insurance carrier to establish an insurance policy number that is identical to the CHL loan number or otherwise provide the carrier with the CHL loan numbers. The Privacy Rule would appear to prohibit this reasonable business practice, at least with respect to a home equity line-of-credit, since CIS has arguably "shared" the CHL transactional account number of those consumers who have elected to purchase insurance with the unaffiliated insurance carriers.

The Commission should clarify that the prohibition against sharing account numbers does not apply once the consumer has decided to purchase goods or services from a financial institution's unaffiliated marketing partner. At that point, marketing activities have ceased and the next steps relate to billing, shipping, and other servicing activities. A simple way to implement this clarification would be to specify that the exceptions in Proposed 15 C.F.R. §§ 313.9, 313.10, and 313.11 also apply to the prohibition against sharing account numbers. For example, CIS could ask its insurance carrier to establish the insurance policy number as the CHL loan number "in connection with…servicing or processing a financial product or service requested or authorized by the consumer." However, under Privacy Rule 15 C.F.R. § 313.12, the insurance carrier would be able to use the account number "only for the purpose of [the] exception" under which the insurance carrier received the information.

The Commission also requests comment on whether disclosure of an encrypted account number to a marketer, without supplying the key, violates GLBA § 502(d). We do not believe that it does, since a properly encrypted account number gives the marketer no more information than would providing some other arbitrary number. In addition, the purpose of the provision appears to be to prevent the marketer from using the account number to compromise the privacy or security of the account, which cannot happen with an encrypted number.

Notice and Opt-Out Requirements Need to be Equally Flexible in the Internet and Non-Internet Contexts

The GLBA provides that "a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such institution's policies and practices...". GLBA § 503(a). In this regard, we note that the Congress did not establish any more stringent standard for delivery of privacy policy disclosures "online" than in an "offline" context, but it appears that the Commission has inadvertently established a higher bar for doing business online than for doing business offline.

Is the standard delivery, as Congress appeared to allow in passing GLBA, or is acknowledgment of receipt necessary?

The Privacy Rule provides two examples concerning the requirement that a consumer receive "actual notice" of a business's privacy policies and practices. A business can reasonably expect a consumer to receive actual notice if the business "post[s] the notice on the electronic site and require[s] the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service[.]" Privacy Rule § 313.4(d)(5)(i)(C). A business cannot have such an expectation if it "send[s] the notice via electronic mail to a consumer who obtains a financial product or service with you in person or through the mail and who does not agree to receive the notice electronically." Privacy Rule § 313.4(d)(5)(ii)(B). The Commission may believe that these two examples establish a rule concerning what constitutes effective electronic notice that is both predictable and even-handed in its treatment of electronic and paper disclosures. In fact, the two examples leave several significant problems unanswered.

May a business provide the privacy policy by e-mail to a consumer who consents to such delivery?

An institution should not be required to give electronic notice exclusively using a pop-up screen that requires a response before proceeding, which would effectively require acceptance before proceeding. Limiting electronic disclosure to such a narrow technological solution would mean that the electronic opt-out was an opt-in for all practical purposes. This violates Congress' intent. If a business wants to use opt-ins, for customer relations purposes or to establish consumer consent to sharing (useful for FCRA purposes), then it should be able to. But such an opt-in should not be mandated for electronic disclosures, given that it is not required for paper disclosures. We would like confirmation, in the form of a specific example or regulatory language, that any mode of delivery specifically agreed to by the consumer is permissible.

Must a business provide a separate notice for each site?

We think that financial institutions and affiliates should have the flexibility to determine the range of Internet addresses or sub-addresses covered by any particular privacy policy disclosure, so long as it is clear to the consumer which addresses or sub-addresses the disclosure covers. The Commission should make this clear.

Must a business post a separate notice for each instance in which it provides a financial product or service over the Internet?

If a business wishes, it should be able to use a single privacy policy disclosure with reference to as many or as few products or services as it wishes, again subject to the requirement that the scope of the notice should be clear. Because of a technology available to providers of financial services over the Internet, commonly known as "cookies," it is possible to know whether a privacy policy disclosure has been provided to a particular computer user before. Using such technology, it is possible to provide a small number of comprehensive privacy policy disclosures, rather than bombarding a consumer with repeated requests that he or she read and acknowledge privacy policy disclosures before making each request for a financial product or service. Significantly, this option of using a cookie to avoid repetitive privacy policy disclosures is extremely consumer-friendly: the consumer could delete the cookie at any time, prompting the financial institution to deliver another round of disclosures. If properly disclosed to the consumer, the use of a cookie for this purpose would assure the consumer of receiving privacy disclosures when the consumer wanted them. This approach would not dilute consumers' privacy protections but would allow financial institutions to tailor the customer relationship to reflect the fact that attitudes toward what level of information sharing is acceptable and what level of sharing is invasive vary enormously. We urge the Commission to make clear that such comprehensive disclosures and such monitoring technology are permissible under the GLBA.

Must a business post the notice on its own site, or may it link to a third party service provider's site?

The Privacy Rule appears to specify that the business post the privacy policy notice on its own "site." We see no reason, however, why a business should not be able to create a non-discretionary, clear and conspicuous link to a third party's site where the privacy policy notice is posted, so long as the effect is the same as a posting on the business's own site, and so long as the legal responsibility for the posting lies with the business rather than its third-party service provider.

Co-Branded Products and Services

It would benefit providers of financial services over the Internet if the Commission were to clarify how to comply with the GLBA in a situation, common on the Internet, where a financial product or service is provided through a co-branded portion of a web site. The Privacy Rule does not discuss co-branding at all. However, it appears to contemplate a rough parity where the provision of one financial product by one business produces the need for one privacy policy. Under that logic, it would appear that a product or service provided through a co-branded site, if truly provided by both of the co-branded entities and not by one as the agent of the other, would still require two notices. Countrywide supports an approach that would allow financial institutions in co-branded or joint marketing arrangements to agree to give separate notices or a joint notice, so long as the notices are simple and understandable.

Establishing Electronic "Reasonable Opportunity" Standards for Opt-Outs

Finally, the Privacy Rule should clarify the issue of what, in the context of the Internet, constitutes a "reasonable opportunity" for a consumer to opt out. The Privacy Rule provides two examples of a reasonable opportunity. With a customer, a financial institution may "mail the notices required in ... this section to the consumer and allow the consumer a reasonable period of time, such as 30 days, to opt out." Privacy Rule § 313.7(a)(3)(i). In addition, in an isolated transaction, a financial institution may "provide the consumer with the required notices at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction." Privacy Rule § 313.7(a)(3)(ii). The Commission has solicited comments on whether an additional example "in the context of transactions conducted using an electronic medium would be helpful." 65 Fed. Reg. at 11182. We think that an additional example would be helpful, given that the two examples in the Privacy Rule leave so many possible consumer relationships unanswered.

Specifically, the Commission should provide clear guidance that applies to situations in which a financial institution provides electronic notices to its customer, and in which a financial institution provides electronic notice to a consumer in connection with something more than an isolated transaction. The reasonableness of the response period for electronic notices should not be measured by the slower pace required in connection with notices being mailed. Electronic delivery is a reliable delivery mechanism, and delivery failures are easy to detect and correct, so there is no reason to require a financial institution to wait thirty days to permit a consumer or customer to respond to an electronic notice. At the same time, because the privacy policy notice may be a complex document, it may not always be appropriate to require the consumer or customer to read, acknowledge and consent immediately as a condition to proceeding with the transaction. We therefore urge the Commission to insert at least one additional example, establishing that what constitutes a reasonable opportunity in the electronic context is some period significantly less than thirty days, though longer than that given to a consumer in an isolated transaction. We think three days is a period appropriate for both consumers and customers. The federally mandated cooling-off period for certain persons borrowing on the security of their principal dwellings is currently three days. 15 U.S.C. § 1635(a). If three days is a reasonable time to decide about such a significant issue, it should be a reasonable time for the consumer or customer to make the decision whether to permit nonpublic personal information about himself or herself to be distributed.

Should a financial institution be required to accept opt-outs through any means they have established to communicate with consumers, such as a toll-free number for consumer inquiries?

Countrywide supports the Privacy Rule as drafted, which allows a financial institution to establish "[a] reasonable means by which the consumer may exercise the opt-out right." See Privacy Rule § 318.3(a)(1)(iii). Requiring financial institutions to accept opt-outs through any of the many channels that they have established for customer communications would impose a significant and potentially unmanageable burden on institutions that is not justified by any benefit that might accrue to consumers. The financial institution should be allowed to direct the consumer to appropriately trained personnel.

For example, Countrywide already maintains a centralized intranet database, called our Global Do Not Solicit system, that allows us to record and honor opt-out requests for mail, telemarketing, e-mail, and certain information sharing with affiliates and nonaffiliated third parties. In order to maintain a complete and accurate record of any customer's opt-out request, customers may call a specific toll-free number where trained customer service representatives can carefully handle customers' opt-out requests. If too many opt-out boxes are checked, Countrywide and its affiliates won't be able to use other communication methods acceptable to the customer to timely inform the customer of valuable, money-saving product and service offers. If too few boxes are checked, the customer will receive additional communications that irritate the customer and may lead to privacy complaints and potential liability for failing to honor the customer's request. Personnel who are responsible for other types of customer communication can be instructed to transfer calls to those specially trained on privacy issues. Countrywide urges the Commission to allow this flexibility with respect to the Privacy Rules.

Should there be a specific deadline for honoring an opt-out request?

Countrywide agrees with the Commission that "the wide variety of practices of financial institutions [makes a single time] limit inappropriate." We support the proposed standard that third-party "disclosures stop as soon as reasonably practicable." For example, a financial institution should not have to contact third parties to which it has already transmitted a mailing list and remove the names of customers who have opted out since the institution transmitted the list.

What burden is presented by the opt-out requirement, what methods do financial institutions expect to use to deliver the notices required by the rule, and what is the likely number of opt-out requests that financial institutions expect to receive?

It is our belief that the percentage of opt-out requests will depend largely on whether financial institutions are given enough lead time to develop simple, understandable notices. Well-written notices will allow consumers to weigh the benefits of the free flow of information relative to individual attitudes on what is invasive. But it will take time for financial institutions to develop and refine these notices. If financial institutions are given this opportunity, Countrywide suspects that the percentages will be similar to the phone companies' experience with how many people get unlisted telephone numbers, the credit bureaus' experience with how many people opt out of the prescreening process, and the Direct Marketing Association's experience with how many people opt out of marketing solicitations. Countrywide urges the Commission to extend both the rulemaking process and the window period, as further explained below, to avoid uninformed "knee-jerk" decisions on the opt-out.

Even without the passage of GLBA, Countrywide had woven an intricate system of safety nets to protect the privacy and security of our customers' information. Despite that fact, proper systems design and integration and adequate training of personnel are the primary burdens that the opt-out requirement presents. Countrywide plans to deliver the opt-out notices required by the GLBA and Privacy Rules by updating the privacy policy, a link to which appears on every page of the Countrywide.com web site. Countrywide also plans to present our customers with a stand-alone brochure on privacy and security containing the opt-out notices in a variety of situations--for example, during the application process and in our monthly statements. And we have a centralized intranet database, called our Global Do Not Solicit system, that allows us to record and honor opt-out requests for mail, telemarketing, e-mail, and certain information sharing with affiliates and nonaffiliated third parties. Plus, we have numerous other policies relating to the privacy and security of customer information. Many of these policies were kept internal to meet our customers' expectations that the home loan process be seamless and easy. The GLBA requires Countrywide and all other financial institutions to articulate all of these policies and practices to our customers in one simple, understandable document. It is a daunting challenge.

Other Clarifications for the Final Privacy Rules

Should there be specific provisions allowing third-party contractors to use nonpublic personal information they obtained under an exception "to improve credit scoring models or analyze marketing trends, as long as the third parties do not maintain the information in a way that would permit identification of a particular consumer"?

We support a clarification to the regulation that would allow a third party to use information in this manner. A third party contractor may wish to aggregate information it obtains from mortgage lenders about particular consumers as input into its credit scoring systems. Such a use of information about consumers does not compromise their privacy in any way and ultimately benefits the public by making credit more widely available.

Should there be additional "safeguards" to prevent abuse of consumer's consent to have information disclosed?

We do not believe that additional safeguards are necessary at this time. Even as drafted, the regulation could make it difficult to conduct routine activities such as verifying information supplied by a telephone applicant for a mortgage loan. The Commission should clarify the regulation to indicate that the consumer should be deemed to have consented to the disclosure of nonpublic personal information when a consumer has initiated a transaction and the financial institution is asked to verify information supplied by the consumer.

What information is "derived using personally identifiable financial information"?

The Commission could sharpen the definition of nonpublic personal information by specifying that a "list, description or other grouping of consumers ... derived using any personally identifiable financial information" must be a list, description or grouping of "identifiable consumers" to be covered by the Privacy Rules. See Proposed § 313.3(n)(1)(ii). If a business sells impersonal demographic information, and another business uses that information to create a list of consumers, the first business should not be held liable as a distributor of information under the GLBA. If the first business actually compiles a list of consumers, or a list which allows the recipient of the information to readily identify individual consumers, then it should be subject to the GLBA. Any other result would have the effect of turning the demographic information itself into nonpublic personal information, despite its impersonality.

Should the Commission impose additional requirements on financial institutions that take advantage of the service provider/joint marketing exception to the opt-out requirement in GLBA § 502(b)(2)?

Assuming that the Commission has the power to impose additional requirements, we see no reason why it should do so. The GLBA provision requires a financial institution that takes advantage of it to "fully disclose…the providing of such information and enter…into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information." A financial institution that is exempt from the opt-out requirement pursuant to Section 502(b)(2) must provide the initial privacy disclosures as well as the specific disclosure that it is providing information under a servicing or joint marketing agreement. A customer who is particularly sensitive to data sharing may seek out financial institutions that avoid these types of relationships.

From whom does a person obtain a financial product or service?

The definition of a consumer should be clarified with respect to the party from whom the consumer obtains the financial product or service. There is an additional category of financial services providers that provide services to consumers only indirectly. For instance, an appraisal service may be hired by a lender to prepare a property valuation, and such a service will be paid for by the consumer, yet the appraisal company has contact only with the lender. While the lender might be expected to bind the ancillary service provider by contract to respect the privacy policies of the lender vis-a-vis its customers, it is hard to understand how the appraiser would apprise the consumer of its privacy policy, since it would ordinarily not have direct contact with the consumer. In a home financing context, there are a number of such ancillary service providers, and the proliferation of privacy notices that the consumer would receive may be confusing to the consumer, who views himself as a customer of the lender, not the lender's vendors. Again with the intention of creating regulatory certainty, we would urge the Commission to state that an individual is a consumer only with respect to those financial institutions to which the individual directly provides nonpublic personal information.

What information is "personally identifiable"?

In addition to using the Alternative B definition of nonpublic personal information, we urge the Commission to take the opportunity to sharpen the definition by clarifying what constitutes "personally identifiable financial information." See Proposed § 313.3(o). Although the definition is elaborate, including numerous examples and several specific exclusions from the category, it does not address the fundamental question of when information can be said to be "personally identifiable." We believe that so long as the information is not identifiable, it should not be protected. This would be in keeping with the Commission's interpretation of the Fair Credit Reporting Act, under which information that would otherwise be a consumer report, but which has been "coded ... so that the consumer's identity is not disclosed" is not a consumer report. 16 C.F.R. § 600.3, Commentary to the Fair Credit Reporting Act, Comment 4-B to Section 603(d).

Businesses do not need personally identifiable information for such purposes as refining automated underwriting software and enhancing the accuracy of demographic market analysis, but they do need information that is accurate and nonduplicative. Aggregated financial information, stripped of personal identifiers, constitutes the database from which risk models are constructed and refined. These models guide lenders in determining how much interest to charge on individual loans, in order to cover the risks associated with lending, while offering the most competitive rates (that is, the lowest rates consistent with the institution making a profit). The less information is available, the less predictive these risk models can be. And when lenders cannot rely upon their risk models, they tend to charge higher rates, in order to avoid losing money to unanticipated or incorrectly quantified risks. Consumers profit from accurate risk models, which are only possible with access to accurate information. We urge the Commission to permit the free distribution of aggregated or otherwise depersonalized data, as a way of permitting financial institutions and others to continually refine their risk models in order to keep consumer costs low.

Because of this benefit to consumers, and because of the lack of a corresponding risk, businesses with such information should be able to provide it to businesses that need it. So long as this information does not identify consumers and cannot be used to target individual consumers for unwanted attention, distribution of this information should not be subject to regulations intended only to protect consumers in these limited and unaffected instances.

Should financial institutions have to develop policies and procedures to ensure that third parties to whom information is disclosed comply with the limits on redisclosure of that information?

Countrywide opposes any such requirement. Even in the absence of any regulation, mortgage lenders and other financial institutions have a strong incentive to take steps to preserve the confidentiality of the valuable customer information that they supply to third-party vendors. Moreover, the potential liability faced by a third party for breaching contracts that require this confidentiality should serve as an adequate deterrent.

Limit Liability for Nonaffiliated Third Party Use of Information

A financial institution must contractually require nonaffiliated third parties performing services on behalf of the institution to maintain the confidentiality of customer information and limit the third parties' use of the information. Privacy Rule § 313.9(a)(2). If a financial institution enters into such a contract, the third party breaches the contract by violating these limits. Consumers would likely have a contract claim against the nonaffiliated third party as a third-party beneficiary of the contract. In addition, the third party is probably in breach of the Privacy Rules, given the limits on re-disclosure and reuse of information. See Privacy Rule § 313.12(b)(2). Both of these outcomes make sense. But we are concerned that, without clarification from the Commission, the financial institution itself will be held in violation as well, despite the fact that it is blameless. We urge the Commission to make clear that, in the situation outlined above, the financial institution is not liable under the GLBA for the breach of the confidentiality agreement by its third-party service provider unless the financial institution participated in some way in the violation.

Effects of Overlapping Federal Requirements and Permissions

We would appreciate the Commission providing some guidance as to the interaction of the GLBA with existing laws and regulations, particularly the Fair Credit Reporting Act ("FCRA"), 12 U.S.C. §§ 1681 et seq. The GLBA expressly does not "modify, limit or supersede" FCRA, except in minor respects. GLBA § 506(c). Although the two statutes are distinct, we would urge the Commission to consider to what extent it is possible to craft rules for the GLBA that are consistent with the known rules of the FCRA. We also urge the Commission to consider explicitly the interaction of the GLBA with other federal rules, answering questions such as whether Internal Revenue Service rules governing the use of tax return information preempt inconsistent aspects of the Privacy Rule.

Extension of the Rulemaking Process and the Six Month Window Period

The Commission invited comments on whether six months following adoption of the final Privacy Rules is sufficient to enable financial institutions to comply. Unless the Commission adopts its Alternative B definition of "nonpublic personal information," the six-month window period will be grossly inadequate. Alternative A would require all of the companies in any multi-company financial service provider to invest in, design, and roll out new systems to reliably and instantly keep track of not only the information each company obtains but also the source of each piece of information and the date the information was obtained. We believe that the process of developing and programming our systems to track each field of information would take several months alone. Then, the flow of information would have to be redesigned to assure that every internal data process flowed through a new or redesigned filter system to distinguish appropriately between sources. This is not to mention testing of the system to assure that it works. Meanwhile, new disclosures must be developed and distributed to customers in various media and personnel must be trained on these landmark changes in the law. Even with the adoption of Alternative B, Countrywide still feels that a one-year window would be more appropriate in light of the compliance burdens that will be faced.

We also strongly urge the Commission to extend the 30-day period under the so-called "transition rule" in Privacy Rule § 313.16(b) to 90 days, allowing large financial institutions to spread the effort to give the disclosure to existing customers and accept any resulting opt-out requests over a reasonable period of time. Countrywide, for example, will need to deliver its new privacy policy to about 2.1 million existing customers. Countrywide would experience significant additional costs and a potential disruption in its customer service operations if it were required to provide these policies to all 2.1 million customers in a single month.

Countrywide is also concerned that the rulemaking process provide ample time to craft Privacy Rules that do not unwittingly hinder reasonable business practices that the vast majority of our customers would not find invasive. Hearings may be helpful to the Commission in its efforts to finalize the Privacy Rules and achieve consistency with the other agencies. Countrywide appreciates the time pressure that has been thrust on the Commission but urges the Commission to give adequate consideration to the complexities raised by the Privacy Rules.

Conclusion

We think the Commission's Privacy Rule is an excellent starting point for implementing the GLBA; however, we also believe that additional refinement is needed on certain issues. We are particularly concerned that the Commission's Privacy Rule avoid an overly broad definition of nonpublic personal information. We hope that our comments will be of help in crafting a final version of the Commission's Privacy Rule implementing the GLBA that strikes the right balance between protecting consumer privacy rights and preserving the clear consumer benefits that result from the free flow of information in our economy.

Sincerely,

Sandor E. Samuels
