WASHINGTON - When regulators release their financial privacy proposal today for public comment, bankers can expect a 40-page preamble, a 30-page regulation, and a pragmatic approach to the task of balancing bank and consumer rights.
The Office of the Comptroller of the Currency will post its version on its Web site this morning (www.occ.treas.gov), while the Federal Reserve Board will issue its own just before voting on it around lunchtime. The proposed rules would implement privacy provisions in the financial reform law enacted in November.
A Jan. 19 draft obtained by American Banker provides a glimpse of the evolving regulation.
According to the draft, only people who have a continuing relationship with a bank or other financial services company would be considered "customers" automatically entitled to receive privacy notices from the company whether or not data was expected to be shared.
People who occasionally use another bank to cash checks, withdraw money from an ATM, or get travelers' checks would not be considered customers; they would receive privacy notices only if the bank intended to share their personal information with a third party.
Examples in the draft help clarify some complex situations, such as the case of a lender that originates a loan but then sells it along with the servicing rights. In that scenario, only the buyer would need to make the necessary privacy disclosures. If the seller kept the servicing rights, however, both buyer and seller would need to make the required disclosures.
The disclosures will require lenders to tell customers how information is collected, such as from loan applications or credit card transaction histories, and what types of businesses might gain access, such as life or mortgage insurance companies.
These privacy disclosures could not be made orally, by posting a sign in the branch, or by placing a statement on the company's Web site. Written disclosures would need to be issued in person, by mail or courier, or, in certain limited cases, by e-mail. Privacy disclosures would have to be made prior to the establishment of the relationship, and then annually.
If a bank wants to share with a third party "nonpublic personal information" about a former, current, or prospective customer, it must first disclose that plan to the consumer and give him or her at least 30 days to block it, or "opt out." The definition of "nonpublic" information is broad: It includes the fact that a person is a customer of the bank. So if a bank wants merely to give a list of its customers' names to a third party, it must inform customers and let them block that transaction.
The draft proposal asks the industry for its opinions on a number of questions.
One is whether the privacy rule should apply to U.S. financial institutions operating abroad, and to foreign companies operating within the U.S. Another is whether one participant in a joint account can opt out for the whole group. Regulators also want to know whether banks should be required to make sure third parties comply with prohibitions on data reuse.
Though the official public comment period on the draft proposals did not begin until today, regulators have witnessed an unofficial comment period since American Banker posted a Dec. 21 draft of the regulation on its Web site. A recent letter from the Financial Services Roundtable, for example, offered regulators the group's "preliminary views" based on the draft.