WASHINGTON - Seven federal agencies implementing the privacy provisions of the Gramm-Leach-Bliley Act of 1999 have been inundated with more than 8,650 comment letters requesting myriad changes and more time to adopt new protections.
The financial reform law requires banks, insurers, and brokers, among other companies, to annually disclose their privacy policies to customers and to give people a chance to prevent the company from sharing personal data with third parties. Congress gave regulators until May to issue final rules and until November to implement them. But the banking industry is asking for more time - until at least August 2001, or preferably March 2002.
FleetBoston Financial Corp. "will work vigorously to implement the final regulations, however, we anticipate that we will need a minimum of 18 months after the final regulations are issued to design and implement appropriate systems, programs, and policies to comply fully," wrote Agnes Bundy Scanlan, managing director of corporate privacy.
Bankers also were nearly unanimous in asking the agencies for a sample privacy notice.
"Financial institutions should be given these model disclosures as a safe harbor because of the complexity of the current legal and regulatory environment concerning consumer privacy," wrote Carl V. Howard, general counsel for bank regulatory issues at Citigroup Inc.
Many letters accused the regulators of stretching beyond what Congress intended. For example, the Illinois Bankers Association said the proposed rule would require institutions to describe confidentiality and security practices by explaining who in the bank has access to personal information.
"We believe that the proposed rule goes far beyond the Gramm-Leach-Bliley Act," association president Finis W. Schultz wrote. "Financial institutions frequently must access information to detect potential fraud, and this practice should not be disclosed to the customer."
Some 2.5 billion disclosure statements could be required under the new rules. The American Bankers Association cited estimates as high as $1.25 billion for the cost of compliance.
Alan P. Shor, chief operations officer of Zale Corp., predicted its subsidiary, Jewelers National Bank, would spend more than $1.5 million to mail the initial privacy notice to existing customers. Daniel Higham, director of compliance for Susquehanna (Pa.) Bancshares Inc., put annual printing and mailing costs at $160,000.
In the proposal, regulators requested industry opinion on certain details. One of the most crucial to bankers is the definition of "nonpublic personal information." The agencies presented two alternatives. One would prevent banks from sharing publicly available customer information unless it is obtained from a public source, like a telephone directory.
The second alternative, which banks almost universally said they prefer, allows the sharing of such information from customer records so long as it is available from a lawful public source.
"Financial institutions should not be burdened with the task of obtaining public information directly from public records," Fleet's Ms. Scanlan wrote.
Regulators also asked whether financial institutions should be responsible for policing how third-party service providers handle private information. Bankers answered with a resounding "no."
"Institutions should not be required to monitor or police third-party use of information," wrote Susan E. Lester, chief financial officer of U.S. Bancorp.
Bankers suggested practical ways to implement the new law.
As an alternative to written disclosures, some institutions, including Citigroup, suggested allowing banks to provide a toll-free telephone number customers can call to opt out.
Richard F. Ober Jr., general counsel of Summit Bancorp of Princeton, N.J., suggested institutions send only a brief notice if they have not changed their privacy notices from the previous year. He recommended that the notice say: "Our policies and procedures on customer privacy have not changed from the last notice we gave you."
Among the many clarifications requested by bankers were: what constitutes a customer relationship; whether only one notice may be sent per household even if there are multiple accountholders at the same address; and whether they may honor customers' requests not to receive privacy notices.